{
	"id": "ae315707-b26e-4d5d-8525-b0efdaba18dd",
	"created_at": "2026-04-06T01:32:17.191807Z",
	"updated_at": "2026-04-10T03:22:04.050741Z",
	"deleted_at": null,
	"sha1_hash": "ed632ceecb19d364df2cdab77d7d9a66d0c8dec5",
	"title": "THREAT ANALYSIS: Beast Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2971729,
	"plain_text": "THREAT ANALYSIS: Beast Ransomware\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-06 00:19:42 UTC\r\nCybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.\r\nKEY POINTS\r\nExpanding Marketplace: The Beast Ransomware group provides various tools with constant version updates. These updates are made to appeal to wider audiences across the underground cybercrime ecosystem.\r\nBinary Customizations: The Beast RaaS platform offers affiliates numerous options for building ransomware binaries that target Windows, Linux, and ESXi systems, enabling tailored configurations to suit different operational requirements.\r\nDetection And Prevention: The Cybereason Defense Platform employs advanced Anti-Ransomware and Anti-Malware features, designed to detect and block ransomware payloads like Beast before they can execute.\r\nINTRODUCTION\r\nThe Beast Ransomware group has been active since 2022. Recently, a Beast Ransomware partnership program and new capabilities were promoted on the underground forums in June. The group has updated and created various versions to meet the market demand.
\r\nInvitation to cooperate in Russian, English and Chinese languages.\r\nPrevious versions of the Beast Ransomware, also known as Monster, were developed using the Delphi programming language and offered as a Ransomware-as-a-Service (RaaS) platform.\r\nFirst Appearance Of Beast Ransomware On The Russian Anonymous Marketplace\r\nTECHNICAL ANALYSIS\r\nBeast Operating System Support – Windows\r\nThe current known Windows versions of Beast demonstrate the following capabilities:\r\nCombination of Elliptic-curve and ChaCha20 encryption model\r\nWritten in the C programming language\r\nhttps://www.cybereason.com/blog/threat-analysis-beast-ransomware\r\nPage 1 of 10\r\nBeast Windows Binary\r\nSegmented file encryption\r\nZIP wrapper mode - Files are converted on the fly to .zip with the ransom note inside\r\nMultithreaded queue for encryption\r\nProcesses/Services termination\r\nShadow copy delete\r\nMounting hidden partitions\r\nSubnet scanner\r\nIn August 2024, an offline builder was promoted with the option to configure builds for Windows, NAS, and ESXi.\r\nNew Beast Offline Builder\r\nBeast Operating System Support – Linux And ESXi\r\nThe Beast Linux version has the following capabilities (controllable via command line arguments):\r\nSelectable path for encryption\r\nEnable/disable certain functionality\r\nRansom note generation from external file\r\nDaemon mode\r\nWritten in C and Go programming languages\r\nThe VMware ESXi version also has the following additional options:\r\nOption to shut down a VM and encrypt the machine's files\r\nOption to exclude some vmid\r\nLinux \u0026 ESXi Version Parameters\r\nBinary Analysis - BEAST HERE?
\r\nLike most ransomware, the initial compromise often occurs through various infection vectors, such as phishing emails or compromised remote desktop protocol (RDP) endpoints.\r\nTo prevent multiple instances of Beast running simultaneously on the same system, it creates a unique mutex with the string “BEAST HERE?”. This ensures efficient execution and enables the attacker to maintain control over the ransomware’s behavior on the infected system.\r\nBeast Creates A Mutex Object With BEAST HERE? String\r\nThe latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova. This is achieved through code that checks the system's default language settings and country code, and retrieves the target's IP address.\r\nIf the ransomware detects that the device is in a CIS country, it halts encryption activities. This strategic exclusion is likely a tactic to avoid drawing attention or repercussions from authorities in those regions.\r\nChecking Victim IP \u0026 Location By Connecting To iplogger.co\r\nBeast performs SMB scans to automatically search for and infect vulnerable computers on nearby networks. This self-propagation mechanism can quickly spread the payload without requiring any human intervention.\r\nBeast SMB Scanning\r\nLoad Of RstrtMgr DLL (Restart Manager)\r\nRstrtMgr.dll, the Restart Manager, is a critical system component that safeguards open and unsaved files during system reboots. It acts as a gatekeeper, prompting users to save their work before shutting down to prevent data loss. Beast Ransomware abuses this DLL to unlock files it intends to encrypt.\r\nBefore encrypting a file, the ransomware stops services and processes in order to unlock and safely close open files.
\r\nThe list of services targeted by Beast Ransomware is as follows:\r\nList of services targeted by Beast Ransomware\r\nAcronisAgent BackupExecDiveciMediaService CAARCUpdateSvc GxBlr Intuit.Qui\r\nAcrSch2Svc BackupExecJobEngine CASAD2DWebSvc GxClMgr Memtas\r\nBackup BackupExecManagementService ccEvtMgr GxCVD Mepocs\r\nBackupExecAgentAccelerator BackupExecRPCService ccSetMgr GxFWD Msexchan\r\nBackupExecAgentBrowser BackupExecVSSProvider DefWatch GxVss PDVFSS\r\nVeeamDeploymentService VeeamNFSSvc VeeamTransportSvc VSNAPVSS Vss\r\nYooBackup YooIT Zhudongfangyu MSSQLFDLauncher MSSQLS\r\nSQLTELEMETRY MsDtsServer130 SSISTELEMETRY130 SQLWriter MSSQL$\r\nSQLAgent MSSQLSERVERADHelper100 MSSQLServerOLAPService MsDtsServer100 ReportSe\r\nMSSQL$PROGID MSSQL$WOLTERSKLUWER SQLAgent$PROGID SQLAgent$WOLTERSKLUWER MSSQLF\r\nReportServer$OPTIMA msftesql$SQLEXPRESS Postgresql-x64-9.4 SavRoam Wscsvc\r\nSQLTELEMETRY$HL MSSQL$OPTIMA SQLSERVERAGENT SQLAgent$VEEAMSQL2012 SQLAgen\r\nVeeam Wuauserv SQLBrowser MSSQL TMBMSe\r\nShadow Copy Delete\r\nWhen the shadow copy delete process is initiated by Beast Ransomware, it calls IWbemServices::ExecQuery(\"WQL\", \"Select * FROM Win32_ShadowCopy\") to obtain an IEnumWbemClassObject for enumerating shadow copies, and then calls IWbemServices::DeleteInstance(\"\\\\MachineName\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\\\"{Shadow Copy ID}\\\"\") to delete each of them.\r\nBeast Querying Shadow Copies\r\nBeast Deleting Shadow Copies\r\nFile Encryption\r\nRansomware often employs multithreading to accelerate file encryption. This technique involves the parent thread identifying files and sending them for encryption to child threads. The child threads then work concurrently, each encrypting a different file, significantly speeding up the overall encryption process. This approach leverages the system's hardware capabilities to encrypt files more efficiently.\r\nBeast Ransomware Threads (demonstrating multithreading usage)\r\nBeast uses strong encryption to lock down files on all connected devices in a network. It targets a variety of file formats, such as documents, pictures, videos, and databases.\r\nOnce files are encrypted, victims can't access them unless they have the decryption key, which is controlled by the attackers.\r\nPDF File Encryption Process Example\r\nEncrypted Files\r\nThe ransom note thread extracts and decodes the embedded ransom note, which was specified in the malware's settings. This note is then saved as a \"README.txt\" file in every directory that isn't explicitly excluded from encryption.\r\nCreation Of The Ransom Note README.txt\r\nRansom Note\r\nTo display the Beast Ransomware GUI during the encryption process, press and hold ALT+CTRL and type 666:\r\nBeast Ransomware GUI\r\nIndicators of Compromise - IOCs\r\nCybereason shared a list of indicators of compromise related to this research:\r\nIOC | IOC type | Description\r\niplogger[.]co/1v1i85[.]torrent | Domain Name | Geofencing IP query\r\n4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf | SHA-256 | Beast Windows Encryptor\r\n369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b | SHA-256 | Beast Windows Encryptor\r\ne01f5c7067dc984dceb883b10444b1a5b0f22ebd500baf9d9a88207f5033285d | SHA-256 | Beast Windows Encryptor\r\ndd09a2ef31d018fd83f186e3eaaccccdaa8a8c8779ced668abb06dc934d89a2d | SHA-256 | Beast Windows Encryptor\r\ndbbe792e6c804518909f8990a836552573522d126547429d6cd3fcb1f60d542c | SHA-256 | Beast Windows Encryptor\r\nCybereason Recommendations:\r\nFollow and hunt Beast affiliate activity in order to identify pre-ransomware behaviors.\r\nPromote cybersecurity best practices such as multifactor authentication and patch management.\r\nFor Cybereason customers on the Cybereason Defense Platform:\r\nEnable Anti-Malware and set the Anti-Malware \u003e Signatures mode to Prevent, Quarantine, or Disinfect.\r\nEnable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode and enable shadow copy protection.\r\nEnable Application Control.\r\nKeep systems fully patched: Make sure your systems are patched in order to mitigate vulnerabilities.\r\nRegularly back up files and create a backup process and policy: Restoring your files from a backup is the fastest way to regain access to your data.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nMITRE ATT\u0026CK MAPPING\r\nTactic | Techniques / Sub-Techniques\r\nTA0002: Execution | T1047 - Windows Management Instrumentation\r\nTA0002: Execution | T1106 - Native API\r\nTA0003: Persistence | T1543.003 - Create or Modify System Process: Windows Service\r\nTA0007: Discovery | T1083 - File and Directory Discovery\r\nTA0004: Privilege Escalation | T1078.001 - Valid Accounts: Default Accounts\r\nTA0004: Privilege Escalation | T1078.002 - Valid Accounts: Domain Accounts\r\nTA0007: Discovery | T1135 - Network Share Discovery\r\nTA0007: Discovery | T1016 - System Network Configuration Discovery\r\nTA0005: Defense Evasion | T1406.002 - Obfuscated Files or Information: Software Packing\r\nTA0005: Defense Evasion | T1620 - Reflective Code Loading\r\nTA0008: Lateral Movement | T1021.002 - Remote Service: SMB/Windows Admin Shares\r\nTA0009: Collection | T1119 - Automated Collection\r\nTA0040: Impact | T1486 - Data Encrypted for Impact\r\nTA0040: Impact | T1489 - Service Stop\r\nTA0040: Impact | T1490 - Inhibit System Recovery\r\nReferences\r\nhttps://blogs.blackberry.com/en/2022/09/some-kind-of-monster-raas-hides-itself-using-traits-from-other-malware\r\nhttps://cyberint.com/blog/research/the-nature-of-the-beast-ransomware/\r\nABOUT THE RESEARCHER\r\nMark Tsipershtein, Security Researcher at Cybereason\r\nMark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.\r\nCybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle as well as Cybereason SDR, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nSource: https://www.cybereason.com/blog/threat-analysis-beast-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-beast-ransomware"
	],
	"report_names": [
		"threat-analysis-beast-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439137,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed632ceecb19d364df2cdab77d7d9a66d0c8dec5.pdf",
		"text": "https://archive.orkl.eu/ed632ceecb19d364df2cdab77d7d9a66d0c8dec5.txt",
		"img": "https://archive.orkl.eu/ed632ceecb19d364df2cdab77d7d9a66d0c8dec5.jpg"
	}
}