The hacker known as CosmicBeetle has recently introduced a new custom ransomware strain named ScRansom, targeting small- and medium-sized businesses in Europe, Asia, Africa, and South America. It is believed that CosmicBeetle is also working as an affiliate for RansomHub.
According to ESET researcher Jakub Souček, CosmicBeetle has replaced its previous Scarab ransomware with ScRansom, which is continuously being enhanced. The threat actor has been successful in compromising various interesting targets.
ScRansom attacks have been directed towards industries such as manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors.
CosmicBeetle is most notably recognized for Spacecolon, a malicious toolset previously used to distribute the Scarab ransomware globally.
The adversary, also known as NONAME, has been experimenting with the leaked LockBit builder to imitate the notorious ransomware gang since November 2023.
The attacks involving ScRansom exploit brute-force attacks and known security vulnerabilities (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to gain access to target systems.
Various tools such as Reaper, Darkside, and RealBlindingEDR are used in the attack chain to disable security processes before deploying the Delphi-based ScRansom ransomware. This ransomware includes features like partial encryption for faster processing and an “ERASE” mode to make files unrecoverable by overwriting them.
The association between ScRansom and RansomHub has been observed as both payloads were discovered on the same machine within a week. CosmicBeetle attempted to leverage LockBit’s reputation to potentially conceal issues in their ransomware and increase the likelihood of victims paying the ransom.
Cicada3301 Introduces Updated Version
Meanwhile, threat actors linked to the Cicada3301 ransomware, also known as Repellent Scorpius, have been utilizing an updated version of the encryptor since July 2024. This version includes a new command-line argument, –no-note, which prevents the encryptor from writing the ransom note to the system.
Another significant change is the absence of hard-coded usernames or passwords in the binary, although it retains the ability to execute PsExec using these credentials if available.
Moreover, there are indications that the group possesses data from previous compromise incidents, suggesting they may have operated under a different ransomware brand or obtained the data from other groups.
BURNTCIGAR Transforms into an EDR Wiper
Recent findings highlight the evolution of a kernel-mode signed Windows driver, POORTRY (also known as BURNTCIGAR), used by multiple ransomware gangs to disable Endpoint Detection and Response (EDR) software, effectively acting as a wiper to delete critical EDR components.
POORTRY is delivered through a loader named STONESTOP, bypassing Driver Signature Enforcement safeguards. It has the capability to force delete files on disk and has been utilized by ransomware groups such as CUBA, BlackCat, Medusa, LockBit, and RansomHub.
Sophos noted that POORTRY focuses on disabling EDR products by modifying kernel notify routines and wiping critical files off disk to render the EDR agent useless.
RansomHub has been observed using an enhanced version of POORTRY, alongside another EDR killer tool called EDRKillShifter, demonstrating a continued effort by threat actors to experiment with different methods to disable EDR products.
These activities signify an ongoing process rather than a sudden increase, with threat actors exploring various tactics to evade detection.
