Beast
ransomware, 1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
Beast
CATEGORY:
RANSOMWARE
DESCRIPTION:
Beast is a Ransomware-as-a-Service (RaaS) platform, active since 2022, that targets Windows, Linux, and ESXi systems. It is written in C and encrypts files with a combination of elliptic-curve cryptography and ChaCha20. Its capabilities include shadow copy deletion, service termination, SMB scanning for lateral movement, and multithreaded file encryption. It avoids CIS countries (Russia, Belarus, Moldova) by checking system language settings and IP geolocation.
ALIASES:
Monster, Beast RaaS
TAGS:
raas, file_encryption, multi_platform, smb_propagation, shadow_copy_delete, service_termination, chacha20, elliptic_curve
[MUTEX_SIGNATURES] (1)
[MUTEX_01]
BEAST HERE?
ANALYST: @adhikara13 DATE: 2025-01-15
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Beast RaaS Group
FIRST_OBSERVED:
2022
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:2
TAGS:8
CATEGORY:RANSOMWARE