# Full Report
In March 2026, Team Cymru detected an Open Directory on 5.78.84[.]144, hosted at AS212317. Using Team Cymru's NetFlow-augmented Open Ports collection, we identified a list of notable file names served on port 8000. Analysis of the file names exposed on the Beast operator's server enabled us to understand the flow of their attacks from start to finish. The analysis of the Beast ransomware server identified a wide array of tools used by the operators, providing a detailed breakdown of their tactics across the entire intrusion lifecycle. This shows that proactive collection of internet telemetry can identify a ransomware operator's entire toolkit before it is used against its targets, which feeds directly into proactive defensive strategies.
# Analysis Summary
# Tool/Technique: Beast Ransomware & Operator Toolkit
## Overview
Beast is a Ransomware-as-a-Service (RaaS) that emerged as the successor to the "Monster" ransomware. It targets Windows, Linux (NAS), and VMware ESXi environments. The toolkit identified on an associated Open Directory reveals a standardized workflow involving legitimate administrative tools and specialized malware to facilitate internal mapping, credential theft, and data exfiltration.
## Technical Details
- **Type:** Malware Family (Ransomware) and Attack Toolkit
- **Platform:** Windows, Linux, VMware ESXi
- **Capabilities:** Multi-platform encryption, CIS-country exclusions (geofencing), offline builders, and data leak site hosting for double extortion.
- **First Seen:** June 2024 (Successor to Monster ransomware, March 2022). Active operator server detected March 2026.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery] (Advanced Port Scanner)
  - [T1018 - Remote System Discovery] (Advanced IP Scanner)
  - [T1083 - File and Directory Discovery] (Everything.exe, FolderSize)
- **[TA0006 - Credential Access]**
  - [T1003.001 - LSA Secrets] (Mimikatz, Automim)
  - [T1558.003 - Kerberoasting] (Kerberos.ps1)
  - [T1606 - Forge Web Credentials] (LaZagne)
  - [T1112 - Modify Registry] (enable_dump_pass.reg)
- **[TA0003 - Persistence] / [TA0011 - Command and Control]**
  - [T1219 - Remote Access Software] (AnyDesk)
- **[TA0008 - Lateral Movement]**
  - [T1570 - Lateral Tool Transfer] (PsExec, OpenSSH)
  - [T1021.001 - Remote Desktop Protocol] (Pass-The-Hash_RDP.bat)
- **[TA0010 - Exfiltration]**
  - [T1567.002 - Exfiltration to Cloud Storage] (MEGAsync)
## Functionality
### Core Capabilities
- **Geofencing:** Specifically avoids encrypting systems in Commonwealth of Independent States (CIS) countries (Russia, Belarus, Moldova).
- **Cross-Platform Support:** Builders available for specialized environments including NAS devices and ESXi hypervisors.
- **Network Mapping:** Automated scanning of IP ranges and open ports (RDP/SMB) to identify lateral movement targets.
### Advanced Features
- **Credential Harvesting Hardening:** Modifies Windows Registry (`WDigest`) to force cleartext password storage in memory, facilitating easier extraction.
- **Data Prioritization:** Uses tools like `FolderSize` to calculate which directories contain the most significant volume of data to prioritize encryption and impact.
- **Double Extortion:** Integration with "BEAST LEAKS" Tor site for data exfiltration and public shaming.
## Indicators of Compromise
- **File Hashes (SHA256):**
- **File Names:** `Advanced_IP.exe`, `AnyDesk.exe`, `automim.rar`, `enable_dump_pass.reg`, `encrypter-linux-x64.run`, `MEGAsyncSetup64.exe`, `Everything.exe`.
- **Network Indicators:**
  - `5.78.84[.]144` (Operator Server)
  - Port `8000` (Open Directory)
- **Behavioral Indicators:** Unexpected installation of RMM tools (AnyDesk), execution of `WDigest` registry modifications, and large-scale ICMP/TCP scanning from a single internal host.
## Associated Threat Actors
- **Beast (RaaS Operators)**
- **Monster Ransomware** (Predecessor group)
## Detection Methods
- **Signature-based:** Detect known Beast binary hashes and common hacker tools (Mimikatz, LaZagne).
- **Behavioral:**
  - Monitoring for registry modifications: `HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest`.
  - Alerting on use of `PsExec` or `AnyDesk` in environments where they are not standard.
  - Identification of large-scale internal file searching or rapid folder size calculations.
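As an added illustration of the first two behavioral detections above (not code from the report or from Team Cymru), the following script scans Sysmon-style event records for the WDigest registry change and for remote-admin binaries running on hosts outside an allow-list. The event field names follow Sysmon Event ID 1 (ProcessCreate) and 13 (RegistryEvent value set); the `UseLogonCredential` value name is the WDigest setting that enables cleartext caching; the host allow-list and all sample events are constructed for the example.

```python
"""Detect the WDigest cleartext-caching registry change (T1112) and
unexpected AnyDesk/PsExec execution (T1219/T1570) in Sysmon-style events."""
from __future__ import annotations
import re

# Sysmon 13 TargetObject for the value named in this report's registry key.
WDIGEST_VALUE_RE = re.compile(r"SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
# Sysmon renders DWORD data as "DWORD (0x00000001)"; only 1 is suspicious.
DWORD_ONE_RE = re.compile(r"DWORD \(0x0*1\)", re.I)

# Assumed allow-list: hosts where remote-admin tooling is expected to run.
RMM_ALLOWED_HOSTS = {"helpdesk-01"}
WATCHED_BINARIES = {"anydesk.exe", "psexec.exe", "psexesvc.exe"}

def check_event(ev: dict) -> str | None:
    """Return an alert string for a suspicious event, otherwise None."""
    host = ev.get("Computer", "")
    if ev.get("EventID") == 13:  # RegistryEvent (Value Set)
        if WDIGEST_VALUE_RE.search(ev.get("TargetObject", "")) and \
                DWORD_ONE_RE.search(ev.get("Details", "")):
            return f"T1112 WDigest UseLogonCredential=1 on {host} via {ev.get('Image')}"
    elif ev.get("EventID") == 1:  # ProcessCreate
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_BINARIES and host.lower() not in RMM_ALLOWED_HOSTS:
            return f"T1219/T1570 {exe} executed on non-approved host {host}"
    return None

def scan(events: list[dict]) -> list[str]:
    """Run check_event over every record and return the alerts raised."""
    return [a for a in (check_event(e) for e in events) if a]

WDIGEST_VALUE = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

# Constructed sample events (not real telemetry). Merging a .reg file such as
# the enable_dump_pass.reg named in this report produces a value-set event.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "FS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "FS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000000)"},  # hardening, benign
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Users\svc\Downloads\AnyDesk.exe"},
    {"EventID": 1, "Computer": "helpdesk-01", "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```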
## Mitigation Strategies
- **Hardening:** Disable `WDigest` caching. Implement the "Protected Users" security group in Active Directory.
- **Access Control:** Restrict the use of administrative tools like `PsExec` and `netscan` to authorized personnel only via AppLocker or similar software restriction policies.
- **Network Segmentation:** Limit lateral movement by segmenting critical servers and enforcing MFA for all remote access (RDP/VPN).
- **RMM Restrictions:** Maintain an allow-list for Remote Monitoring and Management (RMM) tools; block unauthorized binaries for `AnyDesk`, `TeamViewer`, etc.
## Related Tools/Techniques
- **Monster Ransomware:** Technical predecessor.
- **Qilin / Akira:** Observed using similar RMM-based persistence techniques (AnyDesk).
- **Kerberoasting:** Common credential access technique used by the group.