New but ‘immature’ ransomware group CosmicBeetle targets small businesses

A group that researchers are calling CosmicBeetle has developed new ransomware and deployed it against small and medium-sized businesses, mostly in Europe and Asia, according to a new report.

Active since at least 2020, CosmicBeetle is considered an “immature” player in the ransomware world, said the Slovakia-based cybersecurity firm ESET, which analyzed the group’s recent campaigns.

The group often abuses the brand names of more prominent threat actors, such as LockBit, to better persuade victims to pay, researchers said.

CosmicBeetle’s new malware, ScRansom, is undergoing continuous development, “which is never a good sign in ransomware,” ESET said. Even though the ransomware “is not very sophisticated,” it has been deployed against “interesting targets” and caused significant harm, the report said.

“Victims affected by ScRansom who decide to pay should be cautious,” ESET said, because even though the decryptor for locked files works properly, the ransomware’s encryption process is prone to errors — meaning some files could be permanently lost.

The earliest samples of ScRansom appeared at the end of March 2023, but in-the-wild attacks didn’t start until August. Earlier in June, CosmicBeetle attempted to compromise a manufacturing company in India with ScRansom but failed, the researchers said.

The group’s other targets include businesses in the pharmaceutical, legal, education, healthcare, technology and financial industries.

To access systems, CosmicBeetle often uses brute-force methods, in which attackers try various combinations of passwords or keys until they find the correct one.

The hackers also exploit years-old vulnerabilities, ESET said, particularly in software used by small businesses that do not typically have “robust patch management processes in place.”

To compensate for flaws in its own tools and attack methods, CosmicBeetle relies on more established threat actors, ESET said. For example, it used the leaked LockBit builder and tried to impersonate the infamous, recently disrupted ransomware gang in both its ransom notes and leak site.

“Using leaked builders is a common practice for immature ransomware gangs,” ESET said. “It allows them to abuse the brand of their well-established competitors while also providing them with a ransomware sample that usually works properly.”

Besides LockBit, researchers believe “with medium confidence” that CosmicBeetle is a new affiliate of RansomHub, a ransomware gang active since March 2024, with rapidly increasing activity.

The attribution of CosmicBeetle remains unclear. Other researchers have previously linked it to a Turkish software developer, but ESET does not agree with this attribution. Researchers admit there are some links to Turkey, as the group’s malware contains Turkish strings in its code.