CosmicBeetle has been targeting small and medium-sized businesses (SMBs) across Europe and Asia, borrowing the reputation of established ransomware gangs to lend weight to its own attacks. ESET’s analysis reveals that CosmicBeetle is employing a leaked LockBit builder and may be operating as an affiliate of RansomHub, a ransomware-as-a-service group that has been active since March 2024 and whose activity is increasing.
Jakub Souček, an ESET researcher, explains, “CosmicBeetle’s attempt to exploit LockBit’s reputation could be a strategic move to overcome challenges in developing custom ransomware. By doing so, they aim to mask weaknesses in their ransomware and increase the likelihood of ransom payments.” Souček adds that the simultaneous deployment of ScRansom and RansomHub payloads on the same machine within a week suggests a potential affiliation between CosmicBeetle and RansomHub.
CosmicBeetle breaches its targets through brute-force attacks and by exploiting publicly known vulnerabilities. The group’s victims are predominantly SMBs from a wide range of sectors, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services, and regional government. Organizations in these sectors often run vulnerable software or lack robust patch management, which makes them prime targets for an attacker relying on known, already-fixed flaws rather than novel exploits.
ScRansom, CosmicBeetle’s own ransomware, encrypts files and disrupts system processes. Despite its simplicity, it has caused significant harm, in part because CosmicBeetle’s relative inexperience and its error-prone deployment of ScRansom make recovery difficult. ScRansom is still under active development, and its complex encryption scheme raises concerns about whether files can be restored reliably at all: even when victims decide to pay, successful decryption is complicated and far from guaranteed.
CosmicBeetle, discovered by ESET in 2023 but active since at least 2020, is known for Spacecolon, its collection of custom Delphi tools, which includes ScHackTool, ScInstaller, ScService, and ScPatcher.