Cybereason Blog | Cybersecurity News and Analysis

THREAT ANALYSIS: Beast Ransomware

Written by Cybereason Security Services Team | Oct 18, 2024 2:16:35 PM

Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.

KEY POINTS

  • Expanding Marketplace: The Beast Ransomware group provides various tools  with constant version updates. These updates are made to appeal to wider audiences across the underground cybercrime ecosystem. 
  • Binary Customizations: The Beast RaaS platform offers affiliates numerous options for building ransomware binaries that target Windows, Linux, and ESXi systems, enabling tailored configurations to suit different operational requirements.
  • Detection And Prevention: The Cybereason Defense Platform employs advanced Anti-Ransomware and Anti-Malware features, designed to detect and block ransomware payloads like Beast before they can execute.

INTRODUCTION

The Beast Ransomware group has been active since 2022. Recently, a Beast Ransomware partnership program and new capabilities were promoted on the underground forums in June. The group has updated and created various versions to meet the market demand. 

Invitation to cooperate in Russian, English and Chinese languages.

Previous versions of the Beast Ransomware, also known as Monster, were developed using the Delphi programming language and offered as a Ransomware-as-a-Service (RaaS) platform.

First Appearance Of Beast Ransomware On The Russian Anonymous Marketplace

TECHNICAL ANALYSIS

Beast Operating System Support – Windows 

The current known Windows versions of Beast demonstrate the following capabilities:

  • Combination of Elliptic-curve and ChaCha20 encryption model  
  • Written in the C programming language

Beast Windows Binary

  • Segmented file encryption
  • ZIP wrapper mode - Files are converted on the fly to .zip with ransom note inside
  • Multithreaded queue for encryption
  • Processes/Services termination
  • Shadow copy delete
  • Mounting hidden partitions
  • Subnet scanner
  • In August 2024, offline builder was promoted with option to configure builds for Windows, NAS, ESXi.

New Beast Offline Builder

Beast Operating System Support – Linux And ESXi

The Beast Linux version has the following capabilities (controllable via command line argument):

  • Selectable path for encryption
  • Enable/disable certain functionality
  • Ransom note generation from external file
  • Daemon mode
  • Written in C and Go programming languages

The VMWare ESXi version also has the following additional options:

  • Option to shut down a VM and machine’s files encryption
  • Option to exclude some vmid

 

Linux & ESXi Version Parameters

Binary Analysis - BEAST HERE? 

Like most ransomware, the initial compromise often occurs through various infection vectors, such as phishing emails, or compromised remote desktop protocol (RDP) endpoints.

To prevent multiple instances of Beast running simultaneously on the same system, it creates a unique mutex with the string “BEAST HERE?”. This ensures efficient execution and enables the attacker to maintain control over the ransomware’s behavior on the infected system. 

Beast Creates A Mutex Object With BEAST HERE? String

The latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova. This is achieved through code that checks the system's default language settings, country code, and retrieves the target's IP address. 

If the ransomware detects that the device is in a CIS country, it halts encryption activities. This strategic exclusion is likely a tactic to avoid drawing attention or repercussions from authorities in those regions.

Checking Victim IP & Location By Connecting To iplogger.co

Beast performs SMB scans to automatically search for and infect vulnerable computers on nearby networks. This self-propagation mechanism can quickly spread the payload without requiring any human intervention.

Beast SMB Scanning

Load Of RstrtMgr DLL (Restart Manager)

RstrtMgr.dll, the Restart Manager, is a critical system component that safeguards open and unsaved files during system reboots. It acts as a gatekeeper, prompting users to save their work before shutting down to prevent data loss. Beast Ransomware exploits this DLL in a malicious way. 

Before encrypting a file, the ransomware stops services and processes in order to unlock and safely close open files. 

The list of services targeted by Beast Ransomware is as following:

 

List of services targeted by Beast Ransomware

AcronisAgent

BackupExecDiveciMediaService

CAARCUpdateSvc

GxBlr

Intuit.QuickBooks.FCS

AcrSch2Svc

BackupExecJobEngine

CASAD2DWebSvc

GxClMgr

Memtas

Backup

BackupExecManagementService

ccEvtMgr

GxCVD

Mepocs

BackupExecAgentAccelerator

BackupExecRPCService

ccSetMgr

GxFWD

Msexchange

BackupExecAgentBrowser

BackupExecVSSProvider

DefWatch

GxVss

PDVFSService

VeeamDeploymentService

VeeamNFSSvc

VeeamTransportSvc

VSNAPVSS

Vss

YooBackup

YooIT

Zhudongfangyu

MSSQLFDLauncher

MSSQLSERVER

SQLTELEMETRY

MsDtsServer130

SSISTELEMETRY130

SQLWriter

MSSQL$VEEAMSQL2012

SQLAgent

MSSQLSERVERADHelper100

MSSQLServerOLAPService

MsDtsServer100

ReportServer

MSSQL$PROGID

MSSQL$WOLTERSKLUWER

SQLAgent$PROGID

SQLAgent$WOLTERSKLUWER

MSSQLFDLauncher$OPTIMA

ReportServer$OPTIMA

msftesql$SQLEXPRESS

Postgresql-x64-9.4

SavRoam

Wscsvc

SQLTELEMETRY$HL

MSSQL$OPTIMA

SQLSERVERAGENT

SQLAgent$VEEAMSQL2012

SQLAgent$OPTIMA

Veeam

Wuauserv

SQLBrowser

MSSQL

TMBMServer

 

Shadow Copy Delete

When Shadow Copy delete process is initiated by Beast Ransomware, it calls the IWbemServices::ExecQuery(“WQL”, ”Select * FROM Win32_ShadowCopy”)WQL query to get the IEnumWbemClassObject object for querying shadow copies and IWbemServices::DeleteInstance(“\\MachineName\ROOT\CIMV2:Win32_ShadowCopy.ID=”{Shadow Copy ID}””) to delete them.

Beast Querying Shadow Copies

Beast Deleting Shadow Copies

File Encryption

Ransomware often employs multithreading to accelerate file encryption.

This technique involves the parent thread identifying and sending files for encryption to child threads. 

The child threads then work concurrently, each encrypting a different file, significantly speeding up the overall encryption process. This approach leverages the system's hardware capabilities to encrypt files more efficiently.

Beast Ransomware Threads (demonstrating multithreading usage)

Beast uses powerful encryption methods to lock down files on all connected devices in a network. It targets a variety of file formats, such as documents, pictures, videos, and databases. 

Once files are encrypted, victims can't access them unless they have the decryption key, which is controlled by the attackers.

PDF File Encryption Process Example

Encrypted Files

The ransom note thread extracts and decodes the embedded ransom note, which was specified in the malware's settings. This note is then saved as a "README.txt" file in every directory that isn't explicitly excluded from encryption.

Creation Of The Ransom Note README.txt

Ransom Note

In order to see Beast Ransomware GUI during the encryption process, it is needed to press and hold ALT+CTRL and type 666:

Beast Ransomware GUI

Indicators of Compromise - IOCs

Cybereason shared a list of indicators of compromise related to this research :

IOC

IOC type

Description

iplogger[.]co/1v1i85[.]torrent

Domain Name

Geofencing IP query 

4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf

SHA-256

Beast Windows Encryptor 

369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b

SHA-256

Beast Windows Encryptor 

e01f5c7067dc984dceb883b10444b1a5b0f22ebd500baf9d9a88207f5033285d

SHA-256

Beast Windows Encryptor 

dd09a2ef31d018fd83f186e3eaaccccdaa8a8c8779ced668abb06dc934d89a2d

SHA-256

Beast Windows Encryptor 

dbbe792e6c804518909f8990a836552573522d126547429d6cd3fcb1f60d542c

SHA-256

Beast Windows Encryptor 

 

Cybereason Recommendations:

  • Follow and hunt Beast affiliate activity in order to identify pre-ransomware behaviors. 
  • Promote cybersecurity best practices such as multifactor authentication and patch management.
  • For Cybereason customers on the Cybereason Defense Platform:
    • Enable Anti-Malware and set the Anti-Malware > Signatures mode to Prevent, Quarantine, or Disinfect.
    • Enable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode and enable shadow copy protection.
    • Enable Application Control.
    • Keep systems fully patched: Make sure your systems are patched in order to mitigate vulnerabilities.
    • Regularly backup files and create a backup process and policy : Restoring your files from a backup is the fastest way to regain access to your data.
    • Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.

MITRE ATT&CK MAPPING

Tactic

Techniques / Sub-Techniques

TA0002: Execution

T1047 – Windows Management Instrumentation

TA0002: Execution

T1106 - Native API

TA0003: Persistence

T1543.003 – Create or Modify System Process: Windows Service

TA0007: Discovery 

T1083 - File and Directory Discovery

TA0004: Privilege Escalation

T1078.001 – Valid Accounts: Default Accounts

TA0004: Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts

TA0007: Discovery 

T1135 - Network Share Discovery

TA0007: Discovery 

T1016 - System Network Configuration Discovery

TA0005: Defense Evasion

T1406.002 – Obfuscated Files or Information: Software Packing

TA0005: Defense Evasion

T1620 - Reflective Code Loading

TA0008: Lateral Movement

T1021.002 - Remote Service: SMB/Windows Admin Shares

TA0009: Collection

T1119 – Automated Collection

TA0040: Impact

T1486 - Data Encrypted for Impact

TA0040: Impact

T1489 – Service Stop

TA0040: Impact

T1490 – Inhibit System Recovery

 

References

https://blogs.blackberry.com/en/2022/09/some-kind-of-monster-raas-hides-itself-using-traits-from-other-malware

https://cyberint.com/blog/research/the-nature-of-the-beast-ransomware/

 

ABOUT THE RESEARCHER

Mark Tsipershtein, Security Researcher at Cybereason

Mark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.


Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle as well as Cybereason SDR, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.