The Beast Returns: Analysis of a Beast Ransomware Server

Team Cymru discovered an open directory on 5.78.84[.]144 that contained a full Beast ransomware operator toolkit, revealing tools and binaries used across reconnaissance, credential theft, lateral movement, exfiltration, and cleanup. The collection included Windows and Linux Beast binaries, scripts to disable backups and wipe traces, and evidence of data exfiltration workflows (e.g., MEGASync) tied to the BEAST LEAKS operation. #BeastRansomware #BEASTLEAKS

Keypoints

  • Team Cymru used NetFlow-augmented Open Ports scanning to detect an open directory hosted at 5.78.84[.]144 (AS212317, Hetzner) that exposed an operator toolkit for Beast ransomware.
  • The exposed files mapped the full intrusion lifecycle: reconnaissance and network mapping, credential theft, persistence, lateral movement, exfiltration, and final-stage cleanup.
  • Reconnaissance tools found included Advanced IP Scanner, Advanced Port Scanner, Everything.exe, and FolderSize, used to locate high-value systems and open RDP/SMB ports.
  • Credential-theft artifacts included Mimikatz, LaZagne, Automim, an enable_dump_pass.reg to enable WDigest cleartext storage, and a Kerberos.ps1 script likely for Kerberoasting.
  • Lateral movement and persistence tools included PsExec, OpenSSH for Windows, and AnyDesk; exfiltration tools included MEGASync, WinSCP, and Klink for large-volume data transfer.
  • Final-stage files included disable_backup.bat to remove Volume Shadow Copies, CleanExit.exe to wipe logs/tools, and Beast ransomware binaries for Windows and Linux (e.g., encrypter-windows-cli-x86.exe, encrypter-linux-x64.run).
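Two of the artifacts above have direct detection counterparts for defenders: a .reg file that flips the WDigest UseLogonCredential value to store cleartext credentials, and a batch script that deletes Volume Shadow Copies (T1490). The following is an added example, not code from the Team Cymru report; the .reg contents and process command lines are constructed stand-ins, since the report does not reproduce the real files.

```python
"""Detection helpers for two Beast toolkit artifacts described in the report:
a .reg file enabling WDigest cleartext caching, and shadow-copy deletion.
All sample inputs below are constructed for illustration."""
import re

# Real registry key whose UseLogonCredential=1 makes WDigest cache cleartext passwords.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# Constructed stand-in for enable_dump_pass.reg (the actual file is not in the report).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest]
"UseLogonCredential"=dword:00000001
"""

# Constructed process-creation command lines (Sysmon Event ID 1 / Security 4688 style).
SAMPLE_CMDLINES = [
    "vssadmin.exe delete shadows /all /quiet",
    "wmic.exe shadowcopy delete",
    "wbadmin.exe delete catalog -quiet",
    "bcdedit.exe /set {default} recoveryenabled no",
    "vssadmin.exe list shadows",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

def reg_enables_wdigest_cleartext(reg_text: str) -> bool:
    """True if the .reg text sets UseLogonCredential=1 under the WDigest key."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()          # section header names the key
        elif current_key == WDIGEST_KEY.lower():
            m = re.match(r'"UseLogonCredential"=dword:([0-9a-fA-F]{8})', line)
            if m and int(m.group(1), 16) == 1:
                return True
    return False

# Command-line patterns for Inhibit System Recovery (MITRE T1490).
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I),
]

def flag_recovery_tampering(cmdlines):
    """Return only the command lines that match a known T1490 pattern."""
    return [c for c in cmdlines if any(p.search(c) for p in RECOVERY_TAMPER)]
```

In a live environment the same two checks map onto a registry-audit rule for the WDigest key and a process-creation alert on the patterns above.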

MITRE Techniques

  • [T1595] Active Scanning – Used to discover live hosts and open services (‘Advanced IP Scanner and Advanced Port Scanner … map internal networks and find open remote desktop protocol (RDP) or server message block (SMB) ports.’)
  • [T1046] Network Service Discovery – Tools and scans were used to enumerate network services and listening ports to prioritize targets (‘map internal networks and find open remote desktop protocol (RDP) or server message block (SMB) ports.’)
  • [T1003] Credential Dumping – Mimikatz, LaZagne, and Automim were present to extract credentials from memory and stored locations (‘Copies of Mimikatz, LaZagne, and Automim were identified on the server, the gold standard for dumping passwords from memory and recovering stored passwords from browsers, databases, and email clients.’)
  • [T1558] Kerberoasting / Kerberos Ticket Theft – A Kerberos.ps1 script was likely used to extract service account tickets for offline cracking (‘Another script was found called Kerberos.ps1 that was likely used for Kerberoasting, whereby the attackers can extract service account tickets to crack them offline.’)
  • [T1078] Valid Accounts / Use of Legitimate Remote Access – AnyDesk and other legitimate RMM tools were used to persist and access systems while evading detections (‘A copy of AnyDesk was stored on the server, a well known remote monitoring and management (RMM) tool … useful for these adversaries due to antivirus and endpoint detection and response (EDR) systems not usually blocking it as malicious by default.’)
  • [T1021] Remote Services (PsExec/OpenSSH) – PsExec and OpenSSH for Windows were used to execute commands remotely and move laterally across the network (‘PsExec … also used by many ransomware groups to spread inside a target environment. A copy of OpenSSH for Windows was also found on the server, which can be used by the attackers to create secure tunnels for remote access.’)
  • [T1567] Exfiltration to Cloud Storage / Web Services – MEGASync, WinSCP, and Klink were used to upload and transfer large volumes of stolen data (e.g., Mega[.]nz) (‘MEGASync … can be used to upload hundreds of Gigabytes of stolen data … The Beast operator was also using WinSCP and Klink too, which can be used to exfiltrate data via SFTP and other protocols.’)
  • [T1490] Inhibit System Recovery – Scripts to delete Volume Shadow Copies and disable backups were used to prevent restoration (‘One file, called “disable_backup.bat”, is a batch script designed to delete Volume Shadow Copies (VSS) and disable Windows backups.’)
  • [T1070] Indicator Removal on Host – CleanExit.exe and similar tools were used to wipe logs and tooling after completion of the attack (‘Another file called “CleanExit.exe” is likely a tool used by the Beast operator to wipe logs and their tools after the encryption is triggered, making forensic recovery harder.’)

Indicators of Compromise

  • [IP Address] Beast operator open directory – 5.78.84[.]144 (AS212317 / Hetzner)
  • [ASN / Organization] Hosting and attribution – AS212317 (Hetzner)
  • [File Hash] SHA256 malware samples (sandbox submissions) – e.g., 6718cb66521a678274e5672285bf208eac375827d622edcf1fe7eba7e7aa65e0 and 0479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea237822 (and other hashes reported)
  • [File Names] Exposed toolkit and payload filenames – encrypter-windows-cli-x86.exe, encrypter-linux-x64.run, disable_backup.bat (and many other filenames listed in the open directory)
  • [Domain / Service] Exfiltration and leak site context – Mega[.]nz (MEGASync used for uploads) and BEAST LEAKS (Tor data leak site referenced for victim shaming)
Read more: https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis