BEAST ransomware group’s DLS | Image: ASEC
Researchers at the AhnLab Security Intelligence Center (ASEC) have released an in-depth analysis of the Beast ransomware group, a rapidly expanding Ransomware-as-a-Service (RaaS) operation that evolved from the Monster ransomware family. Emerging in February 2025, Beast launched its Tor-based data leak site by July and had already disclosed 16 victims across the United States, Europe, Asia, and Latin America by August.
According to AhnLab, “The Beast ransomware group is a group that evolved from the Monster ransomware strain. They emerged as a Ransomware-as-a-Service (RaaS) in February 2025, and officially launched their Tor-based data leak site in July.” The group’s leak site displays victims spanning industries such as manufacturing, construction, healthcare, business services, and education, suggesting a non-targeted, high-volume monetization strategy.
The Beast ransomware spreads primarily through phishing campaigns and SMB exploitation.
ASEC explains that the group’s distribution methods include “scanning the active SMB port within a breached system and attempting to spread to shared folders on the network.” Attackers also distribute the ransomware via “phishing emails disguised as copyright infringement warnings or fake resumes, sometimes accompanied by Vidar Infostealer.”
Once a foothold is established, the malware conducts environment checks to determine whether to execute or terminate. Specifically, it filters victims by locale and language settings to exclude systems from Russia, CIS nations, and a handful of other regions — a hallmark of financially motivated groups operating from post-Soviet territories.
“If the country is not on the list specified by the threat actor, the ransomware does not perform any malicious behaviors and terminates immediately,” the report states.
ASEC’s analysis reveals that Beast employs ChaCha20 as its primary encryption algorithm, configured through dynamic key derivation. Upon execution, the malware checks for embedded markers — “!!!CONFIG!!!” and “!!!PASSWORD!!!” — within its .data section. If these strings are absent, Beast automatically decrypts the section using a ChaCha20-based key setup initialized from a hardcoded 32-byte key string.
The report notes that the ransomware uses ChaCha20 to decrypt the .data section, which holds the encryption configuration and runtime parameters, and highlights the custom implementation of the cipher's key-setup routine built around the "expand 32-byte k" constant.
Once configured, Beast moves into its encryption phase. Each file is renamed to the format {OriginalFileName}.{GUID-like-string}.{Extension}, where the GUID-like value is derived from SHA-512 hashes of system identifiers. This design ensures that every infection instance produces unique identifiers, complicating decryption and detection efforts.
Even as a ransomware strain, Beast incorporates self-replication and persistence mechanisms more typical of long-lived trojans. When executed under certain flags, the malware copies itself to %ALLUSERSPROFILE% under a GUID-named folder and registers persistence under the Windows Run key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
It then proceeds to delete Shadow Volume Copies, using a sequence of WMI COM interface calls to ensure that all backup snapshots are removed — effectively destroying recovery points.
ASEC detailed that the malware “accesses the ROOT\CIMV2 path and uses the ExecQuery() function to enumerate and delete all ShadowCopy classes present in the system.”
To maximize the damage of its encryption, Beast terminates processes related to databases, antivirus software, backup tools, email clients, and productivity applications.
ASEC lists over 80 processes and services forcibly terminated by Beast, including sqlservr.exe, oracle.exe, veeam.exe, excel.exe, outlook.exe, and firefox.exe. The targeted services include major backup and database management systems such as Acronis, Veeam, MSSQL, and QuickBooks.
Killing these processes releases file handles that would otherwise block encryption of open databases, mailboxes and documents, disrupts critical business operations, and prevents security and backup tools from intervening mid-attack.
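As an added example (not from ASEC's report), the following Python sketch shows how the two behaviours just described could be surfaced from process telemetry: a WMI query touching ShadowCopy objects, and a single process terminating several of the listed backup, database and office processes within a short window. The event format is a constructed JSON-lines shape, not a real EDR schema, and the sample events are constructed; the process names are the ones ASEC lists.

```python
"""Detection sketch over constructed telemetry (added example, not ASEC's code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Process names ASEC reports Beast terminates before encrypting.
TARGET_PROCESSES = {"sqlservr.exe", "oracle.exe", "veeam.exe",
                    "excel.exe", "outlook.exe", "firefox.exe"}
KILL_THRESHOLD = 4                 # distinct targets killed by one process ...
KILL_WINDOW = timedelta(seconds=60)  # ... within this window triggers an alert

# Constructed sample events in a made-up JSON-lines layout (not a real EDR format).
SAMPLE_EVENTS = r"""
{"ts": "2025-08-01T10:00:01", "type": "wmi_query", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "namespace": "ROOT\\CIMV2", "query": "SELECT * FROM Win32_ShadowCopy"}
{"ts": "2025-08-01T10:00:02", "type": "process_terminate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "target": "sqlservr.exe"}
{"ts": "2025-08-01T10:00:02", "type": "process_terminate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "target": "veeam.exe"}
{"ts": "2025-08-01T10:00:03", "type": "process_terminate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "target": "outlook.exe"}
{"ts": "2025-08-01T10:00:03", "type": "process_terminate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "target": "excel.exe"}
{"ts": "2025-08-01T10:00:04", "type": "process_terminate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\resume.exe", "target": "firefox.exe"}
{"ts": "2025-08-01T10:05:00", "type": "process_terminate", "pid": 900, "image": "C:\\Windows\\System32\\Taskmgr.exe", "target": "firefox.exe"}
{"ts": "2025-08-01T10:06:00", "type": "wmi_query", "pid": 2200, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "namespace": "ROOT\\CIMV2", "query": "SELECT * FROM Win32_OperatingSystem"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_shadowcopy_queries(events):
    """Rule 1: any WMI query that names ShadowCopy objects (enumeration precedes deletion)."""
    hits = []
    for e in events:
        if e.get("type") == "wmi_query" and "shadowcopy" in e.get("query", "").lower():
            hits.append({"rule": "wmi_shadowcopy_enum", "pid": e["pid"],
                         "image": e["image"], "query": e["query"]})
    return hits


def detect_mass_kill(events, threshold=KILL_THRESHOLD, window=KILL_WINDOW):
    """Rule 2: one process kills >= threshold distinct target processes inside the window."""
    kills_by_pid = defaultdict(list)
    for e in events:
        if e.get("type") == "process_terminate" and e.get("target", "").lower() in TARGET_PROCESSES:
            kills_by_pid[e["pid"]].append((datetime.fromisoformat(e["ts"]), e["target"].lower()))
    hits = []
    for pid, kills in kills_by_pid.items():
        kills.sort()
        for i, (start, _) in enumerate(kills):
            # Sliding window anchored on each kill; count distinct targets inside it.
            distinct = {name for ts, name in kills[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                hits.append({"rule": "mass_terminate_backup_db", "pid": pid,
                             "targets": sorted(distinct)})
                break
    return hits


def run_detections(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return detect_shadowcopy_queries(events) + detect_mass_kill(events)


if __name__ == "__main__":
    for hit in run_detections():
        print(hit)
```

Rule 1 fires on the enumeration rather than on the deletion because ASEC describes Beast enumerating ShadowCopy instances with ExecQuery() before removing them; alerting at the query gives the responder a few seconds of lead time. Rule 2 deliberately keys on distinct target names per killing process so that a user closing Firefox from Task Manager does not trip it.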
Unlike many ransomware variants that operate invisibly, Beast includes an interactive Graphical User Interface (GUI) designed for debugging and manual testing. Analysts discovered that pressing the Ctrl + Alt + 666 key combination opens an internal control panel where the operator can select directories, monitor progress in real time, and trigger encryption manually.
During encryption, Beast appends a Magic value — 66 6B EA 57 1A BE 16 66 — to every encrypted file. This 8-byte signature is used to verify whether a file has already been processed. The ransomware also injects 0xA0 (160) bytes of metadata into each file, storing the original file size, ChaCha20 key material, and decryption validation data, making each file slightly larger than its original form.
As AhnLab notes, “Due to these characteristics, decryption is virtually impossible unless the encryption algorithm or key management system is rendered ineffective.”
The encryption process also incorporates block-based encryption and header overwriting techniques, specifically targeting large files like ZIP archives to ensure irreversible corruption, even if partial decryption were achieved.
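Putting the naming scheme and the 8-byte marker together, here is an added Python triage helper (not ASEC's or the malware's code) that classifies files by whether their name follows the {OriginalFileName}.{GUID-like-string}.{Extension} pattern and whether the marker 66 6B EA 57 1A BE 16 66 appears in their trailing metadata region. It assumes the GUID-like token has the usual 8-4-4-4-12 hex layout and that the marker lies within the last 0xA0 + 8 bytes of the file; both are assumptions, since the report does not spell out the exact layout. The sample files it writes are constructed.

```python
"""Post-incident triage: find files carrying Beast's marker and renamed extension.
Added example; not ASEC's or the malware's code."""
import re
import tempfile
from pathlib import Path

# 8-byte marker ASEC reports Beast appends to every encrypted file.
BEAST_MAGIC = bytes.fromhex("666bea571abe1666")
# Size of the metadata block ASEC reports Beast adds to each file.
BEAST_METADATA_LEN = 0xA0

# Assumption: the "GUID-like" token uses the common 8-4-4-4-12 hex layout.
GUID_LIKE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
RENAMED_RE = re.compile(r"^(?P<orig>.+?)\.(?P<guid>" + GUID_LIKE + r")\.(?P<ext>[^.]+)$")


def has_beast_marker(data: bytes) -> bool:
    # Assumption: the marker sits somewhere in the trailing metadata region, so we
    # search the last METADATA_LEN + 8 bytes instead of relying on a fixed offset.
    tail = data[-(BEAST_METADATA_LEN + len(BEAST_MAGIC)):]
    return BEAST_MAGIC in tail


def classify(name: str, data: bytes) -> dict:
    """Return a verdict plus the recovered original name and estimated original size."""
    m = RENAMED_RE.match(name)
    marker = has_beast_marker(data)
    # Assumption: the 0xA0 bytes of metadata are a single block, so stripping them
    # from the current size gives a rough estimate of the original size.
    est_size = len(data) - BEAST_METADATA_LEN if marker and len(data) >= BEAST_METADATA_LEN else None
    if marker and m:
        verdict = "encrypted"
    elif marker or m:
        verdict = "suspicious"  # one indicator only: manual review
    else:
        verdict = "clean"
    return {
        "name": name,
        "renamed": m is not None,
        "original_name": f"{m['orig']}.{m['ext']}" if m else None,
        "marker": marker,
        "estimated_original_size": est_size,
        "verdict": verdict,
    }


def scan_tree(root) -> list:
    """Classify every regular file under root; unreadable files are skipped."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                results.append(classify(p.name, p.read_bytes()))
            except OSError:
                continue
    return results


def build_sample_tree(root) -> Path:
    """Write constructed samples: one clean file and one mimicking the encrypted layout."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"A" * 200)
    fake_meta = b"\x00" * (BEAST_METADATA_LEN - len(BEAST_MAGIC)) + BEAST_MAGIC
    (root / "report.0f1e2d3c-4b5a-6978-8a9b-c0d1e2f30405.docx").write_bytes(b"\x7f" * 200 + fake_meta)
    return root


def demo() -> dict:
    """Run the scanner over the constructed samples and key results by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["name"]: r for r in scan_tree(build_sample_tree(tmp))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result["verdict"])
```

The two indicators are scored separately on purpose: the marker alone is enough to confirm that a file was touched by the encryptor even if it was later renamed, while the name pattern alone is enough to build a list of original file names for the restore-from-backup plan before any byte-level inspection.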