Ransomware, Threat Intelligence
Spacecolon toolset spreads ransomware worldwide by CosmicBeetle group

Ransomware operators are targeting businesses in a number of industries with the Spacecolon malware, according to ESET researchers. (Adobe Stock Images)
The ransomware operator CosmicBeetle was observed leveraging the Spacecolon toolset to distribute Scarab ransomware all over the world.

In a blog post Aug. 22, ESET researchers said they tracked the origins of Spacecolon back to at least May 2020 and continue to see new campaigns, with the latest build compiled in May of this year. The Scarab ransomware itself dates back to June 2017.

While the researchers have not found any single pattern in the threat actor’s targeting, ESET observed Spacecolon at the following sites: a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.

“Ransomware groups previously focused on specific geographies or sectors, capitalizing on regional vulnerabilities,” said Ani Chaudhuri, chief executive officer at Dasera. “CosmicBeetle's widespread range, affecting entities from hospitals in Thailand to schools in Mexico, signals a shift to a more opportunistic approach, where everyone is potentially a target. Given the indiscriminate nature of these attacks, it’s not a matter of if, but when a U.S. company will fall victim.”

The ESET researchers said Spacecolon “probably” finds its way into victim organizations through its operators compromising vulnerable web servers or brute-forcing RDP [remote desktop protocol] credentials. Several Spacecolon builds contain Turkish strings, so the ESET researchers suspect a Turkish-speaking developer.

ESET’s researchers also said they observed an entirely new ransomware family being developed, with samples uploaded to VirusTotal from Turkey. They believe with high confidence that it was written by the same developer as Spacecolon, and therefore refer to it as ScRansom. This attribution is based on similar Turkish strings in the code, use of the IPWorks library, and overall GUI similarity.
ScRansom attempts to encrypt all hard, removable, and remote drives using the AES-128 algorithm with a key generated from a hardcoded string. The ESET researchers had not observed ScRansom being deployed in the wild at the time of writing and believe it is still in the development stage.

“ScRansom's discovery in the development phase indicates proactive detection by cybersecurity researchers,” said Dasera’s Chaudhuri. “However, its emergence also underlines a pivotal concern: threat actors are continually innovating, and our defenses must keep pace. While one might be quick to jump to geopolitical conclusions based on the Turkish strings in the code, it’s crucial to approach attribution with caution. Cyber mercenaries, developers for hire, and false flags are common. A Turkish-speaking developer does not necessarily imply a Turkish origin for the attacks.”