CosmicBeetle, after improving its own ransomware, tries its luck as a RansomHub affiliate
Analysis Summary
# Threat Actor: CosmicBeetle
## Attribution & Identity
* **Name:** CosmicBeetle (name assigned by ESET researchers in 2023).
* **Known Aliases/Associations:** Previously used Scarab ransomware. Believed with medium confidence to be a new affiliate of the **RansomHub** ransomware gang (active since March 2024). Has been observed impersonating the **LockBit** ransomware gang.
* **Toolset:** Most known for using its custom collection of Delphi tools, dubbed **Spacecolon**, which includes ScHackTool, ScInstaller, ScService, and ScPatcher.
## Activity Summary
* CosmicBeetle has been active since at least 2020, with public insights first published in 2023.
* The actor actively deploys its continually improving custom ransomware, **ScRansom**, replacing its previous ransomware, Scarab.
* Recent activity (2024) involves the distribution of ScRansom to Small and Medium-sized Businesses (SMBs) globally.
* The group has experimented with using the leaked **LockBit builder** and has tried to leverage the LockBit brand name in ransom notes and leak sites to persuade victims to pay.
* ESET researchers believe, with medium confidence, that CosmicBeetle is a new affiliate of the **RansomHub** Ransomware-as-a-Service (RaaS) operation.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Exploits years-old vulnerabilities to breach SMB environments.
* **Custom Tooling:** Uses the proprietary Spacecolon toolset (ScHackTool, ScInstaller, ScService, ScPatcher).
* **Ransomware Deployment:** Deploys custom ScRansom ransomware.
* **Impersonation/Deception:** Abuses the LockBit brand name/reputation in ransom notes.
* **Technical Characteristics (ScRansom/Tooling):**
  * Programming language: Delphi.
  * Uses the IPWorks library for encryption.
  * Shares identical Turkish strings with the Spacecolon tools and puts a space after each colon in its strings (the characteristic that gave Spacecolon its name).
  * Code similarity observed between ScRansom and the Spacecolon tools.
* **Operational Defects:** The deployment and encryption process with ScRansom is described as immature, sometimes requiring multiple decryption keys, and potentially leading to permanent file loss for victims who pay.
## Targeting
* **Sectors:** Small and Medium-sized Businesses (SMBs).
* **Geography:** Various parts of the world, specifically noted in Europe and Asia.
* **Victims:** "Interesting targets" have been compromised, though no specific organizations are named in the summary.
## Tools & Infrastructure
* **Malware Families Used:**
  * ScRansom (current ransomware of choice).
  * Scarab (previous ransomware).
  * LockBit Black builder (used for experimentation).
* **Infrastructure (C2, domains, IPs):** *No specific C2 domains or IPs were provided in the context.*
## Implications
CosmicBeetle remains an active and evolving threat, transitioning from its earlier ransomware (Scarab) to ScRansom while attempting to integrate with an established RaaS operation (RansomHub). Its reliance on known, unpatched vulnerabilities for initial access and its operational immaturity limit its sophistication, but its attempts to mimic high-profile groups like LockBit are intended to increase financial pressure on victims. The possibility that files cannot be recovered even after payment, due to poor encryption execution, is a significant risk for compromised organizations.
## Mitigations
* **Patch Management:** Immediately address the years-old, known vulnerabilities that CosmicBeetle is actively exploiting for initial access.
* **Ransomware Defense:** Implement robust security controls suitable for defending against modern ransomware attacks, despite ScRansom’s relative immaturity.
* **Due Diligence:** Organizations should exercise extreme caution regarding remediation and payment if affected by ScRansom, given the high risk of partial or failed decryption.
* **Brand Awareness:** Be aware of potential brand impersonation techniques (e.g., LockBit branding) used by threat actors to coerce payment.