Amateurish CosmicBeetle Ransomware Stings SMBs in Turkey

With an immature codebase and a rather chaotic encryption scheme prone to failure, the group targets small businesses with custom malware.

A cybercriminal group — or individual — known as CosmicBeetle is exploiting vulnerabilities in technologies used by small businesses in Turkey, as well as Spain, India, and South Africa. The goal is to install ransomware that — unfortunately for victims — sometimes has glitches.
Likely based in Turkey, the ransomware attacker operates at a fairly low level of sophistication and is currently developing ransomware that demonstrates a rather chaotic encryption scheme, according to analysis by Slovakian cybersecurity firm ESET. CosmicBeetle often deploys custom ransomware, dubbed ScRansom by ESET, that appears to be under active development with frequent updates and changes.
Because CosmicBeetle demonstrates immature skills as a malware developers, a variety of problems have affected victims of the threat actors ransomware, says Jakub Souček, a senior malware researcher at ESET, who analyzed CosmicBeetle. In one case, ESET worked with a victim organization and found that the encryption routines executed multiple times on some of the infected machines, resulting in some data recovery failing.
Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay, the report stated.
But for CosmicBeetle, while we were able to verify that the decryptor — in its most recent state — works from the technical point of view, a lot of factors still come to play, and the more you need [for decryption] from the threat actor, the more unsure the situation, he says. The fact that the ScRansom ransomware is still changing quite rapidly doesnt help.
The relative immaturity of the CosmicBeetle threat actor has led the group to embark on two interesting strategies,
according to the ESET report
. First, the group has attempted to imply connections with the infamous LockBit cybercriminal group as a way to, ironically, inspire trust in their ability to help victims recover their data. Second, the group has also joined the
RansomHub affiliate program
, and now often installs that ransomware rather than its own custom malware.
To kick off its compromises, the CosmicBeetle group scans for and attempts to exploit a variety of older vulnerabilities in software typically used by small and midsize businesses, such as issues in Veeam Backup & Replication (
CVE-2023-27532
), which can allow unauthenticated attackers to access the backup infrastructure, or two privilege escalation vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), which together allow a user to
effectively become a domain admin.
The group is likely not specifically targeting SMBs, but because of the software it targets for exploitation, smaller businesses make up the majority of its victims, Souček says.
CosmicBeetle abuses quite old known vulnerabilities, which we expect more likely to be patched in larger companies with better patch management in place, he says, adding: Victims outside of the EU and US, especially SMBs, are typically the result of immature, non-seasoned ransomware gangs going for the low-hanging fruit.
The targets include companies in the manufacturing, pharmaceuticals, legal, education, and healthcare industries, among others, according to
ESETs report published on September 10
.
SMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software and to not have robust patch management processes in place, the report stated.
Turkey accounts for the most victimized organizations, but a significant number also come from Spain, India, South Africa, and a handful of other countries, according to data collected by ESET from the CosmicBeetle leak site.
While one firm has connected the threat actor to an actual person — a Turkish software developer — ESET cast doubt on the connection. Yet, with Turkey accounting for a larger share of infections, the group is probably from the nation or the region, Souček acknowledges.
We could speculate that CosmicBeetle has more knowledge of Turkey and feels more confident choosing their targets there, he says. As for the remaining targets, it is purely opportunistic — a combination of vulnerability of the target and it being sufficiently interesting as a ransomware target.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Amateurish CosmicBeetle Ransomware Stings SMBs in Turkey