Beast is a Ransomware-as-a-Service (RaaS) platform whose affiliates gain initial access via phishing emails or compromised RDP endpoints, then deploy a curated toolkit for network reconnaissance, credential theft, lateral movement, and data exfiltration before encrypting files with a combination of elliptic-curve cryptography and ChaCha20. The group operates a Tor-based data leak site (BEAST LEAKS) for double extortion, threatening to publish stolen data unless the ransom is paid. Beast targets organizations in Belgium, Bolivia, Canada, China, Czechia, Denmark, Guatemala, India, South Korea, the United Kingdom, and the United States, across the manufacturing, business services, consulting, education, pharmaceutical, healthcare, aerospace, defense, transportation, financial, construction, legal, engineering, real estate, heavy equipment, machinery, government, nonprofit, medicine, IT, and insurance sectors.
Beast ransomware first appeared in March 2022 as an upgraded version of the earlier Monster ransomware. It operates as a Ransomware-as-a-Service (RaaS) platform, letting affiliates generate customized malware builds for Windows, Linux, and VMware ESXi environments. This flexibility lets affiliates tailor attacks to different infrastructures while the core framework stays consistent across Beast operations.
Initial access in Beast campaigns is typically gained through phishing emails and exposed Remote Desktop Protocol (RDP) services. In several campaigns during 2024, attackers sent emails disguised as copyright complaints or job applications. Victims were directed to external download pages hosting compressed archives, often nested in several layers to evade detection. Inside the archives, the malware was hidden behind document-style icons to appear legitimate and increase the chance of execution in enterprise environments.
Once inside a system, Beast deploys environment-specific ransomware binaries generated through an offline builder, allowing the Beast attack to proceed without an active command-and-control connection. The Beast malware creates a mutex to prevent multiple instances from running and checks the victim’s location, avoiding encryption on systems located in certain CIS countries. Beast then terminates active processes and services to ensure files can be encrypted without interference.
Beast uses multithreaded encryption to speed up the process and secures files with a combination of elliptic-curve cryptography and ChaCha20. Depending on the chosen configuration, encrypted files either receive a new extension or are placed into password-protected archives containing a ransom note. Before launching the final encryption phase, Beast affiliates steal sensitive data to support double extortion; stolen files are uploaded to Mega cloud storage through the MEGASync client using secure transfer tools.
Victims are then threatened with a public data leak on the Beast group’s dedicated leak site, BEAST LEAKS (beast6azu4f7fxjakiayhnssybibsgjnmy77a6duufqw5afjzfjhzuqd.onion), if payment is not made. To prevent recovery, Beast deletes shadow copies, disables backup features, and removes traces of its activity by clearing logs and deleting deployed tools (enable_dump_pass.reg, disable_backup.bat, mimikatz.exe, LaZagne.exe, PsExec.exe). Finally, a Beast ransom note is placed in affected directories, providing instructions for payment in exchange for a decryption key.
Restrict RDP access to trusted IP ranges only, enforce multi-factor authentication (MFA) on all remote access solutions, and disable RDP entirely where it is not operationally required. Exposed RDP endpoints represent a primary initial access vector leveraged by Beast affiliates in RaaS operations.
Enforce the registry setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 to prevent cleartext credentials from being stored in memory, directly countering the enable_dump_pass.reg-based credential harvesting technique used by Beast operators.
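To verify this setting at scale, export the key from each host (on Windows, reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest wdigest.reg) and audit the text offline. The Python script below is an added example, not code from this page or from any vendor product: it parses .reg export text, handles the deletion markers the format allows, and reports whether UseLogonCredential is explicitly enforced at 0. Both sample exports are constructed and are not the real enable_dump_pass.reg.

```python
import re

# Key and value from the mitigation above; comparison is case-insensitive like the registry itself.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
VALUE_NAME = "UseLogonCredential"


def parse_reg_export(text):
    """Parse Windows .reg text (REGEDIT4 or 'Version 5.00') into {key: {value_name: raw_data}}.

    A key written as [-HKEY...] or a value written as "Name"=- is a deletion; both are
    kept verbatim so the audit can tell 'deleted' apart from 'set'.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.+)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword_value(raw):
    """Decode 'dword:XXXXXXXX' data; any other type (or the deletion marker '-') yields None."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def audit_wdigest(reg_text):
    """Return 'enforced' (value present and 0), 'weak' (present and not 0, or wrong type),
    or 'absent' (key or value missing, or deleted by the export) for UseLogonCredential."""
    for key, values in parse_reg_export(reg_text).items():
        if key.lstrip("-").lower() != WDIGEST_KEY.lower():
            continue
        if key.startswith("-"):
            return "absent"           # whole key deleted by this export
        for name, raw in values.items():
            if name.lower() == VALUE_NAME.lower():
                if raw == "-":
                    return "absent"   # value deleted by this export
                return "enforced" if dword_value(raw) == 0 else "weak"
    return "absent"


# Constructed samples: the weak state that re-enables cleartext credential caching,
# and the hardened state the mitigation requires.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {audit_wdigest(export)}")
```

"absent" is reported separately from "enforced" on purpose: on patched systems the missing value also disables caching, but the mitigation asks for the explicit 0, which is the only state that survives a later .reg import setting it to 1 being noticed by a diff.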
Enforce the principle of least privilege across all accounts, restrict administrative access to dedicated workstations, and monitor for Kerberoasting indicators such as unusual LDAP queries for service accounts with Service Principal Names (SPNs). Rotate all service account passwords regularly to defend against Beast credential theft (Kerberos.ps1).
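The LDAP-query indicator above needs directory-side logging; a complementary signal that needs only the domain controller's Security log is a burst of Kerberos service-ticket requests (event 4769) with RC4 encryption from a single account, since Kerberoasting tooling commonly requests RC4-encrypted tickets because they are cheaper to crack. The Python detector below is an added example, not the page's or any product's code; the 4769 records are constructed JSON lines using the event's EventData field names, and the thresholds (3 distinct service accounts within 5 minutes) are assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC ticket encryption types; AES types (0x11, 0x12) are the expected norm.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed Security event 4769 records as JSON lines (not real telemetry). One account
# pulls RC4 tickets for several service accounts within seconds; the rest is ordinary traffic.
SAMPLE_4769 = """
{"TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "svc_backup@CORP.LOCAL", "ServiceName": "SQL01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"}
{"TimeCreated": "2024-05-01T09:15:00", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.33"}
{"TimeCreated": "2024-05-01T09:15:01", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.33"}
{"TimeCreated": "2024-05-01T09:15:02", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.33"}
{"TimeCreated": "2024-05-01T09:15:03", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.33"}
{"TimeCreated": "2024-05-01T09:15:04", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.33"}
{"TimeCreated": "2024-05-01T11:00:00", "TargetUserName": "legacyapp@CORP.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.2.10"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_candidate(ev):
    """RC4 service-ticket requests for user-style service accounts. Machine accounts ($)
    and krbtgt (TGT renewals) are excluded because they are routine noise."""
    svc = ev["ServiceName"].lower()
    if svc == "krbtgt" or svc.endswith("$"):
        return False
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def detect_kerberoast(events, min_distinct_services=3, window=timedelta(minutes=5)):
    """Alert once per account that obtains RC4 tickets for >= min_distinct_services distinct
    service accounts inside any span of length `window` (sliding window over sorted requests)."""
    by_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"], ev["IpAddress"])
            )
    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Advance the window start until the span [start, end] fits within `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {name for _, name, _ in reqs[start:end + 1]}
            if len(services) >= min_distinct_services:
                alerts.append({
                    "account": account,
                    "source_ip": reqs[end][2],
                    "first_seen": reqs[start][0].isoformat(),
                    "services": sorted(services),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(parse_events(SAMPLE_4769)):
        print(alert)
```

A single legacy application that still negotiates RC4 (the legacyapp record) does not fire, which is the usual false-positive source for a naive "any 0x17 ticket" rule; the distinct-service count is what separates a sweep from one old client.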
Enforce host-based firewalls to limit inbound and outbound SMB connections between endpoint systems. Deploy network detection rules to alert on anomalous internal SMB scanning activity, which is a reliable early indicator of Beast’s self-propagation behavior across Windows networks.
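The rule below, an added example in Python rather than code from the page or any vendor platform, shows the shape of that SMB-scanning alert over Sysmon Event ID 3 (network connection) records: it counts distinct internal destinations per source on the SMB ports inside fixed one-minute buckets and fires above a threshold. Field names follow Sysmon's; the events, the 20-target threshold and the bucket size are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {"445", "139"}
EPOCH = datetime(1970, 1, 1)


def build_sample_events():
    """Constructed Sysmon Event ID 3 records (not real telemetry): one host sweeping
    10.0.3.1-10.0.3.30 on 445 within half a minute, plus a workstation that talks to its
    two usual file servers over several minutes."""
    events = []
    for i in range(1, 31):
        events.append({"UtcTime": f"2024-05-01 10:00:{i:02d}", "Image": r"C:\Windows\Temp\update.exe",
                       "SourceIp": "10.0.5.33", "DestinationIp": f"10.0.3.{i}", "DestinationPort": "445"})
    for minute, server in ((1, "10.0.1.10"), (7, "10.0.1.11"), (9, "10.0.1.10")):
        events.append({"UtcTime": f"2024-05-01 10:{minute:02d}:15", "Image": r"C:\Windows\explorer.exe",
                       "SourceIp": "10.0.5.40", "DestinationIp": server, "DestinationPort": "445"})
    return events


def detect_smb_sweep(events, min_targets=20, bucket_seconds=60):
    """Alert when one source opens SMB connections to >= min_targets distinct internal
    destinations inside a single fixed-size time bucket. Fixed (tumbling) buckets are cheap
    in a streaming pipeline; a sweep that straddles a bucket boundary is split across two
    buckets, so the threshold should sit well below a realistic sweep size."""
    targets = defaultdict(set)  # (source, bucket index) -> distinct destination IPs
    for ev in events:
        if str(ev["DestinationPort"]) not in SMB_PORTS:
            continue
        dst = ipaddress.ip_address(ev["DestinationIp"])
        if not dst.is_private:  # the rule is about internal scanning only
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        bucket = int((ts - EPOCH).total_seconds()) // bucket_seconds
        targets[(ev["SourceIp"], bucket)].add(str(dst))
    alerts = []
    for (src, bucket), dsts in sorted(targets.items()):
        if len(dsts) >= min_targets:
            alerts.append({
                "source": src,
                "distinct_targets": len(dsts),
                "bucket_start": (EPOCH + timedelta(seconds=bucket * bucket_seconds)).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_sweep(build_sample_events()):
        print(alert)
```

Exempt known scanners (vulnerability management, SCCM distribution points) by source address before this rule, not after; otherwise they dominate the alert volume and the real sweep gets buried.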
Maintain offline, immutable backups of all critical systems and data, stored in a network segment not reachable from the primary environment. Monitor for WMI-based shadow copy enumeration and deletion queries (Select * FROM Win32_ShadowCopy), and alert on any VSS deletion operations of the kind Beast ransomware executes (disable_backup.bat).
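An added example (Python; not code from the page or any vendor product) of the command-line side of that monitoring: it classifies process-creation command lines (Sysmon Event ID 1 or Security event 4688) against patterns for shadow-copy enumeration and deletion, including the Win32_ShadowCopy WMI query, and distinguishes plain enumeration from the same query piped into a Delete() call. The sample events are constructed and are not the contents of disable_backup.bat; the severities are assumptions.

```python
import re

# Detection rules for recovery-inhibition commands (MITRE ATT&CK T1490). The Win32_ShadowCopy
# rule is the WMI query named in the mitigation above; the others cover the usual ways shadow
# copies, backup catalogs and boot recovery get disabled. Severity labels are assumptions.
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "high"),
    ("vssadmin_resize_storage", r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", "high"),
    ("wmic_shadowcopy_delete", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "high"),
    ("wmi_win32_shadowcopy", r"\bWin32_ShadowCopy\b", "medium"),
    ("wbadmin_delete", r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", "high"),
    ("bcdedit_disable_recovery", r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", "high"),
]
COMPILED = [(name, re.compile(pattern, re.I), sev) for name, pattern, sev in RULES]
DELETE_CALL = re.compile(r"\.delete\s*\(\s*\)", re.I)


def classify_command(cmd):
    """Return {'rules': [...], 'severity': ...} or None for a command line that matches nothing.
    Enumerating Win32_ShadowCopy alone is medium (backup and admin tooling does it); the same
    query combined with a Delete() call is treated as deletion and raised to high."""
    hits = [name for name, rx, _ in COMPILED if rx.search(cmd)]
    if not hits:
        return None
    severity = "high" if any(sev == "high" for name, _, sev in COMPILED if name in hits) else "medium"
    if "wmi_win32_shadowcopy" in hits and DELETE_CALL.search(cmd):
        hits.append("wmi_shadowcopy_delete")
        severity = "high"
    return {"rules": hits, "severity": severity}


def scan_process_events(events):
    """Run classify_command over process-creation events (dicts with 'Computer' and
    'CommandLine', as Sysmon 1 / Security 4688 provide); one finding per matching event."""
    findings = []
    for ev in events:
        result = classify_command(ev["CommandLine"])
        if result:
            findings.append({"computer": ev["Computer"], "command": ev["CommandLine"], **result})
    return findings


# Constructed sample events (not taken from disable_backup.bat or from any real host).
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS-042", "CommandLine": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-042", "CommandLine": "powershell.exe -c \"Get-WmiObject -Query 'SELECT * FROM Win32_ShadowCopy' | ForEach-Object { $_.Delete() }\""},
    {"Computer": "WS-042", "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Computer": "WS-042", "CommandLine": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"Computer": "FS-01", "CommandLine": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"Computer": "FS-01", "CommandLine": "powershell.exe -c \"Get-CimInstance -ClassName Win32_ShadowCopy\""},
    {"Computer": "FS-01", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f["severity"], f["computer"], f["rules"], f["command"])
```

Pair the high-severity findings with the parent process and user: the same vssadmin deletion launched by a backup agent's service account on a backup server is routine, while from an interactive session on a workstation it is a strong pre-encryption signal.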
Block unauthorized use of MEGASync and other cloud synchronization utilities through application control policies and firewall rules restricting outbound connections to Mega[.]nz. Establish DLP controls and monitor for anomalous data staging or large outbound transfer events preceding Beast ransomware detonation.
ATT&CK tactics observed in Beast intrusions: Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact.