Ransomware operation CosmicBeetle, also known as Spacecolon or NONAME, is suspected of being a RansomHub affiliate, reports SC Media. The suspicion follows an attack against an Indian manufacturing firm in early June, in which an attempted intrusion with the CosmicBeetle-linked ScRansom backdoor was followed by the deployment of RansomHub's ransomware and endpoint detection and response (EDR) killer.
The extraction of RansomHub's EDR killer via WinRAR from an archive stored in the Music folder has further cemented the link with CosmicBeetle, which usually leverages this technique; other RansomHub affiliates have not been seen using it, an analysis from ESET revealed. The development comes after CosmicBeetle's previous efforts to strengthen its ransomware operations by impersonating the LockBit ransomware gang.
"The NoName group's activities identify two critical trends in the current ransomware landscape. First, the complexity of ransomware tools is increasing, and second, ransomware gangs are becoming more organized, experimenting with strategies like affiliate programs and impersonation to extend their reach," said KnowBe4 security awareness advocate James McQuiggan.