ScRansom's encryption system offers partial encryption with different speed modes giving attackers versatility, and includes an "ERASE" mode, which makes files unrecoverable by overwriting them. It targets files across all drives and kills critical Windows processes before launching. Despite its evolving capabilities, the gang's operations still reflect a certain level of immaturity as seen in their decryption difficulties. Victims often receive multiple decryption keys, but many are unable to recover all their data which contrasts with more seasoned ransomware groups that prioritize smoother decryption to build a reputation and increase ransom payments.

NoName exploits various vulnerabilities, including those in SMB environments, such as CVE-2017-0144, CVE-2020-1472, and more recent ones like CVE-2023-27532 (Veeam Backup & Replication). The gang also leverages CVE-2017-0290 to disable Windows Defender via a batch file. Alongside its primary ransomware activities, NoName has also been experimenting with tools like the leaked LockBit 3.0 ransomware builder and has created a similar data leak site, mimicking LockBit’s branding to confuse victims and investigators.

In late 2023, NoName/CosmicBeetle likely joined the RansomHub affiliate program, a significant shift in its operations. This was marked by the use of RansomHub’s EDR killer, a tool for disabling security agents and enabling privilege escalation. While the group’s affiliation with RansomHub is not fully confirmed, researchers believe with medium confidence that CosmicBeetle is now working with RansomHub, using their resources to further advance their attacks. Despite technical limitations and frequent errors, NoName's constant evolution suggests it remains a persistent threat on the ransomware scene.

Impact

• Information Theft
• File Encryption
• Financial Loss

Indicators of Compromise

Domain Name

• lockbitblog.info

IP

• 66.29.141.245

MD5

• a8570f9c64b9dd0d7e89eeb3327a8c61
• 8404570e27b53d8291f742c1efd15979
• 377f6d22b30b79b6cbd850716595fcc4
• ba2ad45b96907e639853178a571a122d
• 473aa92db128b6dd772e280eb8facbe5

SHA-256

• 34e2b621f15ad4747c7e3dde2be3617841ffacba203b93fd2ff3256b914240f7
• 8b67a544d7ddbe8e78fad71aab03431dea585c84a229e6d23832d8f449d47ff2
• e44422f6853a2a318f937607e9270ec66a374a3e078d1eedd720f8cb838a165c
• da414697d21874978dcc58930a63c7f2aa42a23b6e8b9580ad4c94d9311c138d
• 87738c63f7098c86625e831ccb7867eca336222bb038fe6411ca4a42186f3cc9

SHA-1

• 4497406d6ee7e2ef561c949ac88bb973bdbd214b
• 26d9f3b92c10e248b7dd7be2cb59b87a7a011af7
• 1b635cb0a4549106d8b4cd4edaff384b1e4177f6
• dae100afc12f3de211bff9607dd53e5e377630c5
• 705280a2dcc311b75af1619b4ba29e3622ed53b6

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.