Decrypt LOL

Increase in CosmicBeetle Ransomware Group Activity Observed in 2023


Quick take - CosmicBeetle, a ransomware group active since 2020, has increased its targeting of small to medium-sized enterprises in 2023 by exploiting outdated software and cybersecurity vulnerabilities, utilizing customized ransomware tools like ScRansom, and employing aggressive tactics similar to those of the LockBit group.

Fast Facts

  • CosmicBeetle, also known as NoName, is a ransomware group active since 2020, with increased activity noted in 2023, primarily targeting small to medium-sized enterprises (SMEs) globally.
  • The group exploits outdated software and weak cybersecurity, using customized ransomware tools like ScRansom, which features partial encryption, multiple speeds, and an “ERASE” mode for permanent file deletion.
  • CosmicBeetle employs aggressive brute-force attacks and targets critical vulnerabilities, including EternalBlue and Zerologon, as well as recent vulnerabilities in Veeam and FortiOS.
  • They have attempted to mimic the strategies of the LockBit group, including the use of a Data Leak Site (DLS) to pressure victims, although all their DLS domains are currently inactive.
  • Organizations can defend against CosmicBeetle by implementing multi-layered security strategies, including regular software updates, multi-factor authentication, and robust data backup plans.

CosmicBeetle Ransomware Group Overview

CosmicBeetle, also known as NoName, is a ransomware group that has been active since 2020. An increase in their activity has been observed in 2023, primarily targeting small to medium-sized enterprises (SMEs) across the globe. They exploit these enterprises’ reliance on outdated software and inadequate cybersecurity measures.

Ransomware Tools and Tactics

CosmicBeetle employs customized ransomware tools, notably ScRansom, which is developed in Delphi. ScRansom includes features such as partial encryption capabilities, multiple encryption speeds, and an “ERASE” mode that permanently deletes file content. The group’s operational tactics involve aggressive brute-force attacks and the exploitation of critical vulnerabilities in widely used systems. Key vulnerabilities targeted by CosmicBeetle include:

  • EternalBlue (CVE-2017-0144)
  • Zerologon (CVE-2020-1472)
  • CVE-2023-27532 (Veeam Backup & Replication)
  • CVE-2022-42475 (FortiOS SSL-VPN vulnerability)

In 2023, the group shifted from using Scarab ransomware to ScRansom and has refined its methods over time. CosmicBeetle has attempted to replicate the strategies of the notorious LockBit ransomware group, including the use of a Data Leak Site (DLS) named “NONAME” to pressure victims into paying ransoms. The DLS was designed to mimic LockBit’s theme and ransom note style, creating urgency among potential victims. However, all of CosmicBeetle’s DLS domains are currently inactive, suggesting that the group may rebrand or affiliate with other Ransomware-as-a-Service (RaaS) programs to maintain its operations.

Psychological Tactics and Targeted Sectors

In addition to its technical capabilities, CosmicBeetle employs psychological tactics in its interactions with victims. They use encrypted messaging applications such as qTox for ransom negotiations and often warn victims against seeking third-party assistance, threatening that such actions will exacerbate their situation. CosmicBeetle has also aligned with RansomHub, a Ransomware-as-a-Service operation, to enhance its resources and operational support.

The sectors targeted by CosmicBeetle include:

  • Manufacturing
  • Pharmaceuticals
  • Healthcare
  • Technology
  • Legal
  • Education
  • Hospitality
  • Financial services
  • Regional government bodies

Defense Strategies Against Ransomware

Organizations can defend against CosmicBeetle and similar ransomware threats by implementing a multi-layered defense strategy. Recommended measures include:

  • Regularly patching software vulnerabilities
  • Segmenting networks to limit lateral movement
  • Enforcing multi-factor authentication and strong password policies
  • Deploying endpoint detection and response tools
  • Conducting regular audits of user accounts and privileges
  • Maintaining a robust data backup strategy alongside an incident response plan
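The brute-force logons described above are one of the few CosmicBeetle behaviours a defender can see directly in authentication logs, which is what the endpoint detection and account-audit measures in the list are meant to surface. The following is an added example, not code from the article or from SOCRadar: a small sliding-window detector that flags any source address producing a burst of Windows failed-logon events (Event ID 4625). The event records, IP addresses, usernames and the threshold of 5 failures within 5 minutes are constructed for illustration.

```python
"""Sliding-window brute-force logon detector over constructed failed-logon records.

Added example (not from the article). Each record is
(ISO timestamp, source IP, target username, Windows Security event ID).
Event ID 4625 = "An account failed to log on"; 4624 = successful logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one noisy source hammering admin-style accounts,
# one user with two scattered typos, and one successful logon.
SAMPLE_EVENTS = [
    ("2023-09-10T02:00:01", "203.0.113.7", "administrator", 4625),
    ("2023-09-10T02:00:09", "203.0.113.7", "administrator", 4625),
    ("2023-09-10T02:00:17", "203.0.113.7", "admin", 4625),
    ("2023-09-10T02:00:25", "203.0.113.7", "backup", 4625),
    ("2023-09-10T02:00:33", "203.0.113.7", "administrator", 4625),
    ("2023-09-10T02:00:41", "203.0.113.7", "admin", 4625),
    ("2023-09-10T02:05:00", "198.51.100.22", "jdoe", 4625),
    ("2023-09-10T02:10:00", "192.0.2.5", "jdoe", 4624),
    ("2023-09-10T02:40:00", "198.51.100.22", "jdoe", 4625),
]

FAILED_LOGON = 4625


def parse_event(record):
    """Convert a raw tuple into (datetime, ip, user, event_id)."""
    ts, ip, user, event_id = record
    return datetime.fromisoformat(ts), ip, user, event_id


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, sorted distinct usernames)}
    for every source that produced at least `threshold` failed logons inside
    any `window`-long span. Successful logons are ignored here; correlating a
    4624 that follows a burst is the natural next rule to add."""
    failures = defaultdict(list)
    for record in events:
        ts, ip, user, event_id = parse_event(record)
        if event_id == FAILED_LOGON:
            failures[ip].append((ts, user))

    flagged = {}
    for ip, items in failures.items():
        items.sort()  # order by timestamp so the window can slide
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in items[start:end + 1]})
                previous = flagged.get(ip)
                if previous is None or count > previous[0]:
                    flagged[ip] = (count, users)
    return flagged


def describe(flagged):
    """Human-readable alert lines, one per flagged source."""
    return [
        f"{ip}: {count} failed logons in window, accounts tried: {', '.join(users)}"
        for ip, (count, users) in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in describe(find_bruteforce_sources(SAMPLE_EVENTS)):
        print(line)
```

The sliding window keeps the check linear in the number of events per source, so the same function can run over a day of exported Security-log tuples. Tuning the threshold and window per environment matters: the two `jdoe` failures 35 minutes apart are deliberately below any sensible threshold and must not alert, while the single source that tries three different privileged account names in under a minute is exactly the pattern a lockout policy and MFA are meant to blunt.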

SOCRadar provides tools to assist organizations in detecting and mitigating ransomware threats, offering services such as threat intelligence, dark web monitoring, and vulnerability tracking. CosmicBeetle’s tactics, techniques, and procedures (TTPs) align with various methods outlined in the MITRE ATT&CK framework, encompassing areas such as reconnaissance, initial access, execution, persistence, defense evasion, credential access, and impact.

Original Source: Read the Full Article Here
