Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.
The Beast Ransomware group has been active since 2022. Recently, a Beast Ransomware partnership program and new capabilities were promoted on the underground forums in June. The group has updated and created various versions to meet the market demand.
Invitation to cooperate in Russian, English and Chinese languages.
Previous versions of the Beast Ransomware, also known as Monster, were developed using the Delphi programming language and offered as a Ransomware-as-a-Service (RaaS) platform.
First Appearance Of Beast Ransomware On The Russian Anonymous Marketplace
The current known Windows versions of Beast demonstrate the following capabilities:
Beast Windows Binary
New Beast Offline Builder
The Beast Linux version has the following capabilities (controllable via command line argument):
The VMWare ESXi version also has the following additional options:
Linux & ESXi Version Parameters
Like most ransomware, the initial compromise often occurs through various infection vectors, such as phishing emails, or compromised remote desktop protocol (RDP) endpoints.
To prevent multiple instances of Beast running simultaneously on the same system, it creates a unique mutex with the string “BEAST HERE?”. This ensures efficient execution and enables the attacker to maintain control over the ransomware’s behavior on the infected system.
Beast Creates A Mutex Object With BEAST HERE? String
The latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova. This is achieved through code that checks the system's default language settings, country code, and retrieves the target's IP address.
If the ransomware detects that the device is in a CIS country, it halts encryption activities. This strategic exclusion is likely a tactic to avoid drawing attention or repercussions from authorities in those regions.
Checking Victim IP & Location By Connecting To iplogger.co
Beast performs SMB scans to automatically search for and infect vulnerable computers on nearby networks. This self-propagation mechanism can quickly spread the payload without requiring any human intervention.
Beast SMB Scanning
RstrtMgr.dll, the Restart Manager, is a critical system component that safeguards open and unsaved files during system reboots. It acts as a gatekeeper, prompting users to save their work before shutting down to prevent data loss. Beast Ransomware exploits this DLL in a malicious way.
Before encrypting a file, the ransomware stops services and processes in order to unlock and safely close open files.
The list of services targeted by Beast Ransomware is as following:
List of services targeted by Beast Ransomware |
||||
---|---|---|---|---|
AcronisAgent |
BackupExecDiveciMediaService |
CAARCUpdateSvc |
GxBlr |
Intuit.QuickBooks.FCS |
AcrSch2Svc |
BackupExecJobEngine |
CASAD2DWebSvc |
GxClMgr |
Memtas |
Backup |
BackupExecManagementService |
ccEvtMgr |
GxCVD |
Mepocs |
BackupExecAgentAccelerator |
BackupExecRPCService |
ccSetMgr |
GxFWD |
Msexchange |
BackupExecAgentBrowser |
BackupExecVSSProvider |
DefWatch |
GxVss |
PDVFSService |
VeeamDeploymentService |
VeeamNFSSvc |
VeeamTransportSvc |
VSNAPVSS |
Vss |
YooBackup |
YooIT |
Zhudongfangyu |
MSSQLFDLauncher |
MSSQLSERVER |
SQLTELEMETRY |
MsDtsServer130 |
SSISTELEMETRY130 |
SQLWriter |
MSSQL$VEEAMSQL2012 |
SQLAgent |
MSSQLSERVERADHelper100 |
MSSQLServerOLAPService |
MsDtsServer100 |
ReportServer |
MSSQL$PROGID |
MSSQL$WOLTERSKLUWER |
SQLAgent$PROGID |
SQLAgent$WOLTERSKLUWER |
MSSQLFDLauncher$OPTIMA |
ReportServer$OPTIMA |
msftesql$SQLEXPRESS |
Postgresql-x64-9.4 |
SavRoam |
Wscsvc |
SQLTELEMETRY$HL |
MSSQL$OPTIMA |
SQLSERVERAGENT |
SQLAgent$VEEAMSQL2012 |
SQLAgent$OPTIMA |
Veeam |
Wuauserv |
SQLBrowser |
MSSQL |
TMBMServer |
When Shadow Copy delete process is initiated by Beast Ransomware, it calls the IWbemServices::ExecQuery(“WQL”, ”Select * FROM Win32_ShadowCopy”)WQL query to get the IEnumWbemClassObject object for querying shadow copies and IWbemServices::DeleteInstance(“\\MachineName\ROOT\CIMV2:Win32_ShadowCopy.ID=”{Shadow Copy ID}””) to delete them.
Beast Querying Shadow Copies
Beast Deleting Shadow Copies
Ransomware often employs multithreading to accelerate file encryption.
This technique involves the parent thread identifying and sending files for encryption to child threads.
The child threads then work concurrently, each encrypting a different file, significantly speeding up the overall encryption process. This approach leverages the system's hardware capabilities to encrypt files more efficiently.
Beast Ransomware Threads (demonstrating multithreading usage)
Beast uses powerful encryption methods to lock down files on all connected devices in a network. It targets a variety of file formats, such as documents, pictures, videos, and databases.
Once files are encrypted, victims can't access them unless they have the decryption key, which is controlled by the attackers.
PDF File Encryption Process Example
Encrypted Files
The ransom note thread extracts and decodes the embedded ransom note, which was specified in the malware's settings. This note is then saved as a "README.txt" file in every directory that isn't explicitly excluded from encryption.
Creation Of The Ransom Note README.txt
Ransom Note
In order to see Beast Ransomware GUI during the encryption process, it is needed to press and hold ALT+CTRL and type 666:
Beast Ransomware GUI
Cybereason shared a list of indicators of compromise related to this research :
IOC |
IOC type |
Description |
iplogger[.]co/1v1i85[.]torrent |
Domain Name |
Geofencing IP query |
4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf |
SHA-256 |
Beast Windows Encryptor |
369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b |
SHA-256 |
Beast Windows Encryptor |
e01f5c7067dc984dceb883b10444b1a5b0f22ebd500baf9d9a88207f5033285d |
SHA-256 |
Beast Windows Encryptor |
dd09a2ef31d018fd83f186e3eaaccccdaa8a8c8779ced668abb06dc934d89a2d |
SHA-256 |
Beast Windows Encryptor |
dbbe792e6c804518909f8990a836552573522d126547429d6cd3fcb1f60d542c |
SHA-256 |
Beast Windows Encryptor |
Tactic |
Techniques / Sub-Techniques |
---|---|
TA0002: Execution |
T1047 – Windows Management Instrumentation |
TA0002: Execution |
T1106 - Native API |
TA0003: Persistence |
T1543.003 – Create or Modify System Process: Windows Service |
TA0007: Discovery |
T1083 - File and Directory Discovery |
TA0004: Privilege Escalation |
T1078.001 – Valid Accounts: Default Accounts |
TA0004: Privilege Escalation |
T1078.002 – Valid Accounts: Domain Accounts |
TA0007: Discovery |
T1135 - Network Share Discovery |
TA0007: Discovery |
T1016 - System Network Configuration Discovery |
TA0005: Defense Evasion |
T1406.002 – Obfuscated Files or Information: Software Packing |
TA0005: Defense Evasion |
T1620 - Reflective Code Loading |
TA0008: Lateral Movement |
T1021.002 - Remote Service: SMB/Windows Admin Shares |
TA0009: Collection |
T1119 – Automated Collection |
TA0040: Impact |
T1486 - Data Encrypted for Impact |
TA0040: Impact |
T1489 – Service Stop |
TA0040: Impact |
T1490 – Inhibit System Recovery |
https://cyberint.com/blog/research/the-nature-of-the-beast-ransomware/
Mark Tsipershtein, Security Researcher at Cybereason
Mark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.
Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle as well as Cybereason SDR, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.