Saturday, December 21, 2024

CosmicBeetle Launches New Custom ScRansom Ransomware in Collaboration with RansomHub

In September 2024, the cybersecurity landscape was rocked by the emergence of a new ransomware strain known as “ScRansom,” deployed by the well-known hacker group CosmicBeetle in collaboration with RansomHub. This latest development highlights the ever-evolving nature of cyber threats and the ongoing innovation among cybercriminal organizations. ScRansom, which is still in the developmental phase, represents a significant threat to industries worldwide, showcasing the growing sophistication of ransomware and the increasing vulnerability of organizations to these types of attacks.

The Rise of CosmicBeetle and Spacecolon

CosmicBeetle, previously notorious for the deployment of the Spacecolon toolset, has established a reputation as one of the most dangerous cybercriminal groups operating today. The group’s previous exploits have targeted organizations across the globe, affecting industries ranging from healthcare to education. Spacecolon, a toolkit used for deploying ransomware, has been associated with attacks in a variety of countries, including Thailand, Brazil, Mexico, and Poland (SC Media).

This widespread activity has prompted cybersecurity experts to warn of CosmicBeetle’s shift toward an opportunistic approach to ransomware deployment, attacking a diverse range of sectors rather than focusing on a specific region or industry.

One of the key components of Spacecolon’s success has been its method of infiltrating systems through the exploitation of vulnerable web servers and the brute-forcing of Remote Desktop Protocol (RDP) credentials. RDP, which is commonly used for remote access to systems, has been a frequent target of cybercriminals due to its often weak security configurations. Many organizations exposed their RDP systems to the internet during the COVID-19 pandemic, increasing their vulnerability to ransomware attacks (SC Media).

ScRansom: The New Threat

The development of ScRansom marks a new chapter in CosmicBeetle’s ransomware operations. According to researchers from ESET, ScRansom is still in its early stages and has not yet been widely deployed. However, the malware shows significant potential due to its ability to encrypt hard drives, removable storage, and remote drives using AES-128 encryption. This encryption method, combined with a key generated from a hardcoded string, makes ScRansom a formidable tool for locking down a target’s data, leaving them with few options other than paying the ransom (SC Media) (RH-ISAC).

Researchers have also noted similarities between ScRansom and Spacecolon, particularly in terms of the Turkish strings found in the code and the use of the IPWorks library. While this suggests a Turkish-speaking developer, cybersecurity experts caution against jumping to conclusions regarding the origin of the malware. The presence of Turkish strings may be a false flag, intended to mislead researchers and obscure the true source of the ransomware (RH-ISAC).

Despite ScRansom not being fully operational at the time of writing, its discovery in the development phase is a testament to the proactive efforts of cybersecurity researchers. Identifying new ransomware strains before they are deployed in the wild allows for better preparation and mitigation strategies. However, this discovery also serves as a reminder that cybercriminals are constantly innovating, developing new tools to circumvent security measures.

The Role of RansomHub

CosmicBeetle’s partnership with RansomHub is another critical factor in the deployment of ScRansom. RansomHub acts as a marketplace or platform for cybercriminals to buy and sell ransomware-as-a-service (RaaS), allowing less-skilled hackers to launch sophisticated attacks without having to develop their own malware. This collaboration between CosmicBeetle and RansomHub demonstrates the increasingly collaborative nature of cybercrime, where different groups and individuals pool their resources to maximize the impact of their attacks.

Ransomware-as-a-service has become a major issue for cybersecurity professionals, as it lowers the barrier to entry for potential attackers. By providing ready-made ransomware tools, platforms like RansomHub enable a wider range of cybercriminals to participate in ransomware attacks, significantly increasing the number of potential threats faced by organizations (SC Media).

The Impact of ScRansom on Global Cybersecurity

The emergence of ScRansom raises significant concerns for organizations around the world, as it underscores the growing threat of ransomware and the challenges of defending against these attacks. As ransomware evolves, so too must the strategies used to protect against it. Organizations must ensure that their systems are properly secured, particularly when it comes to web servers and RDP configurations. Failure to patch vulnerabilities or implement multi-factor authentication (MFA) can leave organizations exposed to attacks from groups like CosmicBeetle (SC Media).

Additionally, the global nature of ransomware attacks means that no industry or region is safe. CosmicBeetle has already demonstrated its willingness to target organizations in a wide range of sectors, including healthcare, education, and entertainment. This shift toward opportunistic attacks suggests that cybercriminals are increasingly focusing on exploiting vulnerabilities wherever they find them, rather than sticking to a specific geographical or industry focus.

Mitigation and Defense Strategies

To defend against ransomware attacks like those carried out by CosmicBeetle, cybersecurity experts recommend a multi-layered approach to security. This includes regularly patching systems, implementing robust MFA for all administrative functions, and ensuring that RDP systems are not exposed to the internet. By taking these steps, organizations can significantly reduce the risk of falling victim to ransomware (SC Media) (RH-ISAC).

Another important strategy is the use of proactive monitoring and incident response capabilities. Security operations centers (SOCs) can detect ransomware activity early and prevent it from spreading throughout an organization’s network. Additionally, regular backups of critical data and the use of encryption can help mitigate the impact of a ransomware attack, ensuring that an organization can recover its data without paying the ransom.
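As an added illustration of the monitoring described above (this is not part of the original article or of any cited research), the following Python example flags RDP credential brute-forcing from Windows logon events and escalates when a flagged source then logs on successfully. The sample records, their field layout, the threshold and the time window are constructed assumptions; event IDs 4625/4624 and logon types 3/10 are the standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive,
# type 3 = Network (how failed RDP logons appear when NLA is enabled).
SAMPLE = """\
2024-09-10T02:14:01 4625 3 203.0.113.7 administrator
2024-09-10T02:14:03 4625 3 203.0.113.7 admin
2024-09-10T02:14:05 4625 3 203.0.113.7 backup
2024-09-10T02:14:08 4625 3 203.0.113.7 administrator
2024-09-10T02:14:11 4625 3 203.0.113.7 administrator
2024-09-10T02:15:10 4624 10 203.0.113.7 administrator
2024-09-10T08:00:00 4625 10 198.51.100.20 jsmith
2024-09-10T08:00:20 4624 10 198.51.100.20 jsmith
2024-09-10T09:00:00 4625 3 192.0.2.50 svc
2024-09-10T09:10:00 4625 3 192.0.2.50 svc
2024-09-10T09:20:00 4625 3 192.0.2.50 svc
2024-09-10T09:30:00 4625 3 192.0.2.50 svc
2024-09-10T09:40:00 4625 3 192.0.2.50 svc
"""

def parse(text):
    for line in text.splitlines():
        ts, eid, ltype, ip, user = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user

def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: 'bruteforce' | 'bruteforce_then_success'}."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    findings = {}
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype not in (3, 10):  # ignore console and service logons
            continue
        fails = recent[ip]
        while fails and ts - fails[0] > window:  # slide the window forward
            fails.popleft()
        if eid == 4625:
            fails.append(ts)
            if len(fails) >= threshold:
                findings.setdefault(ip, "bruteforce")
        elif eid == 4624 and ip in findings:
            # A logon from an already-flagged source: treat as likely compromise.
            findings[ip] = "bruteforce_then_success"
    return findings

if __name__ == "__main__":
    print(detect(parse(SAMPLE)))
```

The single mistyped password from 198.51.100.20 and the widely spaced failures from 192.0.2.50 stay below the threshold, so slower guessing needs a longer window or a per-account count.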

Conclusion

The deployment of ScRansom by CosmicBeetle in collaboration with RansomHub represents the latest development in the ever-evolving landscape of cybercrime. As ransomware continues to grow in sophistication and reach, organizations must remain vigilant and proactive in their cybersecurity efforts. The emergence of new ransomware strains like ScRansom serves as a stark reminder that cybercriminals are constantly innovating, and defenses must evolve to keep pace. By implementing robust security measures and staying informed about the latest threats, organizations can protect themselves from the devastating impact of ransomware attacks.

Aiden Thomas
Aiden Thomas is a tech enthusiast and expert, writing comprehensive articles on a wide range of technology topics. From the latest gadgets and software innovations to in-depth reviews and industry trends, Aiden's content keeps readers informed and ahead of the curve. His passion for technology shines through in his clear and engaging writing, making complex tech accessible to everyone.