THREAT ANALYSIS: Beast Ransomware
By Cybereason Security Services Team
Archived: 2026-04-06 00:19:42 UTC

Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.

KEY POINTS

Expanding Marketplace: The Beast Ransomware group provides various tools with constant version updates. These updates are made to appeal to a wider audience across the underground cybercrime ecosystem.

Binary Customizations: The Beast RaaS platform offers affiliates numerous options for building ransomware binaries that target Windows, Linux, and ESXi systems, enabling tailored configurations to suit different operational requirements.

Detection And Prevention: The Cybereason Defense Platform employs Anti-Ransomware and Anti-Malware features designed to detect and block ransomware payloads like Beast before they can execute.

INTRODUCTION

The Beast Ransomware group has been active since 2022. Recently, a Beast Ransomware partnership program and new capabilities were promoted on underground forums in June. The group has updated and created various versions to meet market demand.

Figure: Invitation to cooperate, in Russian, English and Chinese.

Previous versions of the Beast Ransomware, also known as Monster, were developed in the Delphi programming language and offered as a Ransomware-as-a-Service (RaaS) platform.
Figure: First appearance of Beast Ransomware on the Russian Anonymous Marketplace.

TECHNICAL ANALYSIS

Beast Operating System Support – Windows

The currently known Windows versions of Beast demonstrate the following capabilities:

- Combination of elliptic-curve and ChaCha20 encryption (an asymmetric elliptic-curve component protecting the symmetric ChaCha20 file keys)
- Written in the C programming language
- Segmented file encryption
- ZIP wrapper mode: files are converted on the fly to .zip archives with the ransom note inside
- Multithreaded queue for encryption
- Process/service termination
- Shadow copy deletion
- Mounting of hidden partitions
- Subnet scanner

https://www.cybereason.com/blog/threat-analysis-beast-ransomware Page 1 of 10

Figure: Beast Windows binary.

In August 2024, an offline builder was promoted with options to configure builds for Windows, NAS and ESXi.

Figure: New Beast offline builder.

Beast Operating System Support – Linux And ESXi

The Beast Linux version has the following capabilities, controllable via command-line arguments:

- Selectable path for encryption
- Enable/disable certain functionality
- Ransom note generation from an external file
- Daemon mode
- Written in the C and Go programming languages

The VMware ESXi version also has the following additional options:

- Option to shut down a VM and encrypt the machine's files
- Option to exclude certain VM IDs (vmid)

Figure: Linux & ESXi version parameters.

Binary Analysis - BEAST HERE?

Like most ransomware, initial compromise typically occurs through infection vectors such as phishing emails or compromised Remote Desktop Protocol (RDP) endpoints. To prevent multiple instances of Beast running simultaneously on the same system, the binary creates a mutex named “BEAST HERE?”; a second instance that finds the mutex already present does not start encrypting the same files again. A mutex name this distinctive is also a cheap hunting artefact: it can be looked for in process handle tables and memory scans, and a pre-created mutex of that name is the basis of the usual "vaccine" trick against single-instance ransomware.

Figure: Beast creates a mutex object with the BEAST HERE? string.

The latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus and Moldova. This is achieved through code that checks the system's default language settings and country code, and that retrieves the host's public IP address by querying iplogger[.]co. If the ransomware determines that the device is in a CIS country, it halts encryption. This exclusion is a common tactic for avoiding attention or repercussions from authorities in those regions. Because the result of the lookup decides whether encryption proceeds, the outbound request to iplogger[.]co happens before files are encrypted; blocking or alerting on it gives defenders a signal that precedes the damage.

Figure: Checking victim IP and location by connecting to iplogger.co.

Beast performs SMB scans to automatically search for and infect other hosts exposing SMB on reachable subnets. This self-propagation mechanism can quickly spread the payload without human intervention; a single workstation suddenly connecting to port 445 across an entire /24 is the network-side symptom.

Figure: Beast SMB scanning.

Load Of RstrtMgr DLL (Restart Manager)

RstrtMgr.dll implements the Windows Restart Manager, an API built for installers and updaters: given a set of files, it enumerates the processes and services that hold them open (RmRegisterResources / RmGetList) and can shut those processes down and restart them afterwards (RmShutdown / RmRestart), so that an update can replace in-use files without a reboot. Beast abuses this legitimate component: before encrypting a file, the ransomware uses the Restart Manager to identify and stop the services and processes that hold the file open, so that the open handle no longer blocks encryption. Several other ransomware families rely on the same technique, so an image-load alert on RstrtMgr.dll from an unsigned or unusual process is a family-agnostic signal worth keeping.
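Service termination is one of the few Beast behaviours that is both pre-encryption and loudly logged: every stop lands in the Windows System log as Event ID 7036 ("entered the stopped state"). The hunting script below is an added example written for this edit, not Cybereason's or the Beast operators' code. It clusters stops of the services named in this report per host, treating the names as case-insensitive prefixes so instance-named services (MSSQL$<instance>, SQLAgent$<instance>) match their generic form. The event records, host names and timestamps are constructed; the 60-second gap and four-hit threshold are assumptions to tune for your environment.

```python
"""Flag Beast-style bursts of service stops in Windows System log records.

Added example for this edit (not Cybereason's or Beast's code). Input records
are constructed Event ID 7036 ("entered the stopped state") events in the
shape a SIEM or Get-WinEvent would return after parsing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the service names this report lists as Beast targets. They are
# matched as case-insensitive prefixes so that instance-named services such
# as "MSSQL$VEEAMSQL2012" or "SQLAgent$PROGID" match their generic form.
BEAST_SERVICE_PREFIXES = (
    "AcronisAgent", "AcrSch2Svc", "BackupExec", "Veeam", "VSNAPVSS",
    "MSSQL$", "SQLAgent$", "SQLWriter", "SQLBrowser", "SQLSERVERAGENT",
    "MSSQLServerOLAPService", "ReportServer", "GxVss", "GxCVD",
    "Postgresql-x64-9.4", "wuauserv", "wscsvc", "Zhudongfangyu",
)

# Constructed sample: (ISO timestamp, host, service name) for Event ID 7036.
SAMPLE_EVENTS = [
    ("2024-09-01T02:14:00", "FS01", "Spooler"),              # not a Beast target
    ("2024-09-01T02:15:03", "FS01", "VeeamTransportSvc"),
    ("2024-09-01T02:15:03", "FS01", "VeeamNFSSvc"),
    ("2024-09-01T02:15:04", "FS01", "MSSQL$VEEAMSQL2012"),
    ("2024-09-01T02:15:04", "FS01", "SQLAgent$VEEAMSQL2012"),
    ("2024-09-01T02:15:05", "FS01", "SQLWriter"),
    ("2024-09-01T02:15:06", "FS01", "wuauserv"),
    ("2024-09-01T02:15:07", "FS01", "AcronisAgent"),
    ("2024-09-01T03:40:00", "DB02", "SQLBrowser"),           # single stop, routine
    ("2024-09-01T09:12:10", "WS07", "wuauserv"),             # single stop, routine
]


def is_beast_target(service_name: str) -> bool:
    """Case-insensitive prefix match against the target list."""
    name = service_name.lower()
    return any(name.startswith(prefix.lower()) for prefix in BEAST_SERVICE_PREFIXES)


def find_service_stop_bursts(events, window=timedelta(seconds=60), min_hits=4):
    """Cluster target-service stops per host; consecutive stops closer than
    `window` belong to one burst. Returns one alert per burst of >= min_hits."""
    hits_by_host = defaultdict(list)
    for ts, host, service in events:
        if is_beast_target(service):
            hits_by_host[host].append((datetime.fromisoformat(ts), service))

    alerts = []

    def emit(host, cluster):
        if len(cluster) >= min_hits:
            alerts.append({
                "host": host,
                "start": cluster[0][0].isoformat(),
                "end": cluster[-1][0].isoformat(),
                "services": [svc for _, svc in cluster],
            })

    for host, hits in hits_by_host.items():
        hits.sort()
        cluster = [hits[0]]
        for ts, service in hits[1:]:
            if ts - cluster[-1][0] <= window:
                cluster.append((ts, service))
            else:
                emit(host, cluster)
                cluster = [(ts, service)]
        emit(host, cluster)

    return sorted(alerts, key=lambda a: a["start"])


if __name__ == "__main__":
    for alert in find_service_stop_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']}: {len(alert['services'])} target services stopped "
              f"between {alert['start']} and {alert['end']}: {', '.join(alert['services'])}")
```

On the constructed sample the routine single stops on DB02 and WS07 are ignored, while FS01, where seven backup and database services stop within five seconds, produces one alert. Pair this with an image-load alert on RstrtMgr.dll: the service stops and the Restart Manager calls are the two halves of the same unlock-before-encrypt step.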
The list of services targeted by Beast Ransomware is as follows, reproduced row by row from the table in the report. Several names in the last column (Intuit.Qui, Msexchan, ReportSe, MSSQLF, SQLAgen and others) are cut short in the source table and are given here as they appear. Entries such as MSSQL$ and SQLAgent$ are prefixes that cover every named SQL Server instance.

AcronisAgent, BackupExecDiveciMediaService, CAARCUpdateSvc, GxBlr, Intuit.Qui
AcrSch2Svc, BackupExecJobEngine, CASAD2DWebSvc, GxClMgr, Memtas
Backup, BackupExecManagementService, ccEvtMgr, GxCVD, Mepocs
BackupExecAgentAccelerator, BackupExecRPCService, ccSetMgr, GxFWD, Msexchan
BackupExecAgentBrowser, BackupExecVSSProvider, DefWatch, GxVss, PDVFSS
VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc, VSNAPVSS, Vss
YooBackup, YooIT, Zhudongfangyu, MSSQLFDLauncher, MSSQLS
SQLTELEMETRY, MsDtsServer130, SSISTELEMETRY130, SQLWriter, MSSQL$
SQLAgent, MSSQLSERVERADHelper100, MSSQLServerOLAPService, MsDtsServer100, ReportSe
MSSQL$PROGID, MSSQL$WOLTERSKLUWER, SQLAgent$PROGID, SQLAgent$WOLTERSKLUWER, MSSQLF
ReportServer$OPTIMA, msftesql$SQLEXPRESS, Postgresql-x64-9.4, SavRoam, Wscsvc
SQLTELEMETRY$HL, MSSQL$OPTIMA, SQLSERVERAGENT, SQLAgent$VEEAMSQL2012, SQLAgen
Veeam, Wuauserv, SQLBrowser, MSSQL, TMBMSe

Figure: List of services targeted by Beast Ransomware.

The list is dominated by backup agents (Acronis, Backup Exec, Veeam, Commvault's Gx* services) and database engines (SQL Server, PostgreSQL): stopping them both releases file locks and ensures the backups and databases are encrypted rather than skipped.

Shadow Copy Delete

When Beast initiates shadow copy deletion, it uses the WMI COM interfaces directly. It first calls IWbemServices::ExecQuery with the WQL query “SELECT * FROM Win32_ShadowCopy” to obtain an IEnumWbemClassObject enumerator over the existing shadow copies, then calls IWbemServices::DeleteInstance with the object path “\\MachineName\ROOT\CIMV2:Win32_ShadowCopy.ID="{Shadow Copy ID}"” for each copy returned. Because this is done through in-process COM calls rather than by spawning vssadmin.exe or wmic.exe, command-line detections for those tools do not fire; catching it requires WMI-level telemetry or an EDR control that protects shadow copies, which is why shadow copy protection is among the recommendations below.

Figure: Beast querying shadow copies.

Figure: Beast deleting shadow copies.

File Encryption

Ransomware often employs multithreading to accelerate file encryption. A parent thread enumerates the file system and queues files for child threads, which each encrypt a different file concurrently, so that total encryption time is bounded by the available cores and disk bandwidth rather than by a single sequential loop. Beast's multithreaded encryption queue is an instance of this design.
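Once encryption has run, a responder needs to establish scope quickly: which directories were touched, and which outputs are Beast's ZIP wrapper archives versus ordinary renamed ciphertext. The sweep below is an added example written for this edit, not Cybereason's tooling, and it generalises slightly beyond the report by adding a byte-entropy check as a format-agnostic test for encrypted content. It uses the README.txt ransom note name from this report; the layout of a ZIP wrapper archive (one note member plus one payload member), the .locked suffix on the sample file, the 64 KiB sample size and the 7.5 bits/byte threshold are assumptions. The sample directory tree is constructed in a temporary directory.

```python
"""Sweep a directory tree for the artefacts Beast leaves behind after encryption.

Added example for this edit, not Cybereason's tooling. It looks for
(1) the per-directory README.txt ransom note,
(2) "ZIP wrapper" outputs: zip files carrying a ransom note next to one payload
    member (the member layout is an assumption; the report only says the note
    is inside the archive), and
(3) other files whose byte entropy is close to 8 bits/byte, which is what
    ChaCha20 output looks like and what plain documents do not.
The sample tree is constructed in a temporary directory by build_sample_tree().
"""
import math
import os
import tempfile
import zipfile
from pathlib import Path

NOTE_NAME = "README.txt"       # ransom note file name given in the report
SAMPLE_BYTES = 64 * 1024       # assumption: judge a file on its first 64 KiB
ENTROPY_THRESHOLD = 7.5        # assumption: bits per byte; random data is ~7.99


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_zip_wrapper(path: Path) -> bool:
    """True for a zip whose only members are a ransom note and one payload."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    return len(members) == 2 and NOTE_NAME.lower() in {Path(m).name.lower() for m in members}


def sweep(root: Path) -> dict:
    """Walk `root` and classify files. Ordinary zip archives are skipped rather
    than entropy-checked, because compressed data scores high for a benign reason."""
    notes, wrappers, high_entropy = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == NOTE_NAME:
                notes.append(rel)
            elif zipfile.is_zipfile(path):
                if looks_like_zip_wrapper(path):
                    wrappers.append(rel)
            else:
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                        high_entropy.append(rel)
    return {
        "ransom_notes": sorted(notes),
        "zip_wrappers": sorted(wrappers),
        "high_entropy_files": sorted(high_entropy),
        "hit_directories": sorted({Path(n).parent.as_posix() for n in notes}),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one untouched directory and one 'encrypted' directory."""
    clean = root / "clean"
    clean.mkdir()
    (clean / "notes.txt").write_text("quarterly numbers\n" * 50)
    with zipfile.ZipFile(clean / "archive.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        for member in ("a.txt", "b.txt", "c.txt"):   # benign three-member archive
            zf.writestr(member, "ordinary archive content\n" * 40)

    hit = root / "finance"
    hit.mkdir()
    (hit / NOTE_NAME).write_text("constructed ransom note text\n")
    with zipfile.ZipFile(hit / "budget.xlsx.zip", "w") as zf:   # ZIP wrapper mode
        zf.writestr(NOTE_NAME, "constructed ransom note text\n")
        zf.writestr("budget.xlsx", os.urandom(4096))            # stands in for ciphertext
    # The .locked suffix is a placeholder; the report does not state Beast's suffix.
    (hit / "report.pdf.locked").write_bytes(os.urandom(8192))


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats for real use: already-compressed media (JPEG, MP4, Office files, which are themselves zip containers) scores near 8 bits/byte, so the entropy list is a lead to confirm, not a verdict; and because Beast encrypts in segments, a partially encrypted large file can score below the threshold on its first 64 KiB, so raise SAMPLE_BYTES or sample several offsets when triaging big database files.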
Figure: Beast Ransomware threads (demonstrating multithreading usage).

Beast encrypts files on the infected host and on the network shares it can reach, targeting a variety of file formats such as documents, pictures, videos and databases. Once files are encrypted, victims cannot access them without the decryption key, which the attackers hold: because the scheme combines the symmetric ChaCha20 stream cipher with an asymmetric elliptic-curve component, the key material needed to decrypt is not recoverable from the victim system without the attackers' private key.

Figure: PDF file encryption process.

Figure: Example encrypted files.

The ransom note thread extracts and decodes the embedded ransom note, which was specified in the malware's build settings. The note is then saved as README.txt in every directory that is not explicitly excluded from encryption.

Figure: Creation of the ransom note.

Figure: README.txt ransom note.

To display the Beast Ransomware GUI during the encryption process, press and hold ALT+CTRL and type 666:

Figure: Beast Ransomware GUI.

Indicators of Compromise - IOCs

Cybereason shared a list of indicators of compromise related to this research:

IOC | IOC type | Description
iplogger[.]co/1v1i85[.]torrent | Domain Name | Geofencing IP query
4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf | SHA-256 | Beast Windows Encryptor
369034bf1d793fe56ea4d683a156722d825ad9829fc128117f82a26bc1d0480b | SHA-256 | Beast Windows Encryptor
e01f5c7067dc984dceb883b10444b1a5b0f22ebd500baf9d9a88207f5033285d | SHA-256 | Beast Windows Encryptor
dd09a2ef31d018fd83f186e3eaaccccdaa8a8c8779ced668abb06dc934d89a2d | SHA-256 | Beast Windows Encryptor
dbbe792e6c804518909f8990a836552573522d126547429d6cd3fcb1f60d542c | SHA-256 | Beast Windows Encryptor

Cybereason Recommendations:

- Follow and hunt Beast affiliate activity in order to identify pre-ransomware behaviors.
- Promote cybersecurity best practices such as multifactor authentication and patch management.
- For Cybereason customers on the Cybereason Defense Platform: enable Anti-Malware and set the Anti-Malware > Signatures mode to Prevent, Quarantine, or Disinfect. Enable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode and enable shadow copy protection.
- Enable Application Control.
- Keep systems fully patched: make sure your systems are patched in order to mitigate vulnerabilities.
- Regularly back up files and define a backup process and policy: restoring your files from a backup is the fastest way to regain access to your data. Keep at least one copy offline or immutable, since Beast stops backup services and deletes shadow copies before it encrypts.
- Enable Variant Payload Prevention in prevent mode on Cybereason Behavioral Execution Prevention.

MITRE ATT&CK MAPPING

Tactic | Technique / Sub-technique
TA0002: Execution | T1047 - Windows Management Instrumentation
TA0002: Execution | T1106 - Native API
TA0003: Persistence | T1543.003 - Create or Modify System Process: Windows Service
TA0007: Discovery | T1083 - File and Directory Discovery
TA0004: Privilege Escalation | T1078.001 - Valid Accounts: Default Accounts
TA0004: Privilege Escalation | T1078.002 - Valid Accounts: Domain Accounts
TA0007: Discovery | T1135 - Network Share Discovery
TA0007: Discovery | T1016 - System Network Configuration Discovery
TA0005: Defense Evasion | T1027.002 - Obfuscated Files or Information: Software Packing
TA0005: Defense Evasion | T1620 - Reflective Code Loading
TA0008: Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares
TA0009: Collection | T1119 - Automated Collection
TA0040: Impact | T1486 - Data Encrypted for Impact
TA0040: Impact | T1489 - Service Stop
TA0040: Impact | T1490 - Inhibit System Recovery

References

https://blogs.blackberry.com/en/2022/09/some-kind-of-monster-raas-hides-itself-using-traits-from-other-malware
https://cyberint.com/blog/research/the-nature-of-the-beast-ransomware/

ABOUT THE RESEARCHER

Mark Tsipershtein, Security Researcher at Cybereason

Mark Tsipershtein, a security researcher on the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.

Source: https://www.cybereason.com/blog/threat-analysis-beast-ransomware