“Beast Ransomware Threat Analysis”

Cybereason’s Threat Analysis examines the Beast Ransomware-as-a-Service (RaaS), describing its growing ecosystem, multi-platform binaries (Windows, Linux, ESXi), propagation and evasion tactics, and how the Cybereason Defense Platform detects and blocks it. The report includes technical details, IOCs, and actionable recommendations for defenders.

Key points

  • Beast is an evolving RaaS that markets continuous updates and an expanding affiliate marketplace to attract more operators.
  • The platform can produce customizable binaries for Windows, Linux, and VMware ESXi, with an offline builder advertised in August 2024.
  • Windows variants use a combination of elliptic-curve and ChaCha20 encryption, segmented and multithreaded file encryption, ZIP wrapper mode, and extensive service/process termination.
  • Beast implements geofencing to avoid encrypting systems in CIS countries by checking system locale and querying an external IP logging domain.
  • Self-propagation is supported via SMB/subnet scanning to find and infect vulnerable hosts on local networks.
  • Cybereason provides detection/prevention guidance and platform-specific controls (Anti-Malware, Anti-Ransomware/PRP, Application Control, Variant Payload Prevention) to mitigate Beast attacks.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Used to query and manage system components such as shadow copies for deletion (IWbemServices::ExecQuery("WQL", "Select * FROM Win32_ShadowCopy")).
  • [T1106] Native API – Uses native system APIs for actions like deleting shadow copies and stopping services (IWbemServices::DeleteInstance("…Win32_ShadowCopy.ID=…")).
  • [T1543.003] Create or Modify System Process: Windows Service – Creates or modifies services to maintain or escalate persistence (article maps Beast to service creation/modification behavior).
  • [T1083] File and Directory Discovery – Enumerates files and directories to identify targets for encryption (article describes discovery to build encrypted file lists).
  • [T1078.001] Valid Accounts: Default Accounts – May leverage default local accounts as part of privilege escalation and lateral access (mapping lists default account use).
  • [T1078.002] Valid Accounts: Domain Accounts – Uses domain accounts for network access and lateral movement (mapping lists domain account abuse).
  • [T1135] Network Share Discovery – Scans for network shares to find and encrypt remote files (article details network share discovery for lateral spread).
  • [T1016] System Network Configuration Discovery – Gathers network configuration and subnet information to support SMB scanning and propagation (article references subnet scanner and SMB scanning).
  • [T1406.002] Obfuscated Files or Information: Software Packing – Employs packing/obfuscation to hide payloads and evade detection (mapping lists software packing use).
  • [T1620] Reflective Code Loading – Loads code into memory to avoid writing to disk and evade defensive controls (mapping indicates reflective loading behavior).
  • [T1021.002] Remote Service: SMB/Windows Admin Shares – Uses SMB to move laterally and deploy encryption across accessible admin shares (article describes SMB scanning and exploitation of Windows admin shares).
  • [T1119] Automated Collection – Automates the collection and processing of target data prior to encryption (mapping lists automated collection behavior).
  • [T1486] Data Encrypted for Impact – Encrypts a wide range of file types across endpoints and networked storage to extort victims (article details multithreaded segmented encryption and targeted file types).
  • [T1489] Service Stop – Stops services to unlock files before encryption (article documents termination of backup and database services).
  • [T1490] Inhibit System Recovery – Deletes shadow copies and disables recovery mechanisms to increase impact (the "Select * FROM Win32_ShadowCopy" query and subsequent DeleteInstance calls are used for shadow copy deletion).

Indicators of Compromise

  • [Domain] Geofencing IP query – iplogger[.]co/1v1i85[.]torrent (used to determine victim location).
  • [SHA-256] Beast Windows encryptor samples – 4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf, 369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b, and 3 more hashes.
  • [File name / Artifact] Ransom note – README.txt (ransom note extracted from settings and written to directories during encryption).
  • [String / Mutex] Process mutex – "BEAST HERE?" (prevents multiple instances running concurrently).
  • [DLL / Component] System component abused – RstrtMgr.dll (Restart Manager leveraged to unlock and close files before encryption).

Cybereason’s analysis traces Beast back to at least 2022 and documents how the group has matured its Ransomware-as-a-Service offering to meet demand in underground markets. The operators have advertised partnership programs and continuously release updated tools; in August 2024 an offline builder surfaced that lets affiliates configure builds targeting Windows, NAS, and VMware ESXi environments. Earlier Beast variants (also called Monster) were written in Delphi, but current builds show a shift to C for Windows and C/Go for Linux variants, and they deploy a mix of elliptic-curve and ChaCha20 cryptography for robust encryption.

On Windows, Beast’s encryptor implements segmented file encryption with a multithreaded queue that accelerates processing by delegating files from a parent thread to concurrent child threads. It can wrap files on the fly into ZIP containers containing the ransom note, terminate a long list of backup and database services to release file locks, remove Volume Shadow Copies via WMI queries and DeleteInstance calls, mount hidden partitions, and scan subnets to locate additional targets. The ransomware creates a unique mutex string "BEAST HERE?" to prevent duplicate instances, and it queries an external IP logging domain as part of geofencing logic that halts encryption on systems identified as being in CIS countries (e.g., Russia, Belarus, Moldova) by checking locale, country code, and public IP. To show its GUI during encryption, the binary responds to the user pressing ALT+CTRL and typing 666.
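Segmented encryption matters for detection because a whole-file entropy score can stay below the level usually treated as "encrypted" while the file is already unusable. The following added example (not Cybereason's code, and not a reproduction of Beast's segment size or offsets, which are assumed here) scores fixed-size chunks separately so that a mix of ciphertext-like and plaintext-like regions is flagged even when the whole-file score looks modest:

```python
"""Chunked-entropy triage for segmented (partial) file encryption.

Added example, not Cybereason's code. The Beast analysis says the
Windows encryptor encrypts files in segments. A single whole-file
entropy score can then stay below the ~7.5-bit level usually treated as
"encrypted", because untouched plaintext dilutes the ciphertext. Scoring
fixed-size chunks separately exposes the mix. The sample file and its
alternating segment layout are constructed here; they are an assumption
and do not reproduce Beast's real segment size or offsets.
"""
import math
import random

CHUNK = 4096   # assumed scoring granularity, not Beast's segment size
HIGH = 7.5     # chunk entropy (bits/byte) at or above this looks like ciphertext
LOW = 5.5      # chunk entropy at or below this looks like plaintext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk; the last chunk may be short."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH, low: float = LOW) -> dict:
    """Compare whole-file entropy with the per-chunk profile.

    A file with both ciphertext-like and plaintext-like chunks is flagged as a
    segmented-encryption suspect even when its whole-file score is modest.
    """
    ents = chunk_entropies(data, chunk)
    n_high = sum(1 for e in ents if e >= high)
    n_low = sum(1 for e in ents if e <= low)
    if n_high and n_low:
        verdict = "segmented-encryption-suspect"
    elif ents and n_high == len(ents):
        verdict = "fully-high-entropy"
    else:
        verdict = "plaintext-like"
    return {
        "whole_file_entropy": shannon_entropy(data),
        "chunks": len(ents),
        "high_chunks": n_high,
        "low_chunks": n_low,
        "verdict": verdict,
    }


def build_sample(seed: int = 7):
    """Return (plaintext_file, segmented_file) built in memory.

    The segmented file has every other 4 KiB chunk overwritten with seeded
    pseudo-random bytes standing in for ciphertext. Constructed data only.
    """
    rng = random.Random(seed)
    text_chunk = (b"Quarterly report: revenue, costs, headcount, notes. " * 80)[:CHUNK]
    plain = text_chunk * 8                       # 32 KiB of low-entropy text
    buf = bytearray(plain)
    for i in range(0, len(buf), 2 * CHUNK):      # chunks 0, 2, 4, 6 become "ciphertext"
        buf[i:i + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return plain, bytes(buf)


if __name__ == "__main__":
    plain, segmented = build_sample()
    for name, blob in (("plain", plain), ("segmented", segmented)):
        r = classify(blob)
        print(f"{name:9s} whole={r['whole_file_entropy']:.2f} "
              f"high={r['high_chunks']} low={r['low_chunks']} -> {r['verdict']}")
```

The thresholds are deliberately conservative; in practice they should be tuned per file type, since compressed formats (ZIP, JPEG, PDF streams) are legitimately high-entropy throughout and land in the "fully-high-entropy" bucket rather than the segmented one.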

Beast’s Linux build accepts command-line arguments that let operators select encryption paths, enable or disable features, supply an external ransom note file, and run as a daemon. The ESXi variant adds options tailored to virtualized environments, such as shutting down VMs before encrypting machine files and excluding specific vmid values from targeting. For propagation, Beast runs SMB and subnet scans to automatically find vulnerable hosts on nearby networks and uses Windows admin shares for lateral movement, enabling rapid spread without manual intervention.

The ransomware manipulates system components to assist encryption. It leverages the Restart Manager (RstrtMgr.dll) to safely close and unlock open files after stopping services, and it explicitly queries and deletes shadow copies using IWbemServices WQL queries (for example, ExecQuery("WQL", "Select * FROM Win32_ShadowCopy") followed by DeleteInstance calls) to inhibit system recovery. Encrypted files are replaced with unreadable data controlled by the attackers, and a decoded ransom note is written as README.txt into directories that are not excluded. Cybereason published multiple SHA-256 hashes associated with Beast Windows encryptors and shared the iplogger domain used for geofencing.
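The query-then-delete sequence against Win32_ShadowCopy is a natural correlation point for a detection rule. The following added example (not Cybereason's code) correlates, per client process, a WQL query for Win32_ShadowCopy with subsequent DeleteInstance calls on shadow-copy instances. The log lines are constructed and their field layout is an assumption, not the schema of Microsoft-Windows-WMI-Activity or of any vendor product:

```python
"""Correlate WMI shadow-copy enumeration with deletion, per client process.

Added example, not Cybereason's code. The Beast analysis describes the
encryptor running a WQL query for Win32_ShadowCopy and then calling
DeleteInstance on each result. This detector reads constructed log lines
that loosely imitate WMI activity telemetry (one event per line with
pid/user/op/argument fields); that line format is an assumption, not the
schema of Microsoft-Windows-WMI-Activity or any vendor product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. pid 4412 shows the Beast-style sequence;
# pid 1208 only enumerates (e.g. a backup job); pid 9001 is unrelated.
SAMPLE_LOG = """\
2025-01-10T10:00:01Z pid=4412 user=CORP\\svc-app op=ExecQuery ns=root\\cimv2 arg="Select * FROM Win32_ShadowCopy"
2025-01-10T10:00:02Z pid=4412 user=CORP\\svc-app op=DeleteInstance ns=root\\cimv2 arg="Win32_ShadowCopy.ID={00000000-0000-0000-0000-000000000001}"
2025-01-10T10:00:02Z pid=4412 user=CORP\\svc-app op=DeleteInstance ns=root\\cimv2 arg="Win32_ShadowCopy.ID={00000000-0000-0000-0000-000000000002}"
2025-01-10T10:05:00Z pid=1208 user=CORP\\backup op=ExecQuery ns=root\\cimv2 arg="Select * FROM Win32_ShadowCopy"
2025-01-10T10:30:00Z pid=9001 user=CORP\\bob op=ExecQuery ns=root\\cimv2 arg="Select * FROM Win32_Process"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) user=(?P<user>\S+) op=(?P<op>\w+) '
    r'ns=(?P<ns>\S+) arg="(?P<arg>[^"]*)"$'
)
SHADOW_RE = re.compile(r"\bWin32_ShadowCopy\b", re.IGNORECASE)


def parse(log_text: str) -> list:
    """Parse lines into event dicts; lines outside the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["pid"] = int(e["pid"])
        events.append(e)
    return events


def detect_shadow_copy_deletion(log_text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert per process that deleted Win32_ShadowCopy instances.

    The alert records whether the process enumerated shadow copies shortly
    before deleting them, which is the sequence the Beast analysis documents.
    Enumeration alone (pid 1208 above) is not alerted: backup tooling does it.
    """
    by_pid = defaultdict(list)
    for e in parse(log_text):
        by_pid[e["pid"]].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        last_query = None
        deleted, enumerated_first = [], False
        for e in evs:
            if not SHADOW_RE.search(e["arg"]):
                continue
            if e["op"] == "ExecQuery":
                last_query = e["ts"]
            elif e["op"] == "DeleteInstance":
                deleted.append(e["arg"])
                if last_query is not None and e["ts"] - last_query <= window:
                    enumerated_first = True
        if deleted:
            alerts.append({
                "pid": pid,
                "user": evs[0]["user"],
                "deleted": len(deleted),
                "enumerated_first": enumerated_first,
                "technique": "T1490 Inhibit System Recovery",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(a)
```

Any DeleteInstance on a shadow copy is alerted; the enumerated_first flag raises confidence when it is preceded by the WQL query within the window. In production the same logic would sit on top of the real WMI activity provider, and the alert should be enriched with the client process image path so that vssadmin and backup agents can be allow-listed explicitly rather than by user name.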

To defend against Beast, Cybereason recommends hunting for affiliate activity and pre-ransomware behaviors, enforcing multi-factor authentication and solid patch management, and maintaining reliable backups and a documented recovery policy. For organizations using the Cybereason Defense Platform, the vendor suggests enabling Anti-Malware (set signatures to Prevent, Quarantine, or Disinfect), activating Anti-Ransomware/PRP with Quarantine mode and shadow copy protection, turning on Application Control, keeping systems patched, and enabling Variant Payload Prevention on behavioral execution prevention. These controls aim to detect and block payloads, prevent execution of novel variants, and preserve recovery options.

The report includes a mapping to MITRE ATT&CK techniques that covers execution (e.g., WMI, native APIs), persistence and privilege escalation avenues, discovery and lateral movement through network and share enumeration, defense evasion (packing, reflective loading), automated collection, and impact activities such as service stoppage, shadow copy deletion, and data encryption. Mark Tsipershtein of the Cybereason Security Research Team authored the analysis and the company provides these findings to help defenders harden environments against Beast and similar RaaS operations. Read more: https://www.cybereason.com/blog/threat-analysis-beast-ransomware