Emerging Ransomware Trends: CosmicBeetle, Cicada3301, and the Evolution of EDR Evasion
The ransomware landscape continues to evolve at a rapid pace, with threat actors constantly refining their tactics and tools to maximize their impact and evade detection. Recent developments in the cybersecurity world have shed light on several concerning trends, including the emergence of new ransomware strains, the evolution of existing threats, and the sophisticated methods employed to bypass security measures. This blog post delves into three significant developments: the debut of ScRansom by CosmicBeetle, updates to the Cicada3301 ransomware, and the transformation of the BURNTCIGAR driver into an EDR wiper.
Technical Details
- CosmicBeetle’s ScRansom
- Vulnerability Types: Exploitation of known CVEs, brute-force attacks
- Affected Products: Various, including Windows systems and network devices
- CVEs Exploited:
- CVE-2017-0144 (EternalBlue)
- CVE-2020-1472 (Zerologon)
- CVE-2021-42278, CVE-2021-42287 (Sam-the-Admin)
- CVE-2022-42475 (FortiOS SSL-VPN)
- CVE-2023-27532 (Fortinet FortiOS, FortiProxy, and FortiSwitchManager)
- Impact: Data encryption, potential data exfiltration, business disruption
- IoCs: Presence of ScRansom binaries, Spacecolon toolset artifacts
- Detection Rules: Monitor for suspicious process terminations, unusual file encryption activities, and the presence of known CosmicBeetle tools
- Cicada3301 Updates
- Vulnerability Type: Ransomware payload updates
- Affected Products: Windows systems
- Impact: Enhanced evasion capabilities, potential for silent encryption without ransom notes
- IoCs: Updated Cicada3301 binaries, presence of PsExec with specific execution patterns
- Detection Rules: Monitor for PsExec usage with specific arguments, track file encryption patterns characteristic of Cicada3301
- BURNTCIGAR/POORTRY Evolution
- Vulnerability Type: Kernel-mode driver abuse (BYOVD)
- Affected Products: EDR solutions, Windows systems
- Impact: Disabling of EDR functionality, potential for complete removal of security protections
- IoCs: Presence of signed malicious drivers, sudden termination or deletion of EDR processes/files
- Detection Rules: Monitor for the loading of known vulnerable drivers, track attempts to modify kernel notify routines, watch for mass termination of security-related processes
CosmicBeetle Debuts ScRansom
The threat actor known as CosmicBeetle has introduced a new custom ransomware strain called ScRansom, targeting small- and medium-sized businesses across Europe, Asia, Africa, and South America. This development marks a significant shift in the group’s tactics, as they have replaced their previously deployed Scarab ransomware with this new, continuously improved variant.
ScRansom attacks have been observed across a wide range of sectors, including manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and even regional government entities. The diverse target list underscores the indiscriminate nature of these attacks and the broad threat they pose to organizations of all types.
CosmicBeetle’s attack methodology involves a mix of brute-force attacks and exploitation of known vulnerabilities to gain initial access. Once inside a network, they deploy a suite of tools, including Reaper, Darkside, and RealBlindingEDR, to terminate security processes and evade detection. The final payload, ScRansom, is a Delphi-based ransomware that supports partial encryption for faster operation and includes an “ERASE” mode to render files unrecoverable.
Interestingly, ESET researchers have also noted a potential connection between CosmicBeetle and the RansomHub group, as both ScRansom and RansomHub payloads were observed on the same compromised machine within a week’s timeframe. This suggests that CosmicBeetle may be operating as an affiliate for RansomHub or that there’s some level of collaboration between the two entities.
Cicada3301 Ransomware Updates
The Cicada3301 ransomware, also known as Repellent Scorpius, has received notable updates since July 2024. The most significant changes include:
- A new command-line argument (–no-note) that allows the ransomware to encrypt files without leaving a ransom note, potentially making detection and recovery more challenging.
- Removal of hard-coded usernames and passwords from the binary, although the capability to use PsExec with provided credentials remains.
These updates demonstrate the ongoing evolution of ransomware tactics, with a focus on stealth and flexibility in deployment. The potential use of data from older compromises, predating the Cicada3301 brand, raises questions about the group’s history and connections to other ransomware operations.
BURNTCIGAR: From EDR Killer to Wiper
The BURNTCIGAR malware, also known as POORTRY, has undergone a significant evolution. Originally used as a kernel-mode signed Windows driver to disable EDR software, it has now been enhanced to act as a wiper, capable of deleting critical components of security solutions rather than just terminating them.
This malware is delivered through a loader called STONESTOP, which facilitates a Bring Your Own Vulnerable Driver (BYOVD) attack to bypass Driver Signature Enforcement. The ability to “force delete” files on disk makes BURNTCIGAR particularly dangerous, as it can potentially leave systems completely unprotected against subsequent attacks.
Multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub, have been observed using BURNTCIGAR in their operations. This widespread adoption highlights the effectiveness of the tool and the concerning trend of shared resources among different cybercriminal groups.
Remediation Steps
To protect against these emerging threats, organizations should consider implementing the following measures:
- Keep all systems and software up to date with the latest security patches, particularly addressing the known CVEs exploited by CosmicBeetle and other threat actors.
- Implement strong password policies and multi-factor authentication to mitigate the risk of brute-force attacks.
- Regularly backup critical data and store backups offline or in air-gapped environments to ensure recovery options in case of a successful ransomware attack.
- Deploy and maintain robust EDR solutions, and implement additional monitoring to detect attempts to disable or remove these security measures.
- Utilize application whitelisting and strict USB device controls to prevent the execution of unauthorized software and the introduction of potentially malicious drivers.
- Conduct regular security awareness training for employees, focusing on recognizing phishing attempts and practicing good cybersecurity hygiene.
- Implement network segmentation to limit the potential spread of ransomware within the organization.
- Establish and regularly test an incident response plan that includes procedures for dealing with ransomware attacks and potential data breaches.
By staying informed about the latest ransomware trends and implementing a multi-layered security approach, organizations can significantly reduce their risk of falling victim to these increasingly sophisticated cyber threats.