An open directory linked to the Beast Ransomware group exposed the ransomware-as-a-service (RaaS) gang’s toolkit and methods from reconnaissance to encryption, Team Cymru reported this week.

Beast Ransomware has been active since June 2024 and is believed to be a successor to the earlier Monster Ransomware group. The gang maintains a dedicated leak site called BEAST LEAKS and engages in double-extortion attacks.

Team Cymru discovered an open directory linked to a Beast Ransomware operator and analyzed the files to reveal the attacker’s tooling throughout an attack.

First, for reconnaissance and network mapping, the operator was found to use the legitimate tools Advanced IP Scanner and Advanced Port Scanner, which are frequently abused to map the networks of ransomware targets. A file search engine called Everything.exe was also discovered, which can help intruders locate sensitive files, along with FolderSize-x64, a tool for determining which servers hold the most data.

To gather credentials for eventual lateral movement, the group uses “gold standard” tools including Mimikatz, LaZagne and Automim to dump passwords from memory, browsers, databases and email clients, Team Cymru said. The researchers also found a file named “enable_dump_pass.reg,” which modifies the Windows Registry so that passwords are stored in cleartext in memory. A script called Kerberos.ps1 is also believed to be used by the group to perform Kerberoasting attacks.

The exposed server contained copies of PsExec and OpenSSH for Windows, both tools frequently leveraged by ransomware threat actors for lateral movement. A copy of the legitimate, but frequently abused, remote monitoring and management (RMM) tool AnyDesk was found to be used to establish persistent access to infected machines.

The Beast operator was found to use a tool called MEGASync for data exfiltration before encryption; this tool automatically uploads large volumes of data to the cloud storage service Mega[.]nz. Additional data exfiltration tools, WinSCP and Klink, were also found on the server.

To prevent file recovery, a batch script called “disable_backup.bat” is used to delete volume shadow copies and disable Windows backups, Team Cymru found. A file called “CleanExit.exe” was also found, which the researchers suspected was used to wipe logs and delete the tools used during the attack.

The Beast ransomware binaries, which perform the file encryption, were named “encrypter-windows-cli.x86.exe” and “encrypter-linux-x64.run,” confirming that the group targets both Windows machines and Linux machines or VMware ESXi hypervisors.

Team Cymru noted that many of the tools used by Beast Ransomware are not novel and can be found in the open-source Ransomware Tool Matrix knowledge base. Leveraging this resource and the IoCs from Team Cymru’s investigation can aid defenders in detecting and blocking ransomware attacks before encryption occurs.
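As an added example (not from the Team Cymru report or the SC Media article), the following Python applies Sysmon-style detection logic to constructed events for two of the behaviours described above: the registry change that enables cleartext credential caching (assumed here to be the WDigest UseLogonCredential value, since the article does not name the key) and the shadow-copy and backup deletion that a script like disable_backup.bat performs. The event IDs, field names and sample events are assumptions modelled on Sysmon's schema.

```python
import re

# Assumption: enable_dump_pass.reg sets the WDigest UseLogonCredential value,
# the registry change that makes LSASS keep cleartext credentials in memory.
WDIGEST_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
                 r"\WDigest\UseLogonCredential")

# Command lines that delete shadow copies or cripple Windows backup/recovery,
# i.e. what a wrapper script such as disable_backup.bat spawns as children.
BACKUP_KILL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
]

def classify(event):
    """Label one Sysmon-style event dict, or return None if no rule fires."""
    if event.get("EventID") == 13:  # Sysmon 13: registry value set
        target = event.get("TargetObject", "")
        hexval = re.search(r"0x([0-9a-f]+)", event.get("Details", ""), re.I)
        if target.lower() == WDIGEST_VALUE.lower() and hexval \
                and int(hexval.group(1), 16) == 1:
            return "cleartext-credential-caching-enabled"
    elif event.get("EventID") == 1:  # Sysmon 1: process creation
        cmd = event.get("CommandLine", "")
        if any(p.search(cmd) for p in BACKUP_KILL_PATTERNS):
            return "shadow-copy-or-backup-deletion"
    return None

def scan(events):
    """Return [(event index, label)] for every event that matched a rule."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]

# Constructed sample events, not real telemetry from the investigation.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r'cmd.exe /c "C:\tools\disable_backup.bat"'},
    {"EventID": 13, "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 13, "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]

if __name__ == "__main__":
    # Event 0 (the .bat wrapper) is not flagged by itself; its child commands are.
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The wrapper script's own process-creation event is deliberately not matched, which is why the rules key on the child commands rather than on the batch file name an attacker can trivially change.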
Beast Ransomware’s toolkit revealed by exposed directory