Ransomware groups have emerged as formidable adversaries in the realm of cybersecurity, employing sophisticated malware to encrypt victims’ data and demanding a ransom for its release. The escalating frequency of ransomware incidents has left organizations across the globe grappling with significant challenges.
Beast Ransomware
Among the latest threats is the Beast ransomware, identified by cybersecurity researchers at Cybereason. This group has been active since 2022, demonstrating a remarkable ability to adapt its malware to target various operating systems, including Windows, Linux, and ESXi. Originally crafted in Delphi, the ransomware has since evolved, now utilizing C and Go for its development.
The Beast ransomware employs a sophisticated blend of encryption techniques, specifically “elliptic-curve” and “ChaCha20” encryption. Its arsenal includes features such as “multithreaded file encryption,” “process termination,” and “shadow copy deletion” on Windows systems, enhancing its effectiveness and reach.
For Linux and ESXi environments, the ransomware offers “customizable encryption paths” and “VM shutdown options,” showcasing its versatility. To prevent multiple instances from running simultaneously, it creates a “BEAST HERE?” mutex and strategically avoids encrypting data in “CIS countries.”
The spread of Beast ransomware is facilitated through various vectors, including “phishing emails,” “compromised RDP endpoints,” and “SMB network scans.” Notably, it exploits the “RstrtMgr.dll” (Restart Manager) to manipulate file access prior to encryption, as detailed in Cybereason’s report.
Recent enhancements to the ransomware include an “offline builder” that allows cybercriminals to configure builds for Windows, NAS, and ESXi systems, reflecting the group’s responsiveness to the evolving landscape of cyber threats.
The attack sequence initiated by Beast ransomware begins with the deletion of Shadow Copies. Utilizing a “Windows Management Instrumentation” (WMI) query, it identifies and removes these backups, thereby crippling recovery options for victims. Following this, the ransomware employs multithreading to facilitate efficient file encryption, allowing multiple files to be encrypted simultaneously.
Targeting a broad spectrum of file formats—including “documents,” “images,” “videos,” and “databases”—Beast ransomware utilizes robust encryption algorithms to render files inaccessible without the decryption key held by the attackers.
During the encryption process, a decoded “README.txt” ransom note is placed in each affected directory, extracted from the malware’s embedded settings. Additionally, users can access the “GUI” of the Beast ransomware during encryption by pressing “ALT+CTRL” and typing “666,” further complicating their recovery efforts.
This comprehensive strategy, which combines “shadow copy deletion,” “multithreaded encryption,” and the strategic placement of ransom notes, is designed to maximize the impact and efficiency of the attack.
Recommendations
To mitigate the risks posed by Beast ransomware, the following recommendations are advised:
- Track Beast affiliates for signs of pre-ransomware activity.
- Promote multi-factor authentication (MFA) and regular patching.
- Enable anti-malware solutions to prevent or quarantine threats.
- Implement anti-ransomware measures, including shadow copy protection and application control.
- Ensure systems are consistently patched.
- Regularly back up files to secure locations.
- Enable variant payload prevention to enhance defenses.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here
