Beast Ransomware’s Malicious Capabilities Exposed: Inside the Leaked Directory
Beast Ransomware Group’s Toolkit Exposed
A recent discovery by Team Cymru has shed light on the inner workings of the Beast Ransomware group, a notorious ransomware-as-a-service (RaaS) operation. An open directory linked to one of the group’s operators was found to be publicly accessible, revealing a treasure trove of tools and tactics used by the gang to carry out its nefarious activities.
Background on the Beast Ransomware Group
The Beast Ransomware group, believed to be a successor to the earlier Monster Ransomware group, has been active since June 2024. The gang is known for its double extortion attacks, where it not only encrypts victim data but also threatens to leak sensitive information unless a ransom is paid. The group maintains a dedicated leak site, dubbed BEAST LEAKS, where it publishes stolen data from non-compliant victims.
Exposed Toolkit
The exposed directory, analyzed by Team Cymru, provided a unique glimpse into the gang’s toolkit, which includes a range of legitimate and malicious tools used for reconnaissance, network mapping, credential gathering, lateral movement, and data exfiltration. Among the tools found were Advanced IP Scanner and Advanced Port Scanner, which are commonly used to map the networks of ransomware targets.
Lateral Movement and Data Exfiltration
The attackers leverage PsExec and OpenSSH for Windows to facilitate lateral movement, while AnyDesk, a legitimate remote monitoring and management (RMM) tool, is used to establish persistent access to infected machines. For data exfiltration, the gang employs MEGASync, a tool that automatically uploads large volumes of data to the cloud storage service Mega[.]nz. Additional data exfiltration tools, including WinSCP and Klink, were also found on the server.
Ransomware Binaries
The Beast ransomware binaries, responsible for file encryption, were identified as "encrypter-windows-cli.x86.exe" and "encrypter-linux-x64.run", indicating that the gang targets both Windows and Linux machines, as well as VMware ESXi hypervisors.
Conclusion
Team Cymru noted that many of the tools used by Beast Ransomware are not novel and can be found in the open-source Ransomware Tool Matrix knowledge base. This resource, combined with the indicators of compromise (IoCs) from Team Cymru’s investigation, can aid defenders in detecting and blocking ransomware attacks before encryption occurs.
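As an added illustration of how the tool inventory above can be turned into detection logic (this is example code written for this article, not Team Cymru's tooling or any published IoC list): the script below parses constructed process-creation log lines, matches the image basename against the tools named in the write-up, and prioritises hosts where tools from more than one stage of the intrusion chain (reconnaissance, lateral movement, RMM persistence, exfiltration) have run, or where the encryptor binary itself appears. The executable names for the third-party tools are assumed common defaults for each product; the two encryptor names are the ones reported above. The host names, user names and log lines are constructed sample data.

```python
"""Added example: correlate process-creation events against the tool names
from the Beast Ransomware toolkit write-up. Log lines, hosts and users are
constructed for illustration; they are not indicators from the report."""
import re
from collections import defaultdict

# Tool inventory keyed by the stage it served in the intrusion. Executable
# names for third-party tools are assumed defaults for each product (an
# assumption, not a value from the write-up); the encryptor names are the
# ones the write-up reports.
TOOL_CATEGORIES = {
    "advanced_ip_scanner.exe": "recon",
    "advanced_port_scanner.exe": "recon",
    "psexec.exe": "lateral_movement",
    "psexesvc.exe": "lateral_movement",
    "ssh.exe": "lateral_movement",
    "anydesk.exe": "rmm_persistence",
    "megasync.exe": "exfiltration",
    "winscp.exe": "exfiltration",
    "encrypter-windows-cli.x86.exe": "encryption",
    "encrypter-linux-x64.run": "encryption",
}

# Constructed process-creation events: "<time> host=<h> user=<u> image=<path>"
SAMPLE_EVENTS = """\
2024-09-01T10:02:11Z host=WS-014 user=CORP\\jdoe image=C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe
2024-09-01T10:15:43Z host=WS-014 user=CORP\\jdoe image=C:\\Tools\\PsExec.exe
2024-09-01T10:16:02Z host=FS-01 user=CORP\\svc_backup image=C:\\Windows\\PSEXESVC.exe
2024-09-01T11:40:19Z host=FS-01 user=CORP\\svc_backup image=C:\\Program Files\\MEGAsync\\MEGAsync.exe
2024-09-01T11:41:00Z host=WS-022 user=CORP\\asmith image=C:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-09-01T12:05:55Z host=FS-01 user=CORP\\svc_backup image=C:\\Temp\\encrypter-windows-cli.x86.exe
2024-09-01T12:06:01Z host=WS-030 user=CORP\\bjones image=C:\\Windows\\System32\\notepad.exe
"""

EVENT_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Compare on the case-folded basename so install path and casing
    # differences (PsExec.exe vs psexec.exe) do not hide a match.
    ev["basename"] = re.split(r"[\\/]", ev["image"])[-1].lower()
    return ev


def scan_events(text):
    """Return {host: {"tools": set, "categories": set}} for hosts that ran a listed tool."""
    findings = defaultdict(lambda: {"tools": set(), "categories": set()})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        category = TOOL_CATEGORIES.get(ev["basename"])
        if category is None:
            continue
        findings[ev["host"]]["tools"].add(ev["basename"])
        findings[ev["host"]]["categories"].add(category)
    return dict(findings)


def prioritise(findings, min_categories=2):
    """Flag hosts where the encryptor ran, or where tools from at least
    min_categories distinct stages of the chain were seen on the same host."""
    flagged = {}
    for host, f in findings.items():
        if "encryption" in f["categories"] or len(f["categories"]) >= min_categories:
            flagged[host] = sorted(f["categories"])
    return flagged


if __name__ == "__main__":
    for host, categories in prioritise(scan_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(categories)}")
```

Run against the sample data, the script flags WS-014 (reconnaissance followed by PsExec) and FS-01 (PsExec service, MEGASync and the encryptor), while WS-022, which only shows AnyDesk, stays below the threshold; a single RMM tool is often legitimate, so requiring a second stage on the same host is what keeps the rule from drowning analysts in false positives. The pattern generalises to any tool list, such as the Ransomware Tool Matrix mentioned above, by extending TOOL_CATEGORIES.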
The discovery of the Beast Ransomware group’s toolkit serves as a reminder of the importance of staying vigilant and proactive in the face of ever-evolving cyber threats. By understanding the tactics and techniques employed by these groups, organizations can better equip themselves to defend against ransomware attacks and protect their sensitive data.
