CosmicBeetle Group Spreads Ransomware

ESET researchers have discovered that the group is using ScRansom ransomware.

In its ransom letters and on its websites, CosmicBeetle attempts to exploit the reputation of the now-inactive LockBit group to coerce victims into paying. Additionally, the group is now part of the ransomware service provider RansomwareHub, which has been active since March 2024 and is becoming increasingly visible.

“Writing your own ransomware is a challenge for hacker groups—especially for a relatively inexperienced group like CosmicBeetle,” explains ESET researcher Jakub Soucek. “That’s why the group is trying to leverage LockBit’s good reputation to enhance the likelihood of success for their attacks.”

Brute Force Attacks

CosmicBeetle often uses brute force attacks to break into its victims’ systems. The group also exploits various known vulnerabilities, since its target companies are more likely to be running software that is still affected by them; organizations of this size frequently lack robust patch management as well. Affected industries include manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government.

ScRansom Encrypts and Terminates Processes

ScRansom can not only encrypt data but also terminate various processes and services on the affected computer. It is not considered a sophisticated piece of ransomware; nevertheless, CosmicBeetle has managed to use it to successfully attack several significant companies.

Victims of ScRansom should be aware that the attackers’ error-prone decryption software is unlikely to recover all encrypted data. Even in the best case, decryption can be lengthy and complicated. This means that even organizations that choose to pay the ransom and receive the decryption tool may still lose many files. ScRansom is still under constant development, and its overall quality remains poor.

CosmicBeetle Uses Spacecolon

CosmicBeetle has been active since at least 2020. The group was discovered in 2023 and is best known for its custom-built Delphi tools, commonly referred to as Spacecolon. These tools include ScHackTool, ScInstaller, ScService, and ScPatcher.