The Beast Ransomware Hidden in the GUI

The Beast ransomware group evolved from the Monster ransomware strain. It emerged as a Ransomware-as-a-Service (RaaS) in February 2025 and officially launched its Tor-based data leak site (DLS) in July. As of August 2025, the group has publicly listed 16 victim organizations from the United States, Europe, Asia, and Latin America, in industries including manufacturing, construction, healthcare, business services, and education. Each victim is assigned a separate negotiation email address, indicating that the actual data leaks and ransom demands are carried out by different affiliates. No official information is available on the scale of the attacks or the exact ransom amounts demanded. The Beast group remains active.

The main propagation method is to scan for open SMB ports from a compromised system and attempt to spread to shared folders on the network. Phishing emails disguised as copyright infringement warnings or fake resumes are also used, sometimes delivering Vidar Infostealer alongside the ransomware.


Figure 1. BEAST ransomware group’s DLS


Initial Routine

1. Filtering Target Systems

The ransomware checks the country and language of the system it is running on using the GetLocaleInfo and GetSystemDefaultUILanguage functions. If the country or language returned by either WINAPI is on the exclusion list specified by the threat actor (Table 1), the ransomware performs no malicious behavior and terminates immediately.

 

WINAPI                      Excluded countries
GetLocaleInfo               Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Argentina, Cyprus, Vietnam
GetSystemDefaultUILanguage  Armenia, Azerbaijan (Latin and Cyrillic), Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia (Russia and Moldova), Tajikistan, Turkmenistan, Ukraine, Uzbekistan (Latin and Cyrillic)

Table 1. List of countries for system filtering


Most of the countries excluded from the two APIs are former Soviet Union (USSR) member states or regions under Russia’s political and economic influence. Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan were all part of the former USSR and are currently members of the Commonwealth of Independent States (CIS) or regions under Russia’s influence.

Thus, excluding these countries in the code, or implementing logic that avoids execution there, is generally intended to prevent the malware from running in these regions, because “users in Russia and CIS countries are at a higher risk of infection and detection”.


2. Decryption of the .data Section

When the program is executed, it checks for the presence of the “!!!CONFIG!!!” and “!!!PASSWORD!!!” strings in the .data section. If neither string is found, the program takes the first 0x30 bytes of the .data section and combines this value with a specific string to set up the ChaCha20 algorithm, which is then used to decrypt the rest of the .data section.


Figure 2. Component of the ChaCha20 algorithm, “expand 32-byte k”


Figure 3. The .data section being decrypted by the ChaCha20 algorithm


If the “!!!CONFIG!!!” and “!!!PASSWORD!!!” strings are already present, decryption of the .data section is skipped and the program instead checks its command-line arguments. It is therefore likely that there are versions that receive a configuration file or password as an argument.

Preparing Encryption

1. Self-Replication and Run Key Registration

Unusually for ransomware, the malware contains persistence logic: under specific conditions (a flag is set), it copies itself to the path below and registers the copy in the Run key.


Type              Path
Self-replication  %ALLUSERSPROFILE%\{GUID-like string}\gugbuhan.exe
Run key           HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Table 2. Target paths

2. Extension Configuration

Files encrypted by Beast ransomware are renamed in the format {OriginalFileName}.{GUID-like-string}.{Extension}. The GUID-like string is an 18-byte identifier that the malware derives from SHA-512 hashes, and the entire string is used as the extension or file name identifier.

Of the 18 bytes, the first 9 differ by environment because they are derived from a SHA-512 hash of the host’s system information (environment, identifiers, etc.). The last 9 bytes are a fixed value hardcoded into the binary, so the same build produces the same last 9 bytes when executed in different environments.

The extension appended last is defined in the decrypted .data section, from which the string is read at runtime.


3. Delete ShadowCopy

This behavior disrupts file recovery by deleting shadow copies, which are key to recovering from ransomware attacks. The threat actor implemented this feature with a WMI query: CoCreateInstance() is first called with the CLSIDs of IWbemLocator and IWbemContext, and the acquired COM interfaces are then used to make the calls in the following order.

The WMI query is issued through these COM objects. After connecting to the “ROOT\CIMV2” namespace, ExecQuery() enumerates every Win32_ShadowCopy instance on the system; the __PATH of each instance is then read with Get(), and the instance is deleted with DeleteInstance().

Index  Method                           Main argument
1      IWbemContext::SetValue()         __ProviderArchitecture, 64
2      IWbemLocator::ConnectServer()    ROOT\CIMV2
3      IWbemServices::ExecQuery()       SELECT * FROM Win32_ShadowCopy
4      IWbemClassObject::Get()          __PATH
5      IWbemServices::DeleteInstance()  the __PATH value obtained in step 4

Table 3. COM interfaces called to delete ShadowCopy


4. Terminate Process and Service

To maximize the success rate of encryption and the damage caused, the ransomware terminates processes and services that would interfere with file encryption, including those related to databases, backup and recovery, antivirus products, Office, file editors, and email clients.

Target Process

agntsvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, agntsvc.exeisqlplussvc.exe, apache.exe, backup.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, excel.exe, firefox.exe, firefoxconfig.exe, infopath.exe, isqlplussvc.exe, kingdee.exe, msaccess.exe, msftesql.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld-nt.exe, mysqld-opt.exe, mysqld.exe, ncsvc.exe, notepad.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onenote.exe, oracle.exe, outlook.exe, powerpnt.exe, sqbcoreservice.exe, sql.exe, sqlagent.exe, sqlbrowser.exe, sqlserver.exe, sqlservr.exe, sqlwriter.exe, steam.exe, synctime.exe, tbirdconfig.exe, thebat.exe, thunderbird.exe, tomcat.exe, tomcat6.exe, u8.exe, ufida.exe, visio.exe, winword.exe, wordpad.exe, xfssvccon.exe

Table 4. List of processes that can be terminated


Target Service

AcronisAgent, AcrSch2Svc, backup, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, CAARCUpdateSvc, CASAD2DWebSvc, ccEvtMgr, ccSetMgr, DefWatch, GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, Intuit.QuickBooks.FCS, memtas, mepocs, msexchange, PDVFSService, QBCFMonitorService, QBFCService, QBIDPService, RTVscan, SavRoam, sophos, sql, stc_raw_agent, svc$, veeam, VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc, VSNAPVSS, vss, wscsvc, wuauserv, YooBackup, YooIT, zhudongfangyu, MSSQLFDLauncher, MSSQLSERVER, SQLSERVERAGENT, SQLBrowser, SQLTELEMETRY, MsDtsServer130, SSISTELEMETRY130, SQLWriter, MSSQL$VEEAMSQL2012, SQLAgent$VEEAMSQL2012, MSSQL, SQLAgent, MSSQLServerADHelper100, MSSQLServerOLAPService, MsDtsServer100, ReportServer, SQLTELEMETRY$HL, TMBMServer, MSSQL$PROGID, MSSQL$WOLTERSKLUWER, SQLAgent$PROGID, SQLAgent$WOLTERSKLUWER, MSSQLFDLauncher$OPTIMA, MSSQL$OPTIMA, SQLAgent$OPTIMA, ReportServer$OPTIMA, msftesql$SQLEXPRESS, postgresql-x64-9.4

Table 5. List of services that are terminated
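The preparation steps above (Run key registration in Table 2, the WMI shadow copy deletion flow in Table 3, and the service stops in Table 5) are exactly what endpoint telemetry can catch before encryption begins. The following Python is an added example, not code from the report or from the malware: it runs three hunting rules over constructed host events and flags the process that shows this combination. The event shape and field names are my own rather than any product’s schema, the ProgramData path stands in for the default expansion of %ALLUSERSPROFILE%, and the service list is a subset of Table 5.

```python
import re
from collections import defaultdict

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"      # Table 2
SHADOWCOPY_QUERY = re.compile(r"select\s+\*\s+from\s+win32_shadowcopy", re.I)  # Table 3, step 3
# Subset of Table 5 (backup, security and database services); extend as needed.
PROTECTED_SERVICES = {s.lower() for s in (
    "AcronisAgent", "BackupExecJobEngine", "veeam", "VeeamTransportSvc", "VSNAPVSS",
    "vss", "wscsvc", "sophos", "MSSQLSERVER", "sql")}
SERVICE_STOP_THRESHOLD = 3   # stops of distinct protected services by one process

# Constructed telemetry (not real product output): one dict per event.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4242, "type": "registry_set", "key": RUN_KEY,
     "value": "updater", "data": r"C:\ProgramData\1a2b3c4d-5e6f-7a8b\gugbuhan.exe"},
    {"host": "ws01", "pid": 4242, "type": "wmi_query",
     "namespace": r"ROOT\CIMV2", "query": "SELECT * FROM Win32_ShadowCopy"},
    {"host": "ws01", "pid": 4242, "type": "wmi_delete",
     "path": r"\\WS01\ROOT\CIMV2:Win32_ShadowCopy.ID={00000000-0000-0000-0000-000000000001}"},
    {"host": "ws01", "pid": 4242, "type": "service_stop", "service": "vss"},
    {"host": "ws01", "pid": 4242, "type": "service_stop", "service": "veeam"},
    {"host": "ws01", "pid": 4242, "type": "service_stop", "service": "MSSQLSERVER"},
    {"host": "ws01", "pid": 4242, "type": "service_stop", "service": "wscsvc"},
    # benign noise: an admin stopping one service, a vendor agent adding itself to Run
    {"host": "ws01", "pid": 900, "type": "service_stop", "service": "Spooler"},
    {"host": "ws01", "pid": 1200, "type": "registry_set", "key": RUN_KEY,
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
]


def _add(hits, msg):
    if msg not in hits:
        hits.append(msg)


def evaluate(events):
    """Group events by (host, pid) and return {proc: [findings]} for processes
    that trigger at least one of the three rules."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)

    findings = {}
    for proc, evs in by_proc.items():
        hits = []
        for ev in evs:
            # Rule 1: Run-key value pointing at an executable under ProgramData
            if (ev["type"] == "registry_set" and ev["key"].lower() == RUN_KEY.lower()
                    and "\\programdata\\" in ev["data"].lower()
                    and ev["data"].lower().endswith(".exe")):
                _add(hits, "Run-key persistence pointing into ProgramData")
            # Rule 2: WMI enumeration and deletion of shadow copies
            if ev["type"] == "wmi_query" and SHADOWCOPY_QUERY.search(ev["query"]):
                _add(hits, "WMI enumeration of Win32_ShadowCopy")
            if ev["type"] == "wmi_delete" and "win32_shadowcopy" in ev["path"].lower():
                _add(hits, "WMI DeleteInstance on a shadow copy")
        # Rule 3: burst of stops against backup/security/database services
        stopped = {ev["service"].lower() for ev in evs
                   if ev["type"] == "service_stop"} & PROTECTED_SERVICES
        if len(stopped) >= SERVICE_STOP_THRESHOLD:
            _add(hits, "stopped %d protected services: %s" % (len(stopped), ", ".join(sorted(stopped))))
        if hits:
            findings[proc] = hits
    return findings
```

Each rule alone generates noise (backup software legitimately touches shadow copies; installers write Run keys), so the value is in the correlation per process: a single process that writes persistence, enumerates and deletes shadow copies and stops several backup services is worth an alert regardless of which ransomware family it turns out to be.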

5. GUI

The Beast ransomware can display a GUI window in debug mode, opened with the [Ctrl+Alt+666] shortcut. In this window, the operator can specify the folder to encrypt and manually run many of the features covered in the “Preparing Encryption” stage, as well as watch the progress of the encryption in real time.


Figure 4. Beast ransomware GUI window


Encryption

Files are encrypted with the ChaCha20 algorithm.


Figure 5. ChaCha20 encryption


The encrypted file ends with an 8-byte Magic value. When a file is selected for encryption, the malware compares the end of the file data with this value to determine whether the file is already encrypted. The Magic value is hardcoded in the malware’s internal logic and can change between versions.

  • Magic(Hex) : 66 6B EA 57 1A BE 16 66

Including the Magic value, the encrypted file is 0xA0 bytes larger than the original, because the values used during encryption are appended to the file as metadata. This metadata includes the original file size, the key material used for encryption, and other data required for decryption.


Figure 6. Internal structure of the encrypted file


Finally, the encrypted file is renamed to add the new extension using the MoveFile() function.


Figure 7. Changing the file extension using the MoveFile method

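The two markers described in this section and in “Extension Configuration” (the 8-byte Magic trailer and the {OriginalFileName}.{GUID-like-string}.{Extension} naming) are enough to scope an incident: which files are actually encrypted, how large they originally were, and whether one or several builds were involved. The Python below is an added example, not code from the report or from the malware. It uses the Magic value and the 0xA0 footer size given above; the assumption that the 18-byte identifier appears in the file name as 36 hexadecimal characters is mine, as the report calls it only “GUID-like”. The sample files are constructed inside the block.

```python
import re

MAGIC = bytes.fromhex("666BEA571ABE1666")   # 8-byte trailer listed above
METADATA_SIZE = 0xA0                         # footer size including the Magic value
# Assumption: the 18-byte SHA-512-derived identifier is rendered as 36 hex characters.
NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<ident>[0-9A-Fa-f]{36})\.(?P<ext>[^.]+)$")


def is_beast_encrypted(data):
    """Same trailer check the sample uses to avoid encrypting a file twice."""
    return len(data) >= METADATA_SIZE and data.endswith(MAGIC)


def original_size(data):
    """Expected size of the original file: encrypted size minus the 0xA0 footer.
    The footer also stores the original size, but its offset is not documented
    above, so the size is derived from the file length instead."""
    if not is_beast_encrypted(data):
        raise ValueError("not a Beast-encrypted file")
    return len(data) - METADATA_SIZE


def parse_encrypted_name(name):
    """Split {Original}.{identifier}.{ext}. The first 9 bytes of the identifier
    are host-specific, the last 9 are hardcoded per build."""
    m = NAME_RE.match(name)
    if not m:
        return None
    ident = bytes.fromhex(m["ident"])
    return {"original": m["orig"], "host_id": ident[:9].hex(),
            "build_id": ident[9:].hex(), "extension": m["ext"]}


def triage(files):
    """files: {name: bytes}. Group confirmed-encrypted files by build identifier
    so responders can see how many builds and hosts are involved."""
    summary = {}
    for name, data in files.items():
        parsed = parse_encrypted_name(name)
        if parsed is None or not is_beast_encrypted(data):
            continue   # renamed but not trailer-marked, or unrelated file
        entry = summary.setdefault(parsed["build_id"],
                                   {"files": 0, "hosts": set(), "original_bytes": 0})
        entry["files"] += 1
        entry["hosts"].add(parsed["host_id"])
        entry["original_bytes"] += original_size(data)
    return summary


def constructed_samples():
    """Constructed inputs (not real samples): a zero-filled footer ending in MAGIC."""
    footer = bytes(METADATA_SIZE - len(MAGIC)) + MAGIC
    host_a, host_b = "11" * 9, "22" * 9        # two hosts, same build
    build = "ab" * 9
    return {
        "report.docx.%s%s.beast" % (host_a, build): b"A" * 100 + footer,
        "db.bak.%s%s.beast" % (host_b, build): b"B" * 250 + footer,
        "notes.txt": b"plain text, untouched",
        "odd.%s%s.beast" % (host_a, build): b"short",   # name matches, no trailer
    }
```

Checking the trailer rather than the extension matters in practice: the extension string comes from the decrypted configuration and varies per build, whereas the Magic value is what the sample itself relies on, so a file that carries the extension but not the trailer was renamed or partially processed, not encrypted.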

Recently, Beast ransomware has been actively distributed to various corporate environments, targeting a wide range of systems rather than specific industries. As analyzed in this report, Beast ransomware encrypts files using a hybrid encryption scheme based on ChaCha20 together with a public key embedded in the malware; the private key required for decryption is stored only on the threat actor’s server. In addition, 0xA0 bytes of metadata, including decryption verification information, are inserted into each encrypted file, and block encryption and header overwriting are applied to large files with ZIP structures, making data recovery impossible.
Because of these characteristics, decryption is practically impossible unless the encryption algorithm or key management is broken. Companies should therefore focus on minimizing the risk of infection through system vulnerability assessments, stronger backup systems, control of external access, network separation of critical assets, and regular security checks, rather than on attempting to decrypt files after an attack has occurred.
Beast ransomware goes beyond simple file encryption, combining structural recovery-prevention techniques with data exfiltration, so establishing early detection and rapid response capabilities is crucial.


MD5

059ac4569026c1b74e541d98b6240574
11395b5231b765348d210660ea1f68e1
2623a27403f3c247bf0f404bf249ac02
2a976f4af95e9275056cd534d55e4011
3b5950325efd4aa6865a776daed6a515
URL

https[:]//iplogger[.]co/1v1i85[.]torrent