NoName’s Notorious Rise: Targeting SMBs, Now Aligning with RansomHub?

The NoName ransomware group has spent over three years attempting to build its reputation, targeting small and medium-sized businesses worldwide with their encryption tools. ESET specialists have suggested that NoName may now be partnering with RansomHub.

Hackers are employing customized tools from the Spacecolon malware family. To infiltrate networks, they use brute-force attacks and exploit older vulnerabilities. Recently, NoName introduced a new ransomware—ScRansom, which has replaced Scarab.

Researchers have been tracking the group’s activities since 2023, assigning it the codename CosmicBeetle. ESET emphasizes that although ScRansom is less complex compared to other well-known threats, it continues to evolve and poses a significant danger.

ScRansom supports partial encryption with various speed modes, offering attackers flexibility. The program also overwrites file contents with a constant value, making recovery impossible. It can operate on all types of media—local, remote, and removable. Before initiating encryption, ScRansom disables key Windows processes and services, including Windows Defender, shadow copies, and virtualization-related processes.

The encryption used by ScRansom is complex, combining AES-CTR-128 and RSA-1024 algorithms. However, the multi-stage encryption process can sometimes result in errors, preventing decryption even with the correct keys. In one case, a victim received 31 decryption keys but still couldn’t recover all the files.

ScRansom continues to evolve. The virus itself is written in Delphi, as are other CosmicBeetle tools. Interestingly, the ransomware requires human interaction to launch, making it difficult to detect in automated sandboxes. The latest versions are automated, requiring minimal interaction. ScRansom attacks files on all drives and employs several encryption modes, one of which completely destroys data, rendering recovery impossible.

In addition to brute-force attacks, NoName actively exploits vulnerabilities commonly found in the infrastructure of small and medium-sized businesses. These include CVE-2017-0144 (EternalBlue), CVE-2020-1472 (ZeroLogon), FortiOS SSL-VPN vulnerabilities (CVE-2022-42475), and flaws in Veeam and Active Directory. NoName’s attacks also exploit CVE-2017-0290 through a specialized script that disables Windows security features.

The group’s efforts to make a name for themselves are not limited to introducing new ransomware. Researchers have noticed that CosmicBeetle has begun using the leaked source code of the LockBit virus, imitating the notorious criminal group both in ransom demands and on data leak websites. This tactic helps convince victims to pay, believing they are dealing with more experienced criminals.

In September 2023, CosmicBeetle created a site that was a replica of LockBit’s, where data from victims of both NoName and LockBit were published. In November, the attackers went further, registering the domain lockbitblog[.]info and using the LockBit brand to continue their attacks.

The use of leaked encryption tools, as seen with LockBit, is a common practice among less experienced ransomware groups. It allows them not only to capitalize on a recognizable brand but also to acquire a reliable ransomware variant. During one incident, after a failed attempt to deploy ScRansom, the hackers switched to using RansomHub’s tools, leading researchers to speculate on a possible partnership between NoName and this group.

While definitive proof of collaboration is lacking, the continued development of ScRansom and the shift to using LockBit’s tools suggest that NoName has no intention of halting its operations.