Beast ransomware, evolved from the Monster strain, began RaaS operations in February 2025 and has publicly disclosed 16 victims across multiple regions and industries while actively distributing via SMB scanning, phishing, and Vidar-assisted campaigns. The malware uses ChaCha20-based hybrid encryption, country-based execution filtering, persistence, shadow copy deletion, process/service termination, and a Tor-based leak site to maximize damage and hinder recovery. #Beast #Monster #Vidar
Keypoints
- Beast emerged from the Monster ransomware family as a Ransomware-as-a-Service in Feb 2025 and launched a Tor data leak site in July 2025; 16 victims across the US, Europe, Asia, and Latin America were disclosed by Aug 2025.
- Main distribution methods include scanning active SMB ports to spread to shared folders, phishing (copyright warnings or fake resumes), and distribution alongside the Vidar Infostealer.
- Execution is filtered by locale via GetLocaleInfo and GetSystemDefaultUILanguage to avoid execution in specified countries (primarily former USSR/CIS and select others).
- The payload stores its encrypted configuration in the .data section and decrypts it at runtime with a ChaCha20-based routine (unless config/password strings are present); it also accepts config and password values as arguments.
- Implements persistence by copying itself to %ALLUSERPROFILE%\{GUID-like}\gugbuhan.exe and registering a Run key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Encryption uses ChaCha20 with a hybrid public-key scheme; encrypted files carry a fixed 8-byte Magic value and 0xA0 bytes of metadata, receive GUID-like extensions derived from SHA-512, and large ZIP archives are handled with header overwriting and block encryption.
- Tactics to prevent recovery include deleting ShadowCopy via WMI/COM, terminating many database/backup/AV/office processes and services, and exposing a debug GUI for manual control by operators/partners.
MITRE Techniques
- [T1083] File and Directory Discovery – Ransomware enumerates shared folders after scanning active SMB ports to spread across the network (“scanning the active SMB port within a breached system and attempting to spread to shared folders on the network”).
- [T1566] Phishing – Distribution via emails disguised as copyright warnings or fake resumes, sometimes accompanied by Vidar Infostealer (“Phishing emails are disguised as copyright infringement warnings or fake resumes, and are sometimes distributed with Vidar Infostealer”).
- [T1490] Inhibit System Recovery – Deletes ShadowCopy using WMI COM interfaces to remove recovery points (“SELECT * FROM Win32_ShadowCopy” and use of DeleteInstance()).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Registers a Run key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to maintain persistence (“Run Key … HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”).
- [T1105] Ingress Tool Transfer – Use of Vidar Infostealer alongside phishing suggests secondary payload/tool delivery and credential/data theft to facilitate further intrusion (“sometimes distributed with Vidar Infostealer”).
- [T1486] Data Encrypted for Impact – Uses ChaCha20 hybrid encryption, inserts 0xA0 metadata and Magic value, changes file extension and overwrites headers to render recovery infeasible (“encrypted file has a Magic value … encrypted file … is 0xA0 larger … block encryption and header overwriting techniques”).
- [T1609] Containerization or Environment Awareness – Filters execution by system locale using GetLocaleInfo and GetSystemDefaultUILanguage to avoid certain countries (“the ransomware filters the target country … if the country is not on the list … the ransomware does not perform any malicious behaviors and terminates immediately”).
- [T1053/T1489] Process and Service Discovery/Termination – Identifies and terminates database, backup, antivirus, office, and email processes/services to maximize encryption success (“ransomware terminates processes and services … agntsvc.exe … sqlservr.exe … vss … VeeamTransportSvc”).
- [T1106] Native API – Uses Windows API and COM interfaces (CoCreateInstance, IWbemLocator, IWbemServices, ExecQuery, DeleteInstance) to perform WMI queries and delete ShadowCopy (“called CoCreateInstance() based on the CLSID of IWbemLocator and IWbemContext … ExecQuery() … DeleteInstance()”).
Indicators of Compromise
- [File Hash] example malicious MD5 samples – 059ac4569026c1b74e541d98b6240574, 11395b5231b765348d210660ea1f68e1 (and 3 more hashes).
- [File Name / Path] persistence and payload – %ALLUSERPROFILE%\{GUID-like string}\gugbuhan.exe (self-replication path); MoveFile is used to rename encrypted files in the {Original}.{GUID-like}.{Extension} format.
- [Domain / URL] tracking/secondary infrastructure – https[:]//iplogger[.]co/1v1i85[.]torrent (observed URL associated with distribution or tracking).
- [Registry] persistence location – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (used for Run key registration to maintain persistence).
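The following is an added hunting helper written for this summary, not code from the AhnLab report, that turns the persistence path, the Win32_ShadowCopy deletion and the {Original}.{GUID-like}.{Extension} rename described above into checks over telemetry records. The 8-4-4-4-12 shape assumed for the "GUID-like" strings, the record layout and the sample events are all constructed for the example.

```python
import re
from typing import Optional

# 8-4-4-4-12 hex groups, optionally braced. The report only calls the extension and the
# drop folder "GUID-like" (the extension is derived from SHA-512), so this shape is assumed.
GUID_LIKE = r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"
# Post-encryption rename: {Original}.{GUID-like}.{Extension}
RENAMED_RE = re.compile(rf"^(?P<orig>.+)\.(?P<guid>{GUID_LIKE})\.(?P<ext>[^.\\/]+)$")
# Self-copy path. The report writes %ALLUSERPROFILE%; the Windows variable is
# %ALLUSERSPROFILE%, which normally expands to C:\ProgramData, so both spellings are accepted.
DROPPER_RE = re.compile(
    rf"(?:%ALLUSERS?PROFILE%|[A-Za-z]:\\ProgramData)\\{GUID_LIKE}\\gugbuhan\.exe$", re.I)
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
METADATA_LEN = 0xA0  # encrypted output is exactly this much larger than the input

def classify_filename(name: str) -> Optional[dict]:
    """Return the name parts when a file follows the Beast rename pattern, else None."""
    m = RENAMED_RE.match(name)
    return m.groupdict() if m else None

def size_delta_matches(original_size: int, encrypted_size: int) -> bool:
    """True when the growth equals the 0xA0 metadata block the report describes."""
    return encrypted_size - original_size == METADATA_LEN

def scan_events(events) -> list:
    """Flag telemetry records (dicts with 'type' and 'data') matching the report's TTPs."""
    hits = []
    for ev in events:
        kind, d = ev["type"], ev["data"]
        if kind == "registry_set" and d.get("key", "").upper() == RUN_KEY.upper() \
                and DROPPER_RE.search(d.get("value", "")):
            hits.append("run-key persistence: " + d["value"])
        elif kind == "wmi_query" and "Win32_ShadowCopy" in d.get("query", "") \
                and d.get("method") == "DeleteInstance":
            hits.append("shadow copy deletion via WMI DeleteInstance")
        elif kind == "file_rename" and classify_filename(d.get("new_name", "")):
            hits.append("ransomware-style rename: " + d["new_name"])
    return hits

# Constructed telemetry for a stand-alone run; none of it comes from the report.
SAMPLE_EVENTS = [
    {"type": "registry_set", "data": {"key": RUN_KEY,
     "value": r"C:\ProgramData\{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}\gugbuhan.exe"}},
    {"type": "wmi_query", "data": {"query": "SELECT * FROM Win32_ShadowCopy",
                                   "method": "DeleteInstance"}},
    {"type": "file_rename", "data": {"new_name": "budget.{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}.xlsx"}},
    {"type": "registry_set", "data": {"key": RUN_KEY, "value": r"C:\Program Files\Vendor\updater.exe"}},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the first three records and leaves the benign Run entry alone; `size_delta_matches` can be applied to before/after file sizes from backup or EDR inventories to corroborate a rename hit.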
Read more: https://asec.ahnlab.com/en/90792/