THREAT ANALYSIS: Beast Ransomware

Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.

KEY POINTS

  • Expanding Marketplace: The Beast Ransomware group provides various tools with constant version updates, made to appeal to wider audiences across the underground cybercrime ecosystem.
  • Binary Customizations: The Beast RaaS platform offers affiliates numerous options for building ransomware binaries that target Windows, Linux, and ESXi systems, enabling tailored configurations to suit different operational requirements.
  • Detection And Prevention: The Cybereason Defense Platform employs advanced Anti-Ransomware and Anti-Malware features, designed to detect and block ransomware payloads like Beast before they can execute.

INTRODUCTION

The Beast Ransomware group has been active since 2022. Recently, in June, a Beast Ransomware partnership program and new capabilities were promoted on underground forums. The group has updated and created various versions to meet market demand.

[Figure: Invitation to cooperate in Russian, English and Chinese languages]

Previous versions of the Beast Ransomware, also known as Monster, were developed using the Delphi programming language and offered as a Ransomware-as-a-Service (RaaS) platform.

[Figure: First Appearance Of Beast Ransomware On The Russian Anonymous Marketplace]

TECHNICAL ANALYSIS

Beast Operating System Support – Windows 

The current known Windows versions of Beast demonstrate the following capabilities:

  • Combined elliptic-curve and ChaCha20 encryption model
  • Written in the C programming language

[Figure: Beast Windows Binary]

  • Segmented file encryption
  • ZIP wrapper mode: files are converted on the fly to .zip archives with the ransom note inside
  • Multithreaded queue for encryption
  • Process/service termination
  • Shadow copy deletion
  • Mounting of hidden partitions
  • Subnet scanner
  • In August 2024, an offline builder was promoted with the option to configure builds for Windows, NAS, and ESXi.

[Figure: New Beast Offline Builder]

Beast Operating System Support – Linux And ESXi

The Beast Linux version has the following capabilities (controllable via command line argument):

  • Selectable path for encryption
  • Enable/disable certain functionality
  • Ransom note generation from external file
  • Daemon mode
  • Written in C and Go programming languages

The VMware ESXi version also has the following additional options:

  • Option to shut down a VM and encrypt the machine's files
  • Option to exclude specific VMs by vmid

[Figure: Linux & ESXi Version Parameters]

Binary Analysis - BEAST HERE?

Like most ransomware, the initial compromise often occurs through various infection vectors, such as phishing emails or compromised Remote Desktop Protocol (RDP) endpoints.

To prevent multiple instances of Beast from running simultaneously on the same system, it creates a unique mutex with the string "BEAST HERE?". This ensures that only one copy executes and lets the attacker maintain control over the ransomware's behavior on the infected system.

[Figure: Beast Creates A Mutex Object With BEAST HERE? String]

The latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova. This is achieved through code that checks the system's default language settings and country code and retrieves the target's IP address.

If the ransomware detects that the device is in a CIS country, it halts encryption activities. This strategic exclusion is likely a tactic to avoid drawing attention or repercussions from authorities in those regions.

[Figure: Checking Victim IP & Location By Connecting To iplogger.co]

Beast performs SMB scans to automatically search for and infect vulnerable computers on nearby networks. This self-propagation mechanism can quickly spread the payload without requiring any human intervention.

[Figure: Beast SMB Scanning]

Load Of RstrtMgr DLL (Restart Manager)

RstrtMgr.dll, the Restart Manager, is a critical system component that safeguards open and unsaved files during system reboots. It acts as a gatekeeper, prompting users to save their work before shutting down to prevent data loss; to do so it can enumerate which processes and services hold a given file open and shut them down. Beast Ransomware abuses this DLL for its own ends.

Before encrypting a file, the ransomware stops the services and processes holding it open in order to unlock the file and close it cleanly.


The list of services targeted by Beast Ransomware is as follows:

  • AcronisAgent, BackupExecDiveciMediaService, CAARCUpdateSvc, GxBlr, Intuit.QuickBooks.FCS
  • AcrSch2Svc, BackupExecJobEngine, CASAD2DWebSvc, GxClMgr, Memtas
  • Backup, BackupExecManagementService, ccEvtMgr, GxCVD, Mepocs
  • BackupExecAgentAccelerator, BackupExecRPCService, ccSetMgr, GxFWD, Msexchange
  • BackupExecAgentBrowser, BackupExecVSSProvider, DefWatch, GxVss, PDVFSService
  • VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc, VSNAPVSS, Vss
  • YooBackup, YooIT, Zhudongfangyu, MSSQLFDLauncher, MSSQLSERVER
  • SQLTELEMETRY, MsDtsServer130, SSISTELEMETRY130, SQLWriter, MSSQL$VEEAMSQL2012
  • SQLAgent, MSSQLSERVERADHelper100, MSSQLServerOLAPService, MsDtsServer100, ReportServer
  • MSSQL$PROGID, MSSQL$WOLTERSKLUWER, SQLAgent$PROGID, SQLAgent$WOLTERSKLUWER, MSSQLFDLauncher$OPTIMA
  • ReportServer$OPTIMA, msftesql$SQLEXPRESS, Postgresql-x64-9.4, SavRoam, Wscsvc
  • SQLTELEMETRY$HL, MSSQL$OPTIMA, SQLSERVERAGENT, SQLAgent$VEEAMSQL2012, SQLAgent$OPTIMA
  • Veeam, Wuauserv, SQLBrowser, MSSQL, TMBMServer

Shadow Copy Delete

When the shadow copy deletion process is initiated by Beast Ransomware, it calls IWbemServices::ExecQuery with the WQL query "SELECT * FROM Win32_ShadowCopy" to obtain an IEnumWbemClassObject for enumerating the shadow copies, and then IWbemServices::DeleteInstance("\\MachineName\ROOT\CIMV2:Win32_ShadowCopy.ID="{Shadow Copy ID}"") to delete each one.

[Figure: Beast Querying Shadow Copies]

[Figure: Beast Deleting Shadow Copies]
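Detection logic for the two Impact behaviours this report describes, the burst of stops against the backup and database services listed above and the WMI-based shadow copy enumeration and deletion, as an added example that is not part of Cybereason's analysis or platform. It runs over a constructed, hypothetical pipe-delimited telemetry format; the service subset, the sample lines, the correlation window and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the service names listed above; a production rule would load the full list.
BEAST_SERVICES = {"AcronisAgent", "BackupExecJobEngine", "VeeamTransportSvc", "VSNAPVSS",
                  "Vss", "MSSQLSERVER", "SQLWriter", "SQLBrowser", "Wuauserv"}
# The two WMI calls the report attributes to Beast's shadow copy removal.
SHADOWCOPY_WMI = re.compile(r"IWbemServices::(ExecQuery|DeleteInstance).*Win32_ShadowCopy", re.I)
WINDOW_SECONDS, MIN_SERVICES = 120, 3  # burst window (s); distinct targeted services per window

def parse(line):
    # Constructed telemetry format (hypothetical): "<ISO time>|<host>|<kind>|<detail>"
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def service_burst(events):
    # Largest set of distinct targeted services stopped within one window; empty if below threshold.
    ev, best = sorted(events), set()
    for i, (t0, _) in enumerate(ev):
        inwin = {s for t, s in ev[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
        best = inwin if len(inwin) > len(best) else best
    return best if len(best) >= MIN_SERVICES else set()

def detect(lines):
    # Returns {host: {"severity", "services", "shadowcopy_ops"}} for hosts showing Beast-like impact behaviour.
    stops, wmi = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        if kind == "service_stop" and detail in BEAST_SERVICES:
            stops[host].append((ts, detail))
        elif kind == "wmi_op" and SHADOWCOPY_WMI.search(detail):
            wmi[host].append(detail)
    findings = {}
    for host in set(stops) | set(wmi):
        burst = service_burst(stops[host])
        if not burst and not wmi[host]:
            continue  # a lone stop of one listed service is routine admin activity
        severity = "high" if burst and wmi[host] else "medium"
        findings[host] = {"severity": severity, "services": sorted(burst), "shadowcopy_ops": len(wmi[host])}
    return findings

# Constructed sample telemetry: SRV1 shows both behaviours, WS7 only a routine single service stop.
SAMPLE = [
    "2024-08-12T10:00:01|SRV1|service_stop|VeeamTransportSvc",
    "2024-08-12T10:00:03|SRV1|service_stop|AcronisAgent",
    "2024-08-12T10:00:04|SRV1|service_stop|MSSQLSERVER",
    "2024-08-12T10:00:09|SRV1|wmi_op|IWbemServices::ExecQuery ROOT\\CIMV2 : Select * FROM Win32_ShadowCopy",
    "2024-08-12T10:00:10|SRV1|wmi_op|IWbemServices::DeleteInstance ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{constructed-id}\"",
    "2024-08-12T11:30:00|WS7|service_stop|Wuauserv",
]
```

Because Beast removes shadow copies through WMI rather than vssadmin.exe, a rule keyed only on process command lines misses it; the WMI operation string is the signal to collect.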

File Encryption

Ransomware often employs multithreading to accelerate file encryption.

In this technique the parent thread identifies files and hands them to child threads for encryption.

The child threads then work concurrently, each encrypting a different file, which significantly speeds up the overall encryption process. This approach leverages the system's hardware capabilities to encrypt files more efficiently.

[Figure: Beast Ransomware Threads (demonstrating multithreading usage)]

Beast uses strong encryption to lock down files on all connected devices in a network. It targets a variety of file formats, such as documents, pictures, videos, and databases.

Once files are encrypted, victims can't access them unless they have the decryption key, which is controlled by the attackers.

[Figure: PDF File Encryption Process Example]

[Figure: Encrypted Files]

The ransom note thread extracts and decodes the embedded ransom note, which was specified in the malware's settings. This note is then saved as a "README.txt" file in every directory that isn't explicitly excluded from encryption.

[Figure: Creation Of The Ransom Note README.txt]

[Figure: Ransom Note]

To display the Beast Ransomware GUI during the encryption process, press and hold ALT+CTRL and type 666:

[Figure: Beast Ransomware GUI]

Indicators of Compromise - IOCs

Cybereason shared a list of indicators of compromise related to this research:

IOC | IOC type | Description
iplogger[.]co/1v1i85[.]torrent | Domain Name | Geofencing IP query
4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf | SHA-256 | Beast Windows Encryptor
369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b | SHA-256 | Beast Windows Encryptor
e01f5c7067dc984dceb883b10444b1a5b0f22ebd500baf9d9a88207f5033285d | SHA-256 | Beast Windows Encryptor
dd09a2ef31d018fd83f186e3eaaccccdaa8a8c8779ced668abb06dc934d89a2d | SHA-256 | Beast Windows Encryptor
dbbe792e6c804518909f8990a836552573522d126547429d6cd3fcb1f60d542c | SHA-256 | Beast Windows Encryptor

Cybereason Recommendations:

  • Follow and hunt Beast affiliate activity in order to identify pre-ransomware behaviors.
  • Promote cybersecurity best practices such as multifactor authentication and patch management.
  • For Cybereason customers on the Cybereason Defense Platform:
    • Enable Anti-Malware and set the Anti-Malware > Signatures mode to Prevent, Quarantine, or Disinfect.
    • Enable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode, and enable shadow copy protection.
    • Enable Application Control.
    • Keep systems fully patched: make sure your systems are patched in order to mitigate vulnerabilities.
    • Regularly back up files and create a backup process and policy: restoring your files from a backup is the fastest way to regain access to your data.
    • Enable Variant Payload Prevention in Prevent mode under Cybereason Behavioral Execution Prevention.

MITRE ATT&CK MAPPING

Tactic | Techniques / Sub-Techniques
TA0002: Execution | T1047 - Windows Management Instrumentation
TA0002: Execution | T1106 - Native API
TA0003: Persistence | T1543.003 - Create or Modify System Process: Windows Service
TA0007: Discovery | T1083 - File and Directory Discovery
TA0004: Privilege Escalation | T1078.001 - Valid Accounts: Default Accounts
TA0004: Privilege Escalation | T1078.002 - Valid Accounts: Domain Accounts
TA0007: Discovery | T1135 - Network Share Discovery
TA0007: Discovery | T1016 - System Network Configuration Discovery
TA0005: Defense Evasion | T1406.002 - Obfuscated Files or Information: Software Packing
TA0005: Defense Evasion | T1620 - Reflective Code Loading
TA0008: Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares
TA0009: Collection | T1119 - Automated Collection
TA0040: Impact | T1486 - Data Encrypted for Impact
TA0040: Impact | T1489 - Service Stop
TA0040: Impact | T1490 - Inhibit System Recovery


ABOUT THE RESEARCHER

Mark Tsipershtein, Security Researcher at Cybereason

Mark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.

