The Nature of the Beast Ransomware
Monster, a novel Ransomware-as-a-Service (RaaS) built on Delphi, surfaced in March 2022 and caught the attention of the BlackBerry Incident Response (IR) team during an incident investigation. After its initial appearance, Monster’s capabilities and its ransomware partnership program were promoted on the Russian Anonymous Marketplace (RAMP) in June.
The mastermind behind Monster ransomware later introduced an enhanced version named Beast Ransomware, incorporating advanced features. Unlike its predecessor, Beast Ransomware extends its reach beyond Windows systems, targeting Linux and ESXi operating systems as well.
Beast Ransomware Victimology
Monster Ransomware Geographical Exclusions
Similar to several ransomware strains originating or advertised in Eastern Europe, Monster avoids encrypting data on devices in specific countries. It identifies a machine’s country code through the GetLocaleW function, exempting 12 Commonwealth of Independent States (CIS) countries, including Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russian Federation, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. Outside these countries, the ransomware operator retains the ability to target any entity or location of their choice.
Beast Ransomware Malware Characteristics and Tactics
Aside from assessing the victim’s machine country code, Monster enables attackers to monitor target IP addresses and locations through the IP Logger web service. Delivered as a 32-bit binary, Monster features a concealed user interface granting threat actors control over various aspects, such as selective encryption, self-deletion, and manipulation of services and processes. The ransomware is highly adaptable, allowing threat actors to define custom extensions and craft personalized ransom notes.
The subsequent iteration, Beast Ransomware, introduces several enhancements:
- Inclusion of new command line options for precise adjustment of encryption parameters.
- Introduction of the ability to specify encryption depth in percentage terms.
- Implementation of an archiver mode that dynamically converts encrypted files to .zip format with an embedded ransom demand.
- Enhanced speed and numerous minor fixes and additions.
- Expanded functionality in the Linux version, now controllable through arguments.
- Capability to link the ransom note text from an external file in both Windows and Linux versions.
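Two of the Beast changes listed above, encryption of only a leading percentage of each file and an archiver mode that wraps encrypted data in a .zip with an embedded ransom demand, change what a defender should look for on disk: a file that is high-entropy at the start and ordinary plaintext after a sharp cliff, and archives that carry a small note alongside the encrypted payload. The following Python is an added example written for this article, not code from BlackBerry or from the ransomware itself; the chunk size, the 7.2-bit entropy threshold, the note keywords and all sample data are constructed assumptions for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Heuristic parameters (assumed values, not taken from any sample analysis).
CHUNK_SIZE = 4096          # bytes per entropy measurement
CIPHERTEXT_ENTROPY = 7.2   # bits/byte; random data measures ~7.95 at this chunk size
NOTE_KEYWORDS = ("decrypt", "encrypted", "ransom", "bitcoin")  # assumed note vocabulary


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def encrypted_prefix_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                              threshold: float = CIPHERTEXT_ENTROPY) -> float:
    """Fraction of the file, counted from the start, whose chunks look like ciphertext.

    Percentage-depth encryption produces a run of high-entropy chunks followed by
    a cliff back to plaintext; the run length is the depth the encryptor used.
    """
    profile = entropy_profile(data, chunk_size)
    if not profile:
        return 0.0
    high = 0
    for entropy in profile:
        if entropy < threshold:
            break
        high += 1
    return high / len(profile)


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Coarse verdict on a file body. High entropy throughout is NOT proof of
    encryption: compressed formats (zip, jpeg, docx) look the same, so that
    class needs a second check such as magic bytes."""
    fraction = encrypted_prefix_fraction(data, chunk_size)
    if fraction == 0.0:
        return "plaintext"
    if fraction == 1.0:
        return "high-entropy-throughout"
    return "partially-encrypted"


def archive_note_entries(zip_bytes: bytes, keywords=NOTE_KEYWORDS,
                         max_note_size: int = 65536) -> list[str]:
    """Names of small text entries in a zip whose content reads like a ransom note."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > max_note_size:
                continue
            if not info.filename.lower().endswith(".txt"):
                continue
            text = archive.read(info).decode("latin-1").lower()
            if any(word in text for word in keywords):
                hits.append(info.filename)
    return sorted(hits)


# --- Constructed sample data (deterministic, so results are reproducible) ---
_rng = random.Random(7)
_TEXT = b"The quick brown fox jumps over the lazy dog. " * 1500   # ~4.3 bits/byte
SAMPLE_PLAINTEXT = _TEXT[:65536]
# 40 % depth encryption: first 26214 of 65536 bytes replaced with random data.
SAMPLE_PARTIAL = _rng.randbytes(26214) + _TEXT[:65536 - 26214]
SAMPLE_RANDOM = _rng.randbytes(65536)


def build_sample_archive() -> bytes:
    """Constructed zip resembling archiver-mode output: one encrypted payload
    plus a note. Entry names and note text are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("report.docx.enc", _rng.randbytes(8192))
        archive.writestr("README_TO_RESTORE.txt",
                         b"Your files have been encrypted. To decrypt them contact us.")
        archive.writestr("changelog.txt", b"v1.0 initial release\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("partial", SAMPLE_PARTIAL),
                         ("random", SAMPLE_RANDOM)):
        print(f"{name:9s} {classify(sample):24s} prefix={encrypted_prefix_fraction(sample):.3f}")
    print("note entries:", archive_note_entries(build_sample_archive()))
```

The cliff detection is what separates percentage-depth encryption from legitimately compressed files: a .zip or image is high-entropy everywhere, whereas a 40 % depth encryption of a text document yields six high-entropy 4 KiB chunks followed by plaintext, so `encrypted_prefix_fraction` reports 0.375 and `classify` returns "partially-encrypted". Running this over a sample of recently modified user files, and over any new .zip archives, gives an endpoint or backup job a cheap signal for both Beast behaviours described above.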
Beast Ransomware Origins and Affiliations
The modus operandi suggests that the operators likely originate from the Eastern European or Russian side of the globe.
Beast Ransomware Potential Growth
Although Monster has been around for a while, its operators have still not managed to position it as a leading RaaS among threat actors. They hope Beast will do the trick, but it is still considered an early-stage RaaS that has not yet had a massive impact in the wild.