Introduction
Beast ransomware emerged in 2022 as an enhanced iteration of the earlier “Monster” ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates rich customization options to build tailored binaries for Windows, Linux, and VMware ESXi systems. Key technical capabilities include hybrid elliptic-curve and ChaCha20 encryption, segmented file encryption, a ZIP wrapper mode (encrypting files into ZIP archives with embedded ransom notes), multithreaded processing, service termination, shadow copy deletion, use of hidden partitions, and subnet scanning. Affiliates are provided configurable offline builders, enabling streamlined deployment across multiple platforms. While Beast’s functionality is well documented, details on its specific victims, targeted sectors, and leak-site activity remain limited in public sources.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Automim, LaZagne, Mimikatz |
| Discovery | Advanced IP Scanner, Advanced Port Scanner, Everything.exe, SoftPerfect NetScan |
| Exfiltration | MEGA, WinSCP |
| LOLBAS | PsExec |
| Networking | Klink, OpenSSH |
| RMM Tools | AnyDesk |
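As an added defender-side example (not content from this profile, the Ransomware Tool Matrix, or any vendor's detection rules), the following Python sketch flags process-creation events consistent with two items on this page: the shadow copy deletion and service termination named in the introduction, and the tools listed in the matrix above. The sample events are constructed. The executable names used to match tools (for example netscan.exe for SoftPerfect NetScan and MEGAsync/MEGAcmd for MEGA) are assumptions about how each tool usually appears on disk, not indicators from this profile; Automim, Klink and OpenSSH are left out because a bare name gives no reliable signal without such an assumption.

```python
"""Flag process-creation events consistent with the tradecraft in this profile.

Added example. Events are constructed key=value lines loosely modelled on
Sysmon Event ID 1 fields (host, user, image, cmdline); they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'host=WS17 user=CORP\\jdoe image=C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe cmdline="advanced_ip_scanner.exe /s 10.0.0.0/24"',
    'host=WS17 user=CORP\\jdoe image=C:\\Temp\\mimikatz.exe cmdline="mimikatz.exe"',
    'host=DC01 user=CORP\\admin image=C:\\Tools\\PsExec.exe cmdline="PsExec.exe -accepteula"',
    'host=WS03 user=CORP\\asmith image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" cmdline="AnyDesk.exe --service"',
    'host=WS03 user=CORP\\asmith image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\net.exe cmdline="net stop MSSQLSERVER /y"',
]

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    category: str
    detail: str
    severity: str


# Behavioural rules drawn from the capabilities listed in the introduction.
BEHAVIOUR_RULES = [
    ("Shadow copy deletion", "high", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("Shadow copy deletion", "high", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Service termination", "medium", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]

# Tool rules from the tool matrix. The binary names are assumptions about how
# each tool commonly appears on disk, not indicators published for this actor.
TOOL_RULES = [
    ("Credential Theft", "Mimikatz", re.compile(r"mimikatz", re.I)),
    ("Credential Theft", "LaZagne", re.compile(r"lazagne", re.I)),
    ("Discovery", "Advanced IP Scanner", re.compile(r"advanced[ _]?ip[ _]?scanner", re.I)),
    ("Discovery", "Advanced Port Scanner", re.compile(r"advanced[ _]?port[ _]?scanner", re.I)),
    ("Discovery", "SoftPerfect NetScan", re.compile(r"\bnetscan(\.exe)?\b", re.I)),
    ("Discovery", "Everything.exe", re.compile(r"\beverything\.exe\b", re.I)),
    ("Exfiltration", "MEGA", re.compile(r"\bmega(sync|cmd)(\.exe)?\b", re.I)),
    ("Exfiltration", "WinSCP", re.compile(r"\bwinscp(\.exe)?\b", re.I)),
    ("LOLBAS", "PsExec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("RMM Tools", "AnyDesk", re.compile(r"\banydesk(\.exe)?\b", re.I)),
]

# Legitimate admin tools (PsExec, AnyDesk) score lower on their own; the
# per-host summary below is what turns them into a meaningful signal.
TOOL_SEVERITY = {
    "Credential Theft": "high",
    "Discovery": "medium",
    "Exfiltration": "medium",
    "LOLBAS": "low",
    "RMM Tools": "low",
}


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def analyze(lines) -> list:
    """Run every rule over image + command line of each event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        text = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
        for category, severity, rx in BEHAVIOUR_RULES:
            if rx.search(text):
                findings.append(Finding(host, category, ev.get("cmdline", ""), severity))
        for category, tool, rx in TOOL_RULES:
            if rx.search(text):
                findings.append(Finding(host, category, tool, TOOL_SEVERITY[category]))
    return findings


def summarize(findings) -> dict:
    """Distinct categories per host: several stages on one host is the real alert."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return {host: sorted(cats) for host, cats in by_host.items()}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.severity:6}] {f.host:5} {f.category:22} {f.detail}")
    for host, cats in summarize(hits).items():
        print(f"{host}: {', '.join(cats)}")
```

On the constructed input, FS01 pairs shadow copy deletion with service termination and WS17 pairs a credential theft tool with a discovery tool, which is the stacking the summary is meant to surface; the notepad event produces nothing. Matching on tool names is easy to evade by renaming, so treat these rules as a starting point to be backed by behavioural telemetry, not as a complete detection.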
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.