What we know about CosmicBeetle, the hacker group that has a fixation on Spain


The cybercriminal group known as CosmicBeetle has been deploying malware attacks in Asia and Europe, with Spain being one of the most affected countries. The group targets mainly small and medium-sized businesses: 100% of its attacks in Spain have been directed at companies, with victims located in key sectors such as industry, financial services and architecture.

According to cybersecurity firm ESET’s research group, CosmicBeetle has been using custom malware in its latest wave of attacks. It has been dubbed ScRansom, and is suspected of acting in cooperation with another well-known cybercriminal group, RansomHub, which has been active since March 2024.

ESET researcher Jakub Souček points to this possible link between the two cybercriminal groups based on the fact that “we recently observed the deployment of several samples of ScRansom and RansomHub on the same machine within just a week of each other. This RansomHub execution was very unusual compared to typical cases we have seen in ESET telemetry, but quite similar to CosmicBeetle’s modus operandi.”

CosmicBeetle has also been using a tool from the LockBit cybercriminal group, specifically its leaked builder, which is used to generate new malware variants.

“Likely due to the hurdles of writing custom ransomware from scratch, CosmicBeetle attempted to take advantage of LockBit’s reputation, possibly to mask underlying issues with their ransomware and in turn increase the chances of victims paying,” the researcher explains. By using LockBit’s tool, CosmicBeetle was able to bypass some of the problems of creating malware from scratch and give their attacks a more sophisticated appearance.

The image below shows a heatmap of CosmicBeetle attacks since August 2023, based on ESET telemetry.

CosmicBeetle Attack Map

In addition to Spain, other countries in Europe and parts of South America and Africa have also been affected. In general, attacks have been detected on SMEs in the industrial, pharmaceutical, legal, education, healthcare, technology, hospitality, financial services and government sectors. The CosmicBeetle group was discovered in 2023, but is believed to have been active since 2020.

ScRansom manages to cause damage

ScRansom is not a very sophisticated ransomware, but CosmicBeetle has been able to compromise targets of interest and cause them a lot of damage, according to ESET. CosmicBeetle is clearly an inexperienced actor in the world of ransomware, judging by the many problems that can be found in its code.

That is why, they argue, victims of this criminal group should be cautious when deciding whether to pay: although the decryptor itself works, it often requires multiple decryption keys, and some files may be permanently lost depending on how CosmicBeetle proceeded during encryption. In other words, even after paying the demanded amount, it may not be possible to recover all of the company’s files.
