Keypoints
- Primarily targets small-to-medium businesses across multiple industries, emphasizing targets with weaker patching and security practices.
- Gains initial access via RDP/SMB brute-force attacks and by exploiting known public vulnerabilities, including EternalBlue (CVE-2017-0144), Zerologon (CVE-2020-1472), FortiOS SSL-VPN (CVE-2022-42475), and Veeam Backup & Replication (CVE-2023-27532).
- Uses custom and adapted ransomware strains (ScRansom, Spacecolon) with features like partial encryption modes and an “ERASE” destructive mode that can permanently destroy files.
- Leverages publicly available PoCs and leaked builders (including the LockBit builder) plus a variety of third-party tools and scripts to craft and deploy payloads.
- Escalates privileges and moves laterally using the AD noPac vulnerabilities (CVE-2021-42278/CVE-2021-42287) and Zerologon (CVE-2020-1472), and establishes persistence by creating attacker-controlled local administrator accounts.
- Mimics LockBit’s ransom-note and leak-site style, registered lookalike domains (e.g., lockbitblog[.]info), and operated a LockBit-style dedicated leak site (DLS) named “NONAME” to pressure victims.
- Likely affiliated with the RansomHub RaaS, and uses the encrypted Tox-based messenger qTox for victim communication and negotiation.
MITRE Techniques
- [T1595.002] Active Scanning: Vulnerability Scanning – scans targets for exploitable vulnerabilities. (‘CosmicBeetle scans its targets for a list of vulnerabilities it can exploit.’)
- [T1590.005] Gather Victim Network Information: IP Addresses – scans the internet for vulnerable IP addresses. (‘CosmicBeetle scans the internet for IP addresses vulnerable to the vulnerabilities it can exploit.’)
- [T1583.001] Acquire Infrastructure: Domains – registers domains for leak sites and impersonation. (‘CosmicBeetle registered its own leak site domain.’)
- [T1587.001] Develop Capabilities: Malware – develops custom toolsets such as Spacecolon. (‘CosmicBeetle develops its custom toolset, Spacecolon.’)
- [T1588.002] Obtain Capabilities: Tool – uses a variety of third‑party tools and scripts in operations. (‘CosmicBeetle utilizes a large variety of third-party tools and scripts.’)
- [T1588.005] Obtain Capabilities: Exploits – uses publicly available PoCs for known exploits. (‘CosmicBeetle utilizes publicly available PoCs for known exploits.’)
- [T1588.001] Obtain Capabilities: Malware – leverages leaked builders and RaaS-provided ransomware (e.g., LockBit builder, RansomHub). (‘CosmicBeetle probably obtained ransomware from RansomHub and the leaked LockBit 3.0 builder.’)
- [T1190] Exploit Public-Facing Application – exploits vulnerabilities in FortiOS SSL‑VPN and other public-facing apps for initial access. (‘CosmicBeetle gains initial access by exploiting vulnerabilities in FortiOS SSL-VPN and other public-facing applications.’)
- [T1204] User Execution – relies on user-executed tools or actor-driven execution via RDP. (‘CosmicBeetle relies on user execution for some of its tools, though this is usually done by the threat actor via RDP.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – executes BAT scripts and command shell operations. (‘CosmicBeetle executes various BAT scripts and commands.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – runs PowerShell scripts and commands during operations. (‘CosmicBeetle executes various PowerShell scripts and commands.’)
- [T1136.001] Create Account: Local Account – creates attacker-controlled admin accounts for persistence. (‘CosmicBeetle often creates an attacker-controlled administrator account.’)
- [T1078] Valid Accounts – abuses obtained valid credentials for access and evasion. (‘CosmicBeetle abuses valid accounts whose credentials it successfully obtains.’)
- [T1140] Deobfuscate/Decode Files or Information – ScRansom samples carry their embedded public RSA key in encrypted form and decode it at runtime. (‘ScRansom samples protect public RSA keys by encryption.’)
- [T1110.001] Brute Force: Password Guessing – performs RDP and SMB brute-force attacks to gain credentials. (‘CosmicBeetle utilizes RDP and SMB brute-force attacks.’)
- [T1212] Exploitation for Credential Access – exploits vulnerabilities to obtain credentials. (‘CosmicBeetle exploits known vulnerabilities to obtain credentials.’)
- [T1485] Data Destruction – renders some encrypted files unrecoverable via destructive modes. (‘CosmicBeetle renders some encrypted files unrecoverable.’)
- [T1486] Data Encrypted for Impact – encrypts sensitive files on compromised systems. (‘CosmicBeetle encrypts sensitive files on compromised machines.’)
Indicators of Compromise
- [Domain] Leak-site / impersonation domains – lockbitblog[.]info (registered to mimic LockBit), NONAME DLS (LockBit-style leak site; currently inactive).
- [Malware / Tool Names] Ransomware and tool identifiers observed in campaigns – ScRansom (Delphi-based ransomware with partial encryption and ERASE mode), Spacecolon (custom toolset).
- [Communication] Encrypted messaging used for negotiation – qTox (Tox protocol) used for victim communications.
- [IP addresses / File hashes] None specified in article – no specific IP addresses or file hashes were provided in the source.
CosmicBeetle’s operational chain begins with automated reconnaissance and scanning to locate vulnerable internet-facing systems and IPs, followed by credential harvesting through RDP/SMB brute force and exploitation of public CVEs. Exploited weaknesses include EternalBlue (CVE-2017-0144), Zerologon (CVE-2020-1472), the AD noPac bugs (CVE-2021-42278/CVE-2021-42287), FortiOS SSL‑VPN (CVE-2022-42475), and Veeam Backup & Replication (CVE-2023-27532); publicly available PoCs are used to weaponize these flaws, and leaked ransomware builders supply payloads.
After initial access, the actors use PowerShell and BAT scripts, third‑party tools, and RaaS-provided or custom binaries (Spacecolon, ScRansom) to escalate privileges, create local administrator accounts, move laterally, and deploy ransomware. ScRansom supports configurable partial encryption and an ERASE mode that permanently destroys files rather than encrypting them; its samples also keep the embedded public RSA key in encrypted form and decode it only at runtime (the T1140 mapping above). The group has used the leaked LockBit 3.0 builder and mimicry of LockBit’s ransom notes and leak-site infrastructure (including lockbitblog[.]info and the NONAME DLS) to amplify coercive pressure on victims.
Persistence and impact techniques observed include creating attacker-controlled admin accounts, abusing valid credentials, and exploiting Zerologon/noPac and the Veeam flaw to compromise domain controllers and backup systems. Final-stage actions consist of widespread file encryption across local, networked, and removable storage, and targeted destruction of some files to render them unrecoverable. Communications with victims occur over an encrypted channel (qTox), and the likely affiliation with RansomHub gives the group access to an additional ransomware payload and its infrastructure.
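The initial-access and persistence steps above (RDP/SMB brute force, a successful remote logon from the same source, then creation of an attacker-controlled local administrator) leave a recognisable sequence in the Windows Security log. The following Python is an added example written for this summary, not code from the SOCRadar article or from the ESET research it draws on. It runs simple sequence detection over constructed, simplified log lines; the `<timestamp> <EventID> key=value` layout, the field names, the thresholds and the sample addresses are assumptions. In a real deployment the events arrive as XML, and 4732 carries the member's SID rather than its name, so the lookup would have to resolve SIDs first.

```python
"""Sequence detection for the CosmicBeetle initial-access / persistence chain.

Added example (not code from the source article). Windows Security event IDs used:
  4625 failed logon, 4624 successful logon (LogonType 10 = RDP, 3 = network/SMB),
  4720 local user account created, 4732 member added to a security-enabled local group.
The "<ISO timestamp> <EventID> key=value ..." layout is an assumed, simplified
rendering of those events; the sample lines at the bottom are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_THRESHOLD = 5                  # failed logons from one source IP ...
BRUTE_WINDOW = timedelta(minutes=2)  # ... within this sliding window
ADMINS_RID = "-544"                  # BUILTIN\Administrators is S-1-5-32-544
REMOTE_LOGON_TYPES = {"3", "10"}     # SMB (network) and RDP (RemoteInteractive)


def parse_line(line):
    """Split one log line into (timestamp, event id, field dict)."""
    ts, eid, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), int(eid), fields


def analyze(lines):
    """Return alert strings for the chain observed in `lines`.

    Stage 1: >= BRUTE_THRESHOLD remote 4625 events from one IP inside BRUTE_WINDOW.
    Stage 2: a remote 4624 logon from an IP that already crossed the threshold.
    Stage 3: 4720 (new local account) followed by 4732 adding it to Administrators.
    """
    alerts = []
    failures = defaultdict(deque)   # src IP -> timestamps of recent 4625 events
    brute_ips = set()               # IPs that crossed the brute-force threshold
    created = {}                    # new account -> account that created it

    for line in lines:
        ts, eid, ev = parse_line(line)
        if eid == 4625 and ev.get("LogonType") in REMOTE_LOGON_TYPES:
            q = failures[ev["SrcIP"]]
            q.append(ts)
            while ts - q[0] > BRUTE_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD and ev["SrcIP"] not in brute_ips:
                brute_ips.add(ev["SrcIP"])
                alerts.append(f"brute-force: {len(q)} failed logons from {ev['SrcIP']} "
                              f"within {int(BRUTE_WINDOW.total_seconds())}s")
        elif (eid == 4624 and ev.get("LogonType") in REMOTE_LOGON_TYPES
              and ev["SrcIP"] in brute_ips):
            alerts.append(f"brute-force success: logon type {ev['LogonType']} "
                          f"as {ev['User']} from {ev['SrcIP']}")
        elif eid == 4720:
            created[ev["NewUser"]] = ev["Subject"]
            alerts.append(f"new local account {ev['NewUser']} created by {ev['Subject']}")
        elif (eid == 4732 and ev["GroupSID"].endswith(ADMINS_RID)
              and ev["Member"] in created):
            alerts.append(f"persistence: {ev['Member']} (created by {created[ev['Member']]}) "
                          f"added to BUILTIN\\Administrators by {ev['Subject']}")
    return alerts


# Constructed sample: five RDP password guesses from one address, a successful RDP
# logon from the same address, then a new account that is immediately made a local admin.
SAMPLE_LOG = [
    "2024-05-02T09:00:01 4625 SrcIP=203.0.113.7 User=Administrator LogonType=10",
    "2024-05-02T09:00:04 4625 SrcIP=203.0.113.7 User=Administrator LogonType=10",
    "2024-05-02T09:00:09 4625 SrcIP=203.0.113.7 User=admin LogonType=10",
    "2024-05-02T09:00:15 4625 SrcIP=203.0.113.7 User=backup LogonType=10",
    "2024-05-02T09:00:22 4625 SrcIP=203.0.113.7 User=backupadm LogonType=10",
    "2024-05-02T09:00:40 4624 SrcIP=203.0.113.7 User=backupadm LogonType=10",
    "2024-05-02T09:03:12 4720 Subject=backupadm NewUser=sysadm1",
    "2024-05-02T09:03:15 4732 Subject=backupadm Member=sysadm1 GroupSID=S-1-5-32-544",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The brute-force stage deliberately keys on the source IP rather than the target user, because the actor rotates usernames across the same session; the persistence stage only fires for accounts whose 4720 was seen in the same log, which keeps routine group changes to pre-existing accounts out of the alert stream. Tune BRUTE_THRESHOLD and BRUTE_WINDOW to the environment's lockout policy before relying on it.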
Read more: https://socradar.io/dark-web-profile-cosmicbeetle-noname-ransomware/