The CosmicBeetle ransomware group, also known as NONAME or Spacecolon, may now be an affiliate of RansomHub according to a report by ESET.
The report, published Tuesday, outlines CosmicBeetle’s activities and tactics since its discovery in 2023, although the group is believed to have been active since at least 2020.
In June 2024, an attack using RansomHub’s ransomware and endpoint detection and response (EDR) killer, was investigated by ESET and found to bear similarities to CosmicBeetle’s past activities. This incident led security researchers to say with “medium confidence” that CosmicBeetle has joined RansomHub’s ranks as an affiliate.
“The NoName group’s activities identify two critical trends in the current ransomware landscape. First, the complexity of ransomware tools is increasing, and second, ransomware gangs are becoming more organized, experimenting with strategies like affiliate programs and impersonation to extend their reach,” James McQuiggan, a security awareness advocate at KnowBe4, told SC Media in an email.
Spacecolon creators target unpatched systems with custom tools
CosmicBeetle, as it is tracked by ESET, is known for its use of a custom Delphi-based toolkit known as Spacecolon, which includes components dubbed ScHackTool, ScInstaller, ScService, ScPatcher and, most recently, ScRansom.
Previously, CosmicBeetle used its toolkit to assist in distribution of the older Scarab ransomware, which first emerged back in 2017. CosmicBeetle targets small and medium-sized businesses (SMBs), mostly in Europe and Asia, and in a range of industries including manufacturing, pharmaceuticals, legal services, education, healthcare, technology, hospitality, financial services and government.
The gang normally makes it intrusions through brute-force methods, as well as exploitation of older vulnerabilities such as EternalBlue (CVE-2017-0144) and Zerologon (CVE-2020-1472). It has also been known to use Windows Active Director flaws CVE-2021-42278 and CVE-2021-42287, FortiOS SSL-VPN vulnerability CVE-2022-42475 and Veeam Backup & Replication flaw CVE-2023-27532 in its intrusions.
“Small and medium-sized businesses (SMBs) remain prime targets due to often outdated infrastructure and limited cybersecurity resources. For their survival, SMBs need to prioritize regular patching and proactive defense strategies by working with a Managed Security Service Provider,” said McQuiggan. “For these businesses, even unsophisticated ransomware can cause catastrophic disruption.”
In mid-2023, CosmicBeetle began using a new ransomware, dubbed ScRansom, instead of Scarab, and ESET researchers believe with high confidence that this ransomware was developed by CosmicBeetle themselves as part of the Spacecolon toolbox.
ScRansom is a relatively unsophisticated ransomware with an overly complicated encryption process involving RSA and AES. This disorganized process can generate dozens of different “decryption IDs” for each victim, each requiring a different decryption key to recover all files. In one case, a victim that paid a ransom received 31 different decryption keys from CosmicBeetle and still could not recover all of their files, according to ESET.
“This decryption approach is typical for an immature ransomware threat actor. Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay,” the ESET researchers wrote.
Another feature of ScRansom is the ability for users to select between four to five different encryption modes, including “fast,” “fastest,” “slow,” “full” and “erase,” with the “erase” option overwriting files rather than encrypting them.
The researchers noted that ScRansom, similar to ScHackTool, requires the attacker to have access to the victim’s screen and cursor, suggesting that exploitation of the Remote Desktop Protocol (RDP) is part of CosmicBeetle’s attack.
Despite ScRansom’s lack of sophistication, ESET notes it has been used in several attacks against SMBs, causing “great harm.”
The multiple ransomware brand iterations of CosmicBeetle
ESET’s report noted multiple past attempts by CosmicBeetle to brand itself and step up its ransomware operations. In September 2023, the group set up a dark web leak site with a similar format to that of the LockBit ransomware gang and began calling itself "NONAME." However, this leak site appeared to show victims previously compromised by LockBit rather than the NONAME group itself.
Then, in November 2023, the group registered the domain lockbitblog[.]info and fully copied the LockBit leak site, including the LockBit 3.0 logo. The group also began using the leaked LockBit 3.0 builder in its attacks at this time, with the leak site and attacks being linked back to CosmicBeetle through a qTox messenger ID included in its ransom notes.
On June 3, 2024, ScRansom was used in an attempted attack on an Indian manufacturing company, followed a few days later by attack on the same company using RansomHub’s EDR killer and ransomware strain.
The suspected connection between this RansomHub-affiliated attack and CosmicBeetle is strengthened by the attacker’s extraction of the RansomHub EDR using WinRAR from an archive stored in the Music folder, which is highly unusual for RansomHub affiliates but a common tactic used by CosmicBeetle, according to ESET.
“To our knowledge, there are no public leaks of RansomHub code or its builder,” the ESET researchers wrote. “Therefore, we believe with medium confidence that CosmicBeetle enrolled itself as a new RansomHub affiliate.”
