CosmicBeetle Introduces ScRansom Ransomware, Targets SMBs Globally

The threat actor CosmicBeetle, known for its Spacecolon toolset, has introduced a custom ransomware strain named ScRansom and is using it against small and medium-sized businesses (SMBs) in Europe, Asia, Africa and South America. ScRansom replaces the Scarab ransomware the group deployed previously, and it is still under active development.

ScRansom is not technically sophisticated, but that has not limited its reach: victims span manufacturing, pharmaceuticals, legal services, education, healthcare, technology, hospitality, financial services and regional government. ESET researcher Jakub Souček also reported that CosmicBeetle may be operating as an affiliate of the RansomHub ransomware-as-a-service operation.


ScRansom Attack Techniques

CosmicBeetle gains initial access by brute-forcing credentials and by exploiting several publicly known, long-patched vulnerabilities, among them CVE-2017-0144 (the SMBv1 flaw used by EternalBlue), CVE-2020-1472 (Zerologon) and CVE-2021-42278 (Active Directory sAMAccountName spoofing). None of these is new; the group relies on its SMB targets not having patched. Once inside, the operators run EDR-killing tools such as Reaper, Darkside and RealBlindingEDR to terminate security processes before deploying ScRansom.

Notable ScRansom features include:

  • Partial encryption: only part of each file is encrypted, which is enough to make the file unusable while making the run much faster than full encryption.
  • An "ERASE" mode, in which file contents are overwritten with a constant value instead of being encrypted, so the data cannot be recovered even if a ransom is paid.
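
The two behaviours above leave different traces on disk, and they can be told apart cheaply during triage. The script below is an added illustration written for this article; it is not ScRansom's code and not ESET's tooling. It uses per-window Shannon entropy to label a file body as untouched plaintext, partially encrypted (some windows ciphertext-like, the rest still readable) or wholly overwritten with one byte value (an ERASE-style wipe). The 4 KiB window size, the 7.0 bits/byte threshold, the file names and the sample contents are all illustrative assumptions constructed for the demo.

```python
"""Triage helper: spot files that look constant-overwritten ("erased") or
partially encrypted, using per-window Shannon entropy.

Added illustration for this article; NOT ScRansom's code and NOT ESET's tooling.
Window size and entropy threshold are illustrative assumptions.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumption: analyse files in 4 KiB windows
HIGH_ENTROPY = 7.0     # assumption: >= 7 bits/byte is treated as ciphertext-like


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             high: float = HIGH_ENTROPY) -> str:
    """Label a file body as one of:
    empty, constant_overwrite, fully_encrypted, partially_encrypted, plaintext.

    constant_overwrite  - every byte has the same value (an ERASE-style wipe)
    partially_encrypted - some, but not all, windows look like ciphertext
    """
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "constant_overwrite"
    entropies = [shannon_entropy(data[i:i + chunk_size])
                 for i in range(0, len(data), chunk_size)]
    high_windows = sum(1 for e in entropies if e >= high)
    if high_windows == len(entropies):
        return "fully_encrypted"
    if high_windows:
        return "partially_encrypted"
    return "plaintext"


def triage(files: dict) -> dict:
    """Map file name -> label for a set of in-memory file bodies."""
    return {name: classify(body) for name, body in files.items()}


def sample_files() -> dict:
    """Constructed sample data for the demo (not real victim files)."""
    rng = random.Random(1)  # seeded so the demo is reproducible
    text = b"Quarterly invoice summary for Acme Ltd. Total due: 1,250.00 EUR. " * 400
    # ERASE-style wipe: same length as the original, every byte replaced by one value.
    erased = b"\x00" * len(text)
    # Partial encryption: every odd 4 KiB window replaced with random bytes standing
    # in for ciphertext; the even windows are left as the original plaintext.
    windows = [text[i:i + CHUNK_SIZE] for i in range(0, len(text), CHUNK_SIZE)]
    partial = b"".join(rng.randbytes(len(w)) if idx % 2 else w
                       for idx, w in enumerate(windows))
    return {
        "invoice.txt": text,          # untouched
        "invoice.txt.locked": partial,  # partially encrypted
        "report.docx": erased,        # overwritten with a constant value
    }


if __name__ == "__main__":
    for name, label in triage(sample_files()).items():
        print(f"{name:24} {label}")
```

Two caveats for real use. The constant-byte check is cheap and reliable, but a legitimately sparse or zero-filled file produces the same result, so confirm against a known-good copy or backup before declaring data destroyed. The entropy heuristic only works for formats that are normally low-entropy (office documents before compression, source, logs, databases); archives, images, video and already-encrypted containers are high-entropy by nature and will be flagged as encrypted unless you whitelist them by magic bytes or extension first.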

The evidence for the RansomHub connection is circumstantial: ScRansom and a RansomHub payload were deployed on the same victim machine within a short time of each other, which is consistent with CosmicBeetle acting as a RansomHub affiliate but does not prove it.


Attribution Challenges

CosmicBeetle, also tracked as NONAME, was earlier assessed to be of Turkish origin on the basis of a custom encryption scheme found in its ScHackTool. ESET now considers that assessment unreliable: the same scheme appears in Disk Monitor Gadget, a legitimate utility from the Turkish company VOVSOFT, and CosmicBeetle most likely copied it from there. Code borrowed from a third-party product says nothing about where the operators themselves are based.


Cicada3301 Unleashes Updated Encryptor

Meanwhile, the Cicada3301 ransomware group (also tracked as Repellent Scorpius) has been using an updated encryptor since July 2024. The new build adds a --no-note command-line argument that suppresses the writing of ransom notes, and it no longer embeds hard-coded usernames and passwords; it does, however, retain the ability to run PsExec for lateral movement when the operator supplies credentials.


EDR-Killing Tools: POORTRY and BURNTCIGAR

Another notable development is the continued evolution of POORTRY (also tracked as BURNTCIGAR), a kernel-mode Windows driver that several ransomware gangs use to disable Endpoint Detection and Response (EDR) software. POORTRY is installed by a user-mode loader known as STONESTOP. Running in the kernel means the driver has to get past Driver Signature Enforcement; per public reporting it does so not by exploiting DSE but by carrying a code signature obtained through abused or stolen signing certificates, so a plain signature check will not flag it.

Ransomware groups including Cuba, BlackCat, Medusa, LockBit and RansomHub have used POORTRY since 2021. RansomHub has additionally been observed using another EDR-disabling tool, EDRKillShifter, and abusing Kaspersky's legitimate TDSSKiller rootkit-removal utility to shut down endpoint security services.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067