Source: ESET research. ESET researchers also find that CosmicBeetle attempts to exploit the notoriety of the LockBit ransomware gang to advance its own ends.
Analysis Summary
# Threat Actor: CosmicBeetle
## Attribution & Identity
CosmicBeetle is a cybercrime group whose recent activity indicates it is likely a new affiliate of the RansomHub Ransomware-as-a-Service (RaaS) operation. The group also attempts to exploit the notoriety of the LockBit ransomware gang for its own purposes.
## Activity Summary
ESET observed CosmicBeetle actively compromising Small and Medium-sized Businesses (SMBs) around the world with its new proprietary ransomware, ScRansom. The notable development is the reported link to RansomHub, which suggests the group may be in a "probation period" with that RaaS operator.
## Tactics, Techniques & Procedures
- Trading on the notoriety of the LockBit ransomware gang to add pressure on victims.
- Deployment of a new proprietary ransomware family, ScRansom.
- Noted technical flaw: ScRansom's decryption is unreliable; for some encrypted files restoration is impossible, so a victim who pays cannot count on getting all data back.
## Targeting
- Sectors: Organizations in the Small and Medium-sized Business (SMB) segment; no particular industry is singled out.
- Geography: Worldwide; the source names no specific regions.
- Victims: No specific organizations are disclosed; targeting is concentrated on SMBs.
## Tools & Infrastructure
- Malware families used: ScRansom (new proprietary ransomware)
- Infrastructure (C2 servers, domains, IP addresses): Not detailed in the source beyond the group's association with the RansomHub ecosystem.
## Implications
CosmicBeetle appears to be escalating its operations by aligning with mature RaaS operations like RansomHub, potentially increasing the volume and sophistication of its attacks. The development and deployment of custom ransomware (ScRansom), even if currently flawed, indicates a committed development effort. Their attempts to leverage LockBit branding suggest a tactic aimed at maximizing fear and pressure on victims.
## Mitigations
- Organizations, especially SMBs, should maintain vigilant defenses against ransomware, recognizing that affiliates of major RaaS operations such as RansomHub carry out the intrusions and are a primary threat to this segment.
- Maintain robust, tested backup and recovery procedures, with at least one copy kept offline or otherwise out of reach of a domain-wide compromise. Because ScRansom has reported decryption failures, paying the ransom does not guarantee recovery; a verified restore from backup is the only reliable path, and restores should be checked file by file rather than assumed to be complete.
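The last point, tested recovery, is where a flawed decryptor or a partial restore bites: files can come back truncated, corrupted or still encrypted while the job reports success. The following is an added example, not code from the ESET report or from any tool it describes, of the check a practitioner would want: a SHA-256 manifest of the protected data is taken ahead of time and kept with the offline backup, and after recovery every restored file is compared against it, so unrecoverable files are listed rather than discovered later. It generalizes beyond ScRansom to any restore. The share layout, file names and the "corrupted by a bad decryptor" scenario in `demo()` are constructed for illustration.

```python
"""Verify a restored backup against a hash manifest taken before an incident.

Added example (not from the ESET report). A restore is only trustworthy if
every file is byte-for-byte identical to the manifest copy; a decryptor that
silently truncates or corrupts output shows up here as 'corrupted' entries.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest.

    Returns sorted lists of files that match, files absent from the restore,
    files present but with a different hash (truncated, corrupted or still
    encrypted), and files present in the restore but unknown to the manifest
    (leftover attacker artefacts, for example). restore_complete is True only
    when nothing is missing or corrupted.
    """
    ok, missing, corrupted = [], [], []
    for rel, digest in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) != digest:
            corrupted.append(rel)
        else:
            ok.append(rel)
    unexpected = sorted(set(build_manifest(restored_root)) - set(manifest))
    return {
        "ok": sorted(ok),
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "unexpected": unexpected,
        "restore_complete": not missing and not corrupted,
    }


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): a three-file
    share is inventoried, then a 'restore' comes back with one file truncated,
    one file absent and one stray file added. Returns the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "share"
        restored = Path(tmp) / "restored"
        (source / "docs").mkdir(parents=True)
        (source / "finance").mkdir()
        (source / "docs" / "report.txt").write_bytes(b"Q3 report " * 50)
        (source / "docs" / "notes.txt").write_bytes(b"meeting notes")
        (source / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-01-01,100\n")

        manifest = build_manifest(source)      # taken before the incident
        manifest_json = json.dumps(manifest)    # what you would store offline

        shutil.copytree(source, restored)
        # Simulate a decryptor that truncates one file and never emits another
        (restored / "docs" / "report.txt").write_bytes(b"Q3 report " * 10)
        (restored / "docs" / "notes.txt").unlink()
        # Simulate a stray file left in the restore path (constructed, not a real IOC)
        (restored / "finance" / "README_restore.txt").write_bytes(b"not in manifest")

        return verify_restore(json.loads(manifest_json), restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is generated on a schedule from the live data and stored alongside the offline backup copy, so that it cannot be altered by the same compromise that encrypts the files; the verification step then runs against the restore target before users are let back in.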