Security
Headlines
HeadlinesLatestCVEs

Headline

Amateurish 'CosmicBeetle' Ransomware Stings SMBs in Turkey

With an immature codebase and a “rather chaotic encryption scheme” prone to failure, the group targets small businesses with custom malware.

DARKReading
#vulnerability#mac#microsoft#samba#auth

Source: Mark Brandon via Shutterstock

A cybercriminal group — or individual — known as “CosmicBeetle” is exploiting vulnerabilities in technologies used by small businesses in Turkey, as well as Spain, India, and South Africa. The goal is to install ransomware that — unfortunately for victims — sometimes has glitches.

Likely based in Turkey, the ransomware attacker operates at a fairly “low level of sophistication” and is currently developing ransomware that demonstrates a “rather chaotic encryption scheme,” according to analysis by Slovakian cybersecurity firm ESET. CosmicBeetle often deploys custom ransomware, dubbed ScRansom by ESET, that appears to be under active development with frequent updates and changes.

Because CosmicBeetle demonstrates immature skills as a malware developers, a variety of problems have affected victims of the threat actor’s ransomware, says Jakub Souček, a senior malware researcher at ESET, who analyzed CosmicBeetle. In one case, ESET worked with a victim organization and found that the encryption routines executed multiple times on some of the infected machines, resulting in some data recovery failing.

“Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay,” the report stated.

But for CosmicBeetle, “while we were able to verify that the decryptor — in its most recent state — works from the technical point of view, a lot of factors still come to play, and the more you need [for decryption] from the threat actor, the more unsure the situation,” he says. “The fact that the ScRansom ransomware is still changing quite rapidly doesn’t help.”

The relative immaturity of the CosmicBeetle threat actor has led the group to embark on two interesting strategies, according to the ESET report. First, the group has attempted to imply connections with the infamous LockBit cybercriminal group as a way to, ironically, inspire trust in their ability to help victims recover their data. Second, the group has also joined the RansomHub affiliate program, and now often installs that ransomware rather than its own custom malware.

Opportunistically Targeting SMBs

To kick off its compromises, the CosmicBeetle group scans for and attempts to exploit a variety of older vulnerabilities in software typically used by small and midsize businesses, such as issues in Veeam Backup & Replication (CVE-2023-27532), which can allow unauthenticated attackers to access the backup infrastructure, or two privilege escalation vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), which together allow a user to “effectively become a domain admin.”

The group is likely not specifically targeting SMBs, but because of the software it targets for exploitation, smaller businesses make up the majority of its victims, Souček says.

“CosmicBeetle abuses quite old known vulnerabilities, which we expect more likely to be patched in larger companies with better patch management in place,” he says, adding: “Victims outside of the EU and US, especially SMBs, are typically the result of immature, non-seasoned ransomware gangs going for the low-hanging fruit.”

The targets include companies in the manufacturing, pharmaceuticals, legal, education, and healthcare industries, among others, according to ESET’s report published on September 10.

“SMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software and to not have robust patch management processes in place,” the report stated.

Turkish Delight? Not So Much

Turkey accounts for the most victimized organizations, but a significant number also come from Spain, India, South Africa, and a handful of other countries, according to data collected by ESET from the CosmicBeetle leak site.

While one firm has connected the threat actor to an actual person — a Turkish software developer — ESET cast doubt on the connection. Yet, with Turkey accounting for a larger share of infections, the group is probably from the nation or the region, Souček acknowledges.

“We could speculate that CosmicBeetle has more knowledge of Turkey and feels more confident choosing their targets there,” he says. “As for the remaining targets, it is purely opportunistic — a combination of vulnerability of the target and it being ‘sufficiently interesting’ as a ransomware target.”

About the Author

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Related news

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Akira ransomware continues to evolve

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's

Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil

CVE-2023-27532: KB4424: CVE-2023-27532

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

Domain Escalation – sAMAccountName Spoofing

Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading → Domain Escalation – sAMAccountName Spoofing

Domain Escalation – sAMAccountName Spoofing

Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading → Domain Escalation – sAMAccountName Spoofing

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel