Beast Ransomware Attacking Windows, Linux, And ESXi Systems


Ransomware groups are cybercriminal organizations that deploy malware to encrypt victims’ data, rendering it inaccessible until a ransom is paid. The rise in ransomware incidents has significantly impacted organizations worldwide.

Cybersecurity researchers at Cybereason recently published an analysis of Beast ransomware, which has been actively attacking Windows, Linux, and ESXi systems.


The Beast ransomware group has been operational since 2022 and has continuously evolved its malware to target multiple operating systems. The ransomware was initially written in Delphi; later variants were rewritten in C and Go.

Beast Ransomware

The ransomware combines elliptic-curve cryptography with the ChaCha20 stream cipher for file encryption. It features multithreaded file encryption, process termination, and shadow copy deletion on Windows systems.


The Linux and ESXi versions offer customizable encryption paths and an option to shut down virtual machines before encryption. Beast creates a mutex named “BEAST HERE?” to prevent multiple instances from running, and it avoids encrypting data on systems located in CIS (Commonwealth of Independent States) countries.

It spreads through phishing emails, compromised RDP endpoints, and SMB network scans. According to the Cybereason report, the ransomware uses the Windows Restart Manager (RstrtMgr.dll) to release file handles held by other processes so that locked files can be encrypted.

Recent updates include an offline builder for configuring Windows, NAS, and ESXi builds, which demonstrates the group’s adaptability to demand within the cybercriminal ecosystem.

Services targeted by Beast Ransomware (Source – Cybereason)

Beast begins its attack on Windows by deleting Volume Shadow Copies: it issues the Windows Management Instrumentation (WMI) query “Select * FROM Win32_ShadowCopy” to enumerate them, then calls the IWbemServices::DeleteInstance method on each one to remove it, eliminating the victim’s local restore points.

It then encrypts files using multiple threads: a parent thread assigns files to child threads so that many files are encrypted simultaneously.

The ransomware targets a wide range of file formats, including documents, images, videos, and databases, on the local host and on all reachable network shares.

Without the attackers’ decryption key, the encrypted files cannot be recovered.

Ransom Note (Source – Cybereason)

During encryption, it drops a ransom note named “README.txt” in each affected directory. The note text is stored encoded in the malware’s embedded settings and is decoded at runtime.

Beast also includes a hidden GUI that can be opened during encryption by holding ALT+CTRL and typing “666.”

Together, shadow copy deletion, multithreaded encryption, and per-directory ransom note placement maximize both the impact and the speed of the attack.
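The behaviours described above (the “BEAST HERE?” mutex, WMI enumeration of Win32_ShadowCopy followed by DeleteInstance from the same process, and a burst of README.txt notes across many directories) are observable in endpoint telemetry. The following is an added detection sketch, not code from Cybereason or from the Beast operators. It runs over a constructed, product-neutral event format (dicts with ts, type, pid and a payload); the field names, the burst thresholds, and the sample events are assumptions, and a real deployment would map them onto the EDR or Sysmon schema in use.

```python
"""Correlate constructed endpoint telemetry for Beast-style behaviour.

Added detection sketch (not Cybereason's or the malware authors' code).
Each event is a dict: {"ts": seconds, "type": ..., "pid": ..., payload...}.
This event shape and the thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Indicators taken from the article.
BEAST_MUTEX = "BEAST HERE?"
SHADOWCOPY_QUERY = re.compile(r"select\s+\*\s+from\s+win32_shadowcopy", re.I)
RANSOM_NOTE = "readme.txt"

# Assumed thresholds: one process dropping the note into this many distinct
# directories within the window is treated as an encryption burst.
NOTE_BURST_DIRS = 5
NOTE_BURST_WINDOW = 60  # seconds


def detect(events):
    """Return a list of (rule, pid, detail) findings for the given events."""
    findings = []
    wmi_enum = set()            # pids that enumerated Win32_ShadowCopy
    notes = defaultdict(list)   # pid -> [(ts, directory)] of README.txt drops

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pid, ts = ev["type"], ev["pid"], ev["ts"]
        if kind == "mutex" and ev["name"] == BEAST_MUTEX:
            findings.append(("beast_mutex", pid, ev["name"]))
        elif kind == "wmi_query" and SHADOWCOPY_QUERY.search(ev["query"]):
            # Enumeration alone is not malicious (backup agents do it), so
            # only remember the pid and require a follow-up DeleteInstance.
            wmi_enum.add(pid)
        elif kind == "wmi_method" and ev["method"].lower() == "deleteinstance":
            if pid in wmi_enum and "win32_shadowcopy" in ev["target"].lower():
                findings.append(("shadow_copy_deletion", pid, ev["target"]))
        elif kind == "file_create":
            path = ev["path"].replace("/", "\\")
            directory, _, name = path.rpartition("\\")
            if name.lower() == RANSOM_NOTE:
                notes[pid].append((ts, directory))

    for pid, drops in notes.items():
        drops.sort()
        # Sliding window over the drops: count distinct directories that
        # received the note within NOTE_BURST_WINDOW of each starting drop.
        for i, (t0, _) in enumerate(drops):
            window = {d for t, d in drops[i:] if t - t0 <= NOTE_BURST_WINDOW}
            if len(window) >= NOTE_BURST_DIRS:
                findings.append(("ransom_note_burst", pid, f"{len(window)} dirs"))
                break
    return findings


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    # Legitimate backup agent lists shadow copies but never deletes them.
    {"ts": 0, "type": "wmi_query", "pid": 4100,
     "query": "SELECT * FROM Win32_ShadowCopy"},
    # Suspect process creates the Beast mutex.
    {"ts": 10, "type": "mutex", "pid": 7312, "name": BEAST_MUTEX},
    # Same process enumerates, then deletes, a shadow copy via WMI.
    {"ts": 11, "type": "wmi_query", "pid": 7312,
     "query": "Select * FROM Win32_ShadowCopy"},
    {"ts": 12, "type": "wmi_method", "pid": 7312, "method": "DeleteInstance",
     "target": 'Win32_ShadowCopy.ID="{00000000-0000-0000-0000-000000000001}"'},
    # Developer writing two README.txt files should stay below threshold.
    {"ts": 15, "type": "file_create", "pid": 9001, "path": r"C:\src\app\README.txt"},
    {"ts": 16, "type": "file_create", "pid": 9001, "path": r"C:\src\lib\README.txt"},
] + [
    # Ransom notes land in six directories within a few seconds.
    {"ts": 20 + i, "type": "file_create", "pid": 7312,
     "path": rf"C:\Users\victim\Documents\dir{i}\README.txt"}
    for i in range(6)
]


def run_sample():
    """Run the detector over the constructed sample and return its findings."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule:22} pid={pid} {detail}")
```

The shadow copy rule deliberately requires both the Win32_ShadowCopy query and a DeleteInstance call from the same process, since backup software routinely performs the enumeration on its own; the ransom note rule keys on distinct directories rather than raw file count so that a single application writing one README is not enough to trigger it.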

Recommendations

The report’s recommendations are as follows:

  • Hunt for pre-ransomware activity associated with Beast affiliates (initial access via phishing, RDP, or SMB) before encryption begins.
  • Enforce MFA, especially on RDP and other remote access, and keep systems patched.
  • Enable anti-malware in prevent/quarantine mode.
  • Enable anti-ransomware protection, shadow copy protection, and application control.
  • Back up files regularly and keep copies offline or otherwise out of reach of a compromised host.
  • Enable Variant Payload Prevention.
