The threat actor CosmicBeetle, known for using the Spacecolon toolset, has introduced a new custom ransomware strain called ScRansom, targeting small- and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America. The malware replaces the previously used Scarab ransomware and is continuously being refined.
While ScRansom is not considered highly advanced, it has compromised various sectors, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, financial services, and regional governments. ESET researcher Jakub Souček revealed that CosmicBeetle might also be working as an affiliate for RansomHub.
CosmicBeetle gains access to target environments through brute-force attacks and by exploiting several known vulnerabilities (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, and others). The group has used tools like Reaper, Darkside, and RealBlindingEDR to terminate security processes before deploying ScRansom.
ScRansom's features include:
A connection to RansomHub has been identified, as ScRansom and RansomHub payloads were deployed on the same machine within a short time span.
CosmicBeetle, also known as NONAME, was previously thought to have a Turkish origin, based on the encryption scheme in their ScHackTool. However, ESET now suggests that this attribution may no longer be valid. The encryption algorithm was originally used in a legitimate tool called Disk Monitor Gadget by the Turkish company VOVSOFT, which CosmicBeetle likely adopted.
Meanwhile, the Cicada3301 ransomware group (also known as Repellent Scorpius) has been spotted using an updated version of its encryptor since July 2024. The update introduces a new command-line argument, --no-note, which suppresses the writing of ransom notes. It also eliminates hard-coded usernames and passwords, though it retains the ability to execute PsExec if credentials are available.
Another notable development involves the evolution of POORTRY (also known as BURNTCIGAR), a kernel-mode Windows driver used by multiple ransomware gangs to disable Endpoint Detection and Response (EDR) software. POORTRY is delivered via the STONESTOP loader, bypassing Driver Signature Enforcement protections.
Ransomware groups such as CUBA, BlackCat, Medusa, LockBit, and RansomHub have been using POORTRY since 2021. In addition, RansomHub has been observed utilizing another EDR-disabling tool called EDRKillShifter, as well as Kaspersky’s TDSSKiller.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067