A newly emerging ransomware group, dubbed CosmicBeetle, has been targeting small and medium-sized businesses across Europe and Asia. According to a report from the cybersecurity firm ESET, this group is relatively “immature” compared to more sophisticated threat actors but has nonetheless caused significant damage through its attacks.
Active since 2020, CosmicBeetle has been operating under the radar, using deceptive tactics like abusing the brand names of notorious ransomware groups such as LockBit to increase pressure on its victims. One of its latest creations, ScRansom, is a ransomware variant still in development. Despite its lack of complexity, the malware has inflicted substantial harm on its targets, which span industries such as healthcare, education, technology, pharmaceuticals, and financial services.
ESET’s analysis highlights that the group is evolving rapidly. ScRansom first appeared in March 2023, with actual attacks beginning in August of the same year. The ransomware’s encryption, however, is error-prone, meaning that even after paying the ransom, victims could permanently lose access to some of their files.
CosmicBeetle’s methods of infiltrating systems often involve brute-force attacks, where they attempt various password combinations until they succeed. They also exploit old vulnerabilities in software, particularly in small businesses that lack stringent patch management processes.
Interestingly, CosmicBeetle compensates for its technical shortcomings by relying on tools from more established ransomware groups. For example, they have been using the leaked builder from LockBit to construct their own malware and impersonate the infamous gang in ransom notes and on leak sites. This tactic helps them gain credibility despite being relatively new and underdeveloped.
Researchers have noted some links to Turkey, with Turkish strings appearing in the group’s malware code. However, there is still uncertainty around the group’s exact origins. Some believe it might be connected to the RansomHub gang, which has been increasingly active since March 2024.
While the ransomware deployed by CosmicBeetle might not yet match the sophistication of more seasoned players, their continuous development and ability to cause real damage make them a growing threat, particularly for smaller organizations with weaker cybersecurity defenses.

