CosmicBeetle, a threat actor specializing in ransomware, has recently replaced its old ransomware, Scarab, with ScRansom, a custom-built ransomware that continues to evolve. The threat actor has been actively targeting SMBs worldwide, exploiting vulnerabilities to gain access to their systems. It has also experimented with the leaked LockBit builder, attempting to leverage LockBit's reputation by impersonating the notorious ransomware gang.

It is believed, with medium confidence, that CosmicBeetle is a new affiliate of RansomHub, a rising and relatively new ransomware-as-a-service group. CosmicBeetle has been actively targeting SMBs in Europe and Asia with its custom-developed ScRansom. While ScRansom is not particularly sophisticated, CosmicBeetle has successfully compromised several interesting targets due to their immature approach and the use of leaked LockBit tools.

ESET telemetry and code analysis strongly suggest ScRansom is a new tool developed by CosmicBeetle. Code similarities, overlapping deployments, and shared components with other CosmicBeetle tools provide compelling evidence. While previous attribution to a Turkish software developer was inaccurate, the encryption scheme used in ScHackTool is likely adapted from an open-source algorithm, which further supports the connection between ScRansom and CosmicBeetle and solidifies the attribution.
Source: GBHackers