A Ransomware Crew Left the Door Wide Open
In March 2026, threat intelligence firm Team Cymru discovered a fully exposed server belonging to the Beast ransomware group, hosted on German cloud infrastructure at IP address 5.78.84.144 (AS212317) [1][2]. The server was running an open directory on Port 8000, accessible to anyone who found it [2]. Inside: the group's complete operational toolkit, including reconnaissance utilities, credential theft scripts, data exfiltration software, and ransomware binaries [1].
This isn't a partial leak or a breadcrumb trail. It's the entire playbook, laid bare by elementary misconfiguration. For defenders, the exposure offers a rare, unfiltered look at how a modern ransomware-as-a-service (RaaS) operation arms its affiliates and structures its attacks.
Background: Beast and Its Lineage
Beast ransomware is believed to be the successor to the Monster ransomware operation, with activity dating back to at least June 2024 [3]. The group runs a double extortion model, stealing data before encrypting systems and threatening to publish it on their Tor-based "BEAST LEAKS" data leak site [3].
According to analysis of the BEAST LEAKS site by RansomLook, Beast operations paused in November 2025, then resumed in January 2026 [2]. The group remained active through March 2026 when Team Cymru made its discovery [1]. The timing matters: Beast was in the middle of an active campaign cycle when its infrastructure was found wide open.
Team Cymru researchers noted a key characteristic of Beast's tooling: none of it is novel. Many of the tools found on the exposed server appear in the open-source Ransomware Tool Matrix, a community knowledge base that tracks which legitimate and dual-use tools different ransomware groups favor [3]. As one researcher put it, "the way that a lot of ransomware groups operate is, they're reusing a lot of the tools that other ransomware groups use" [1]. This shared tooling ecosystem means defenders can apply detection logic broadly across multiple threat groups.
The Exposed Toolkit: Reconnaissance and Network Mapping
The server contained a methodical collection of tools organized by attack phase. For initial reconnaissance and network mapping, Beast operators relied on well-known dual-use utilities [2]:
- Advanced IP Scanner: Used to map network topology and identify live hosts.
- Advanced Port Scanner: Deployed to find open RDP and SMB ports across target environments.
These are free, widely available tools that blend into normal IT administration activity. That's exactly why ransomware crews love them. They generate minimal noise in security telemetry unless defenders are specifically watching for anomalous use patterns.
Credential Theft and Privilege Escalation
Beast's credential harvesting approach combined registry manipulation with Active Directory attacks [3]:
- enable_dump_pass.reg: A Windows Registry modification file designed to force the system to store passwords in cleartext, making them extractable from memory [3].
- Kerberos.ps1: A script for executing Kerberoasting attacks against Active Directory service accounts [3].
Kerberoasting targets service principal names (SPNs) tied to service accounts, requesting Kerberos service tickets that can be cracked offline. Any authenticated domain account can request these tickets, so the technique needs no elevated privileges and leaves only ordinary-looking Kerberos traffic on the wire. Weak service account passwords fall quickly; AES-encrypted tickets can be cracked too, only more slowly. The presence of a dedicated script for this technique signals that Beast affiliates routinely target Active Directory environments with poor service account hygiene.
Lateral Movement and Persistence
Once inside a network, Beast operators used standard remote execution and tunneling tools [1][2]:
- PsExec: Microsoft's own Sysinternals tool for executing commands on remote Windows systems [2].
- OpenSSH for Windows: Used to create encrypted tunnels for persistent remote access [2].
- AnyDesk: A legitimate remote management tool repurposed for maintaining persistent access to compromised hosts [1].
AnyDesk is a favorite across multiple ransomware families because it's a signed, trusted application that many endpoint protection platforms won't flag by default. Defenders who don't maintain allowlists for remote access tools will miss this entirely.
Backup Destruction: The Critical TTP
The most operationally significant finding was Beast's systematic approach to destroying backups before deploying ransomware. The exposed server contained a batch script called disable_backup.bat, designed to interfere with backup systems [1].
Team Cymru researchers specifically called this out: "Files on a central cloud server used by the ransomware group highlight a systematic, aggressive attack on network backups as a key TTP" [1]. This is the step that transforms a ransomware incident from a recovery exercise into a crisis. Organizations that store backups on network-accessible shares, or rely solely on Volume Shadow Copies for recovery, are giving Beast exactly what it needs to maximize pressure.
Data Exfiltration
Beast's double extortion model requires efficient data theft before encryption. The toolkit included multiple exfiltration utilities [1][2]:
- MEGASync: Used to upload stolen data to Mega cloud storage accounts [1].
- WinSCP: An SFTP client for exfiltrating data over secure file transfer [2].
- Klink: Found alongside WinSCP on the server [2].
- Everything.exe: A rapid file search engine used to locate high-value files across compromised systems [1].
- FolderSize-x64: A utility for identifying which servers hold the most data, helping operators prioritize exfiltration targets [1].
The combination of Everything.exe and FolderSize is notable. These tools let operators quickly triage a network, identify crown jewels, and focus exfiltration efforts on the most damaging data. This isn't spray-and-pray. It's targeted theft.
Ransomware Deployment
The final phase of Beast's kill chain includes ransomware binaries for multiple platforms [3]:
- Windows ransomware binaries: For encrypting Windows systems.
- Linux ransomware variants: Consistent with Beast's reported capability to target VMware ESXi hypervisors [2].
The ESXi targeting is significant. Many organizations run critical workloads on VMware infrastructure. A single compromised ESXi host can mean dozens of encrypted virtual machines.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 5.78.84.144 | Open directory server hosting Beast ransomware toolkit | [2] |
| Filename | disable_backup.bat | Batch script designed to interfere with backup systems | [1] |
| Filename | enable_dump_pass.reg | Registry mod to store passwords in cleartext | [3] |
| Filename | Kerberos.ps1 | Script for Kerberoasting attacks | [3] |
| Tool | AnyDesk | Legitimate RMM tool abused for persistence | [1] |
| Tool | MEGASync | Cloud sync tool used for data exfiltration | [1] |
MITRE ATT&CK Mapping
Based on the tools and scripts found on the exposed server:
| Technique ID | Name | Evidence |
|---|---|---|
| T1018 | Remote System Discovery | Advanced IP Scanner for network mapping [2] |
| T1046 | Network Service Discovery | Advanced Port Scanner targeting RDP/SMB [2] |
| T1003 | OS Credential Dumping | enable_dump_pass.reg forcing cleartext password storage [3] |
| T1558.003 | Kerberoasting | Kerberos.ps1 targeting AD service accounts [3] |
| T1570 | Lateral Tool Transfer | PsExec for remote command execution [2] |
| T1219 | Remote Access Software | AnyDesk for persistent access [1] |
| T1021.004 | Remote Services: SSH | OpenSSH for Windows creating tunnels [2] |
| T1490 | Inhibit System Recovery | disable_backup.bat interfering with backup systems [1] |
| T1567.002 | Exfiltration to Cloud Storage | MEGASync uploading to Mega [1] |
| T1048 | Exfiltration Over Alternative Protocol | WinSCP SFTP-based exfiltration [2] |
| T1486 | Data Encrypted for Impact | Ransomware deployment capabilities [3] |
Detection and Hunting
Network-level indicators: Monitor for outbound connections to Mega cloud storage domains (.mega.nz, .mega.co.nz). Large-volume uploads to Mega from servers that don't normally use cloud sync tools are high-confidence exfiltration indicators. Block the exposed IP 5.78.84.144 at the perimeter, though Beast will almost certainly rotate infrastructure [2].
Endpoint telemetry: Hunt for Advanced IP Scanner and Advanced Port Scanner execution on systems where these tools aren't part of approved IT workflows. Both leave distinct process creation events. Query for the installed binaries (advanced_ip_scanner.exe, advanced_port_scanner.exe) in your EDR, and also match on the OriginalFileName and Product fields in the PE metadata, since affiliates frequently rename dual-use tools before staging them.
Backup integrity: Alert on any commands that attempt to interfere with backup systems. Any legitimate use of backup deletion commands should be rare in production environments.
Kerberoasting detection: Monitor for bursts of TGS-REQ activity from a single account against many different service accounts, particularly RC4-encrypted ticket requests. Event ID 4769 in Windows Security logs with encryption type 0x17 (RC4) is a strong signal; exclude computer accounts (names ending in $) and the krbtgt service, which legitimately generate RC4 tickets, and count distinct service names per requesting account rather than raw events. In an environment where service accounts are AES-only, any remaining RC4 request is itself worth a look. The Kerberos.ps1 script will likely produce exactly this pattern: one user, many SPNs, a few seconds apart.
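The 4769-based logic above, carried through on constructed events so the exclusions and the per-account windowing are concrete. This is an added example written for this article, not code from Beast's Kerberos.ps1 or from the cited vendors; the field names mirror what event 4769 carries (TargetUserName for the requester, ServiceName for the SPN's account, TicketEncryptionType, IpAddress), the account names and timestamps are made up, and the threshold of five distinct SPNs per five-minute window is an assumption to tune against your own baseline.

```python
"""Flag Kerberoasting candidates from Windows Security event 4769 records (ATT&CK T1558.003).

Added illustrative example for this report; not code from Beast's Kerberos.ps1 or from the
cited vendors. The events below are constructed to resemble 4769 fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # TicketEncryptionType for RC4-HMAC service tickets
WINDOW = timedelta(minutes=5)   # sliding window per requesting account (assumed)
SPN_THRESHOLD = 5               # distinct service accounts per window before alerting (assumed)


def is_roast_candidate(ev: dict) -> bool:
    """A single 4769 is interesting when an RC4 ticket is requested for a non-machine,
    non-krbtgt service by a non-machine account. Machine accounts legitimately request
    many tickets, and krbtgt tickets are ordinary TGT renewals, not Kerberoasting."""
    svc = ev["ServiceName"]
    requester = ev["TargetUserName"].split("@")[0]
    return (
        ev["TicketEncryptionType"] == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
        and not requester.endswith("$")
    )


def detect(events: list[dict]) -> list[dict]:
    """Slide a WINDOW over each account's candidate requests and report the account once,
    with the largest number of distinct SPNs seen in any window above SPN_THRESHOLD."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roast_candidate(ev):
            per_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) > SPN_THRESHOLD and (best is None or len(spns) > best["distinct_spns"]):
                best = {"user": user, "source_ip": evs[end]["IpAddress"], "distinct_spns": len(spns),
                        "window_start": evs[start]["time"], "window_end": evs[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


def _ev(minute: float, user: str, svc: str, etype: int, ip: str = "10.0.5.23") -> dict:
    """Build one constructed 4769 record; timestamps are offsets from a made-up base time."""
    return {"time": datetime(2026, 3, 15, 9, 0) + timedelta(minutes=minute),
            "TargetUserName": user, "ServiceName": svc, "TicketEncryptionType": etype, "IpAddress": ip}


SPN_ACCOUNTS = ["svc_sql01", "svc_sql02", "svc_web01", "svc_ftp01",
                "svc_report01", "svc_backup01", "svc_mon01", "svc_cicd01"]

# Constructed sample: jdoe requests RC4 tickets for eight SPNs in under two minutes (the roast),
# plus noise that must NOT alert: an AES ticket, a machine-account requester, a krbtgt request,
# and a second user touching only three services.
SAMPLE_EVENTS = (
    [_ev(i / 4, "jdoe@CORP.LOCAL", spn, RC4_HMAC) for i, spn in enumerate(SPN_ACCOUNTS)]
    + [_ev(1, "jdoe@CORP.LOCAL", "svc_sql01", 0x12),
       _ev(1, "WS042$@CORP.LOCAL", "svc_sql01", RC4_HMAC, ip="10.0.5.42"),
       _ev(2, "asmith@CORP.LOCAL", "krbtgt", RC4_HMAC, ip="10.0.7.9")]
    + [_ev(i, "asmith@CORP.LOCAL", spn, RC4_HMAC, ip="10.0.7.9") for i, spn in enumerate(SPN_ACCOUNTS[:3])]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only jdoe is reported (eight distinct SPNs from one workstation); the machine account, the krbtgt request and the low-volume user are dropped by the candidate filter and the threshold respectively. Lower SPN_THRESHOLD in small domains where a roast of three or four accounts would already be the whole attack surface.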
RMM tool abuse: Audit for unauthorized AnyDesk installations. Check for AnyDesk.exe running on systems where it's not deployed by IT. Cross-reference with your approved remote access tool inventory.
Registry manipulation: Alert on modifications to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest with UseLogonCredential set to 1, which is what enable_dump_pass.reg likely targets [3].
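When a .reg file like enable_dump_pass.reg turns up in a staging directory or on an endpoint, it is worth parsing it rather than eyeballing it, because the same file can quietly flip several credential-protection values at once. The following Python .reg parser and triage check is an added example written for this article, not the actual file from the Beast server (the cited reporting does not publish its contents) and not vendor code. The sample .reg text is constructed to show what a WDigest-enabling file looks like, which is what this report assesses the real file most likely targets; the RunAsPPL check is an added second example of the same class of change, and the hardened variant alongside it shows the value a defender should expect to see.

```python
"""Parse a Windows .reg export and flag values that weaken credential protection.

Added illustrative example for this report; the .reg content below is constructed to show the
format and is NOT the actual enable_dump_pass.reg from the Beast server.
"""
import re

# (key path, value name, dangerous data, hardened data). WDigest UseLogonCredential=1 makes LSASS
# keep cleartext logon passwords; Lsa RunAsPPL=0 turns off LSA protection against LSASS dumping.
WEAKENING_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential", 1, 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL", 0, 1),
]

_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(data: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data == "-":
        return None                      # "Name"=- deletes the value
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data                          # hex(...) and other types are kept raw


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}}; a deleted key ([-HKEY...]) maps to None.
    Real .reg exports are UTF-16LE with a BOM: read them with open(path, encoding="utf-16")."""
    joined, buf = [], ""
    for raw in text.splitlines():        # join backslash-continued hex(...) lines first
        buf = buf + raw.strip() if buf else raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        joined.append(buf)
        buf = ""

    reg, current = {}, None
    for line in joined:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            delete, key = m.group(1) == "-", m.group(2)
            current = None if delete else key
            reg[key] = None if delete else (reg.get(key) or {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            reg[current][name] = _decode(m.group(2))
    return reg


def find_weakening(reg: dict) -> list[dict]:
    """List every known credential-weakening value the parsed .reg would set (case-insensitive key match)."""
    lookup = {k.lower(): v for k, v in reg.items()}
    findings = []
    for key, name, bad, good in WEAKENING_VALUES:
        values = lookup.get(key.lower())
        if values and values.get(name) == bad:
            findings.append({"key": key, "value": name, "found": bad, "expected": good})
    return findings


# Constructed sample of an attacker-style .reg (not the real Beast file).
SAMPLE_REG = """Windows Registry Editor Version 5.00

; constructed example
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RunAsPPL"=dword:00000000
"""

# The hardened state a defender should enforce for the WDigest value.
HARDENED_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest]
"UseLogonCredential"=dword:00000000
"""

if __name__ == "__main__":
    for f in find_weakening(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}\\{f['value']} = {f['found']} (expected {f['expected']})")
```

The same parser can be pointed at a directory of recovered .reg files during incident triage, and the WEAKENING_VALUES table is the place to add further values your environment cares about.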
Analysis
Beast's toolkit exposure confirms what experienced incident responders already know: most ransomware groups aren't writing custom zero-days. They're combining off-the-shelf tools in a reliable, repeatable workflow. Every tool found on this server is either freely available or a legitimate IT utility [3]. The sophistication lies in the process, not the technology.
The group's capability to target both Windows and Linux systems, including VMware ESXi, indicates Beast affiliates are equipped to attack enterprise virtualization infrastructure [2]. This broadens the blast radius of a single compromise considerably.
Beast's operational pause from November 2025 to January 2026 [2], followed by resumed activity with a fully provisioned attack server, suggests a regrouping period. RaaS operations frequently pause to retool, recruit new affiliates, or rebrand. The fact that Beast returned with a centralized, well-organized toolkit points to a maturing operation, which makes the OPSEC failure all the more ironic.
Red Sheep Assessment
Confidence: Moderate
The centralized nature of this toolkit server is the most telling detail. Beast stored reconnaissance tools, credential harvesters, exfiltration utilities, and ransomware binaries on a single server accessible via an open directory on Port 8000 [2]. This looks less like a sophisticated, compartmentalized operation and more like a "starter kit" server for affiliates. Beast is likely distributing access to this server (or clones of it) as part of its RaaS onboarding process.
This has a practical implication: Beast's affiliate base probably skews toward less technically sophisticated operators who need a turnkey attack package. The presence of tools like Everything.exe and FolderSize (which are essentially training wheels for data triage) reinforces this interpretation [1]. Experienced operators wouldn't need these pre-staged.
The OPSEC failure itself may not be an isolated incident. An organization that centralizes its entire toolkit on a single cloud server with an open directory is probably cutting similar corners elsewhere. Law enforcement and threat intelligence teams should treat this as an invitation to pull on every thread: netflow data around 5.78.84.144, associated infrastructure in AS212317, and any Mega accounts linked to exfiltration traffic from known Beast incidents.
The alternative reading: this server was intentionally exposed as a decoy or honeypot, designed to feed defenders false indicators while the real operation runs on separate infrastructure. We assess this as unlikely given the operational specificity of the tools and the consistency with known Beast TTPs, but it can't be fully ruled out.
Defender's Checklist
- [ ] Block IP 5.78.84.144 and monitor for connections to AS212317 infrastructure in firewall and proxy logs
- [ ] Hunt for unauthorized instances of Advanced IP Scanner, Advanced Port Scanner, AnyDesk, and MEGASync across all endpoints
- [ ] Audit all service accounts for weak passwords, move them to gMSAs or long random passwords, and set them to AES-only where possible. Disabling RC4 slows cracking and makes any remaining RC4 request a high-fidelity alert; it does not by itself neutralize Kerberoasting
- [ ] Verify backup integrity and isolation: confirm backups are stored offline or in immutable storage
- [ ] Monitor for WDigest\UseLogonCredential registry modifications using Sysmon Event ID 13 or equivalent EDR registry telemetry
References
- Cyber OpSec Fail: Beast Gang Exposes Ransomware Server - Dark Reading
- Beast Ransomware Toolkit: A Proactive Threat Intelligence Report - Team Cymru
- Beast Ransomware's Malicious Capabilities Exposed: Inside the Leaked Directory - News4Hackers
---
Hunt Guide: Beast Ransomware Infrastructure and Attack Toolkit
Hypothesis: If Beast ransomware affiliates are active in our environment, we expect to observe reconnaissance tool execution (Advanced IP/Port Scanner), Kerberoasting attempts, backup deletion commands, and data exfiltration to MEGA cloud storage in Windows Security, Sysmon, and network proxy logs.
Intelligence Summary: Beast ransomware group's operational server at 5.78.84.144 was discovered with an exposed toolkit including reconnaissance utilities, credential theft scripts, and ransomware binaries. The group uses standard dual-use tools in a systematic approach targeting both Windows and VMware ESXi systems, with a focus on backup destruction before encryption.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows domains, with focus on systems with access to backup infrastructure and VMware management networks
- Timeframe: Past 30 days for initial sweep, continuous monitoring going forward
- Priority Systems: Domain controllers, backup servers, VMware vCenter/ESXi hosts, file servers, executive workstations
MITRE ATT&CK Techniques
T1018 — Remote System Discovery (Discovery) [P2]
Beast uses Advanced IP Scanner to map network topology and identify live hosts for targeting
Splunk SPL:
index=* (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (EventCode=1 OR EventCode=4688) | eval Image=coalesce(Image, New_Process_Name), CommandLine=coalesce(CommandLine, Process_Command_Line) | search Image="*advanced*ip*scanner*.exe" OR CommandLine="*advanced*ip*scanner*" OR OriginalFileName="Advanced IP Scanner" | stats count, min(_time) as first_seen, max(_time) as last_seen by Computer, User, Image, CommandLine
Elastic KQL:
(event.code:("1" OR "4688") AND (process.executable:*advanced*ip*scanner*.exe OR process.command_line:*advanced*ip*scanner* OR process.pe.original_file_name:"Advanced IP Scanner"))
Sigma Rule:
title: Beast Ransomware Network Discovery via Advanced IP Scanner
id: 8b4e7f3a-9c2d-4e1a-8f5b-3d2e1a0b9c8d
status: experimental
description: Detects execution of Advanced IP Scanner used by Beast ransomware for network reconnaissance
references:
- https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis
author: Threat Hunt Team
date: 2024/03/15
modified: 2024/03/15
tags:
- attack.discovery
- attack.t1018
- ransomware.beast
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- 'advanced_ip_scanner'
- 'advancedipscanner'
- OriginalFileName: 'Advanced IP Scanner'
- Product: 'Advanced IP Scanner'
condition: selection
falsepositives:
- Legitimate IT administration
level: medium
Monitor for execution outside of approved IT scanning windows. Correlate with subsequent port scanning activity.
T1046 — Network Service Discovery (Discovery) [P2]
Beast uses Advanced Port Scanner to identify open RDP and SMB ports across target networks
Splunk SPL:
index=* (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (EventCode=1 OR EventCode=4688) | eval Image=coalesce(Image, New_Process_Name), CommandLine=coalesce(CommandLine, Process_Command_Line) | search Image="*advanced*port*scan*.exe" OR CommandLine="*advanced*port*scan*" OR OriginalFileName="Advanced Port Scanner" | stats count, min(_time) as first_seen, max(_time) as last_seen by Computer, User, Image, CommandLine
Elastic KQL:
(event.code:("1" OR "4688") AND (process.executable:*advanced*port*scan*.exe OR process.command_line:*advanced*port*scan* OR process.pe.original_file_name:"Advanced Port Scanner"))
Sigma Rule:
title: Beast Ransomware Port Scanning Activity
id: 7c5e9f2b-8a3d-4b2c-9e1f-2a3b4c5d6e7f
status: experimental
description: Detects execution of Advanced Port Scanner used by Beast ransomware
references:
- https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis
author: Threat Hunt Team
date: 2024/03/15
modified: 2024/03/15
tags:
- attack.discovery
- attack.t1046
- ransomware.beast
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- 'advanced_port_scanner'
- 'advancedportscan'
- OriginalFileName: 'Advanced Port Scanner'
condition: selection
falsepositives:
- Legitimate network vulnerability scanning
level: medium
Alert on port scanning from non-IT workstations. Check for subsequent RDP/SMB connection attempts.
T1003 — OS Credential Dumping (Credential Access) [P1]
Beast deploys enable_dump_pass.reg to force Windows to store passwords in cleartext memory for extraction
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13 TargetObject="*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" Details="DWORD (0x00000001)" | eval severity="critical" | table _time, Computer, User, Image, TargetObject, Details, severity
Elastic KQL:
(event.code:"13" AND registry.path:*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential AND registry.data.strings:"1")
Sigma Rule:
title: Beast Ransomware WDigest Credential Dumping Preparation
id: 4a5b2c7e-9f8d-3a1b-7c2e-8f9a3b5c7d8e
status: stable
description: Detects registry modification to enable WDigest cleartext password storage
references:
- https://www.news4hackers.com/beast-ransomwares-malicious-capabilities-exposed-inside-the-leaked-directory/
author: Threat Hunt Team
date: 2024/03/15
modified: 2024/03/15
tags:
- attack.credential_access
- attack.t1003
- ransomware.beast
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: critical
This is a critical detection - immediate isolation recommended. Check for subsequent LSASS access attempts.
T1558.003 — Kerberoasting (Credential Access) [P1]
Beast uses Kerberos.ps1 script to request service tickets for offline cracking of service account passwords
Splunk SPL:
index=* sourcetype=WinEventLog:Security EventCode=4769 Ticket_Encryption_Type=0x17 Service_Name!="*$" Service_Name!="krbtgt" Account_Name!="*$*" | bucket span=5m _time | stats dc(Service_Name) as spn_count, values(Service_Name) as spns, values(Client_Address) as src by _time, Account_Name | where spn_count > 5 | eval risk_score=case(spn_count>20, "critical", spn_count>10, "high", spn_count>5, "medium")
Elastic KQL:
(event.code:"4769" AND winlog.event_data.TicketEncryptionType:"0x17" AND NOT winlog.event_data.ServiceName:*$)
Sigma Rule:
title: Beast Ransomware Kerberoasting Attack Pattern
id: 5d8f3b9a-2c4e-6a7d-8b5f-9c3a4e6b7d8f
status: experimental
description: Detects potential Kerberoasting activity with RC4 encryption
references:
- https://www.news4hackers.com/beast-ransomwares-malicious-capabilities-exposed-inside-the-leaked-directory/
author: Threat Hunt Team
date: 2024/03/15
modified: 2024/03/15
tags:
- attack.credential_access
- attack.t1558.003
- ransomware.beast
logsource:
product: windows
service: security
detection:
selection:
EventID: 4769
TicketEncryptionType: '0x17'
filter:
- ServiceName|endswith: '$'
- ServiceName: 'krbtgt'
timeframe: 5m
condition: selection and not filter | count(ServiceName) by TargetUserName > 5
falsepositives:
- Legitimate service ticket requests with RC4
level: high
Move service accounts to AES-only where possible, so that any remaining RC4 request is itself an alert, and pair that with long random passwords or gMSAs. Monitor for PowerShell invoking Kerberos ticket requests (for example, the System.IdentityModel KerberosRequestorSecurityToken class used by common Kerberoasting scripts).
T1570 — Lateral Tool Transfer (Lateral Movement) [P1]
Beast uses PsExec for remote command execution and lateral movement across compromised networks
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=17 OR EventCode=18) (Image="*\\psexec*.exe" OR Image="*\\psexesvc.exe" OR PipeName="\\psexesvc*") | eval lateral_movement="true" | table _time, Computer, User, EventCode, Image, CommandLine, PipeName
Elastic KQL:
(event.code:("1" OR "17" OR "18") AND (process.executable:(*\\psexec*.exe OR *\\psexesvc.exe) OR file.name:\\psexesvc*))
PsExec creates named pipes starting with \psexesvc and installs a PSEXESVC service on the target. Monitor for service creation events (System Event ID 7045 with service name PSEXESVC) following PsExec execution; renamed PsExec clones keep the service behaviour even when the pipe name is customised.
T1219 — Remote Access Software (Command and Control) [P2]
Beast maintains persistence through AnyDesk remote management software
Splunk SPL:
index=* (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (EventCode=1 OR EventCode=4688) (Image="*\\AnyDesk.exe" OR CommandLine="*anydesk*" OR Product="AnyDesk") NOT User IN ("approved_IT_user1", "approved_IT_user2") | join type=outer Computer [search index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3 Image="*\\AnyDesk.exe" | stats values(DestinationIp) as anydesk_dest by Computer] | table _time, Computer, User, Image, CommandLine, anydesk_dest
Elastic KQL:
(event.code:("1" OR "4688") AND (process.executable:*\\AnyDesk.exe OR process.command_line:*anydesk* OR process.pe.product:"AnyDesk") AND NOT user.name:("approved_IT_user1" OR "approved_IT_user2"))
Maintain allowlist of approved RMM tools and users. Check for AnyDesk installations outside of software deployment systems.
T1490 — Inhibit System Recovery (Impact) [P1]
Beast executes disable_backup.bat to destroy backups before ransomware deployment
Splunk SPL:
index=* (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (EventCode=1 OR EventCode=4688) | eval CommandLine=coalesce(CommandLine, Process_Command_Line) | search CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wbadmin*delete*catalog*" OR CommandLine="*wbadmin*delete*backup*" OR CommandLine="*bcdedit*recoveryenabled*no*" OR CommandLine="*bcdedit*bootstatuspolicy*ignoreallfailures*" OR CommandLine="*wmic*shadowcopy*delete*" OR CommandLine="*disable_backup.bat*" | eval critical_impact="true" | table _time, Computer, User, CommandLine, critical_impact
Elastic KQL:
(event.code:("1" OR "4688") AND process.command_line:(*vssadmin*delete*shadows* OR *wbadmin*delete*catalog* OR *wbadmin*delete*backup* OR *bcdedit*recoveryenabled*no* OR *bcdedit*bootstatuspolicy*ignoreallfailures* OR *wmic*shadowcopy*delete* OR *disable_backup.bat*))
Sigma Rule:
title: Beast Ransomware Backup Destruction
id: 8f7a3c9b-5d2e-4a8c-9b7f-3e5d8a9c7b6e
status: stable
description: Detects backup deletion commands associated with Beast ransomware
references:
- https://www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server
author: Threat Hunt Team
date: 2024/03/15
modified: 2024/03/15
tags:
- attack.impact
- attack.t1490
- ransomware.beast
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
selection_bcdedit:
CommandLine|contains|all:
- 'bcdedit'
- 'recoveryenabled'
- 'no'
selection_wmic:
CommandLine|contains|all:
- 'wmic'
- 'shadowcopy'
- 'delete'
selection_script:
CommandLine|contains: 'disable_backup.bat'
condition: 1 of selection_*
falsepositives:
- Legitimate backup management (rare)
level: critical
Critical pre-ransomware indicator. Immediate isolation required. Verify backup integrity on isolated systems.
T1567.002 — Exfiltration to Cloud Storage (Exfiltration) [P1]
Beast uses MEGASync to exfiltrate stolen data to MEGA cloud storage before encryption
Splunk SPL:
index=* (sourcetype=proxy OR sourcetype=dns) ("mega.nz" OR "mega.co.nz" OR "megatools" OR "megasync") | bucket span=1h _time | stats sum(bytes_out) as total_bytes, count by _time, src_ip, dest | where total_bytes > 1073741824 | eval exfil_gb=round(total_bytes/1073741824,2)
Elastic KQL:
(dns.question.name:(*.mega.nz OR *.mega.co.nz) OR url.domain:(mega.nz OR mega.co.nz) OR process.executable:*MEGAsync*)
Large uploads to MEGA from servers are high-confidence exfiltration. Block MEGA domains at proxy/firewall.
T1486 — Data Encrypted for Impact (Impact) [P1]
Beast deploys ransomware binaries targeting both Windows systems and VMware ESXi hypervisors
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 (TargetFilename="*.beast" OR TargetFilename="*.BEAST" OR TargetFilename="*_BEAST_README.txt" OR TargetFilename="*HOW_TO_DECRYPT*") | eval ransomware_detected="true" | table _time, Computer, TargetFilename, ransomware_detected
Elastic KQL:
(event.code:"11" AND file.name:(*.beast OR *.BEAST OR *_BEAST_README.txt OR *HOW_TO_DECRYPT*))
Monitor for mass file renaming events and creation of ransom notes. The .beast extension and the ransom-note filenames used in the queries above are placeholders that the cited reports do not confirm; validate them against a real sample before tuning. Check VMware logs for unusual shutdown/encryption patterns, and alert on SSH logins to ESXi hosts from anything other than the management jump hosts.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 5.78.84.144 | Beast ransomware group's exposed server hosting complete attack toolkit on port 8000 |
| filename | disable_backup.bat | Batch script used by Beast to interfere with backup systems before ransomware deployment |
| filename | enable_dump_pass.reg | Registry modification file to force Windows to store passwords in cleartext for extraction |
| filename | Kerberos.ps1 | PowerShell script for executing Kerberoasting attacks against Active Directory service accounts |
| filename | AnyDesk.exe | Legitimate RMM tool abused by Beast for maintaining persistent access to compromised hosts |
| filename | MEGASync.exe | Cloud sync tool used by Beast for data exfiltration to MEGA cloud storage |
IOC Sweep Queries (Splunk):
index=* (src_ip="5.78.84.144" OR dest_ip="5.78.84.144" OR "5.78.84.144") | stats count, min(_time) as first_seen, max(_time) as last_seen by sourcetype, src_ip, dest_ip, dest_port | convert ctime(first_seen), ctime(last_seen)
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=11) (Image="*\\disable_backup.bat" OR TargetFilename="*\\disable_backup.bat" OR CommandLine="*disable_backup.bat*") | table _time, Computer, User, EventCode, Image, TargetFilename, CommandLine
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=11) (Image="*\\enable_dump_pass.reg" OR TargetFilename="*\\enable_dump_pass.reg" OR CommandLine="*enable_dump_pass.reg*" OR CommandLine="*reg*import*enable_dump_pass*") | table _time, Computer, User, EventCode, Image, TargetFilename, CommandLine
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-PowerShell/Operational OR sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational) (EventCode=4104 OR EventCode=4103) (Path="*\\Kerberos.ps1" OR ScriptBlockText="*Kerberos.ps1*" OR ScriptBlockText="*KerberosRequestorSecurityToken*" OR ScriptBlockText="*System.IdentityModel*" OR ScriptBlockText="*Invoke-Kerberoast*") | table _time, Computer, User, Path, ScriptBlockText
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image="*\\AnyDesk.exe" NOT User IN ("approved_IT_user1", "approved_IT_user2") | stats count, min(_time) as first_seen by Computer, User, ParentImage, CommandLine
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=3) (Image="*\\MEGASync.exe" OR Image="*\\MEGAsync.exe" OR DestinationHostname="*.mega.nz" OR DestinationHostname="*.mega.co.nz") | table _time, Computer, User, Image, DestinationHostname, DestinationPort
YARA Rules
Beast_Ransomware_Artifacts — Detects Beast ransomware toolkit components and artifacts
rule Beast_Ransomware_Toolkit {
meta:
description = "Detects Beast ransomware toolkit components"
author = "Threat Hunt Team"
date = "2024-03-15"
reference = "https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis"
tlp = "WHITE"
adversary = "Beast Ransomware"
strings:
$script1 = "disable_backup.bat" ascii wide nocase
$script2 = "enable_dump_pass.reg" ascii wide nocase
$script3 = "Kerberos.ps1" ascii wide nocase
$tool1 = "advancedipscanner" ascii wide nocase
$tool2 = "advancedportscanner" ascii wide nocase
$tool3 = "MEGASync" ascii wide
$ransom1 = "BEAST" ascii wide
$ransom2 = "_BEAST_README" ascii wide
$ransom3 = "HOW_TO_DECRYPT" ascii wide
$ransom4 = "BEAST LEAKS" ascii wide
condition:
// The $script* and $tool* strings are filenames from the reporting, not byte patterns from
// binary analysis: they flag files that reference the toolkit (loaders, scripts, this report),
// not the payloads themselves. A bare "BEAST" never fires on its own.
filesize < 10MB and (
any of ($script*) or
2 of ($tool*) or
2 of ($ransom*)
)
}
Suricata Rules
SID 3000001 — Detects any connection to the exposed Beast server (the open directory may be fetched over any port, so this is not limited to 8000)
alert ip $HOME_NET any -> 5.78.84.144 any (msg:"HUNT Beast Ransomware Infrastructure Contact"; reference:url,www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis; classtype:trojan-activity; sid:3000001; rev:2;)
SID 3000002 — Detects DNS resolution of the MEGA cloud storage domain used by Beast for exfiltration (rate-limited per source so legitimate MEGA users do not flood the console; pair with the proxy byte-volume query)
alert dns $HOME_NET any -> any 53 (msg:"HUNT Beast Ransomware MEGA Exfiltration DNS Query"; dns_query; content:"mega.nz"; nocase; endswith; threshold:type limit, track by_src, count 1, seconds 3600; reference:url,www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server; classtype:data-exfiltration; sid:3000002; rev:2;)
SID 3000003 — Detects the MEGA alternate domain
alert dns $HOME_NET any -> any 53 (msg:"HUNT Beast Ransomware MEGA Exfiltration Alternate Domain"; dns_query; content:"mega.co.nz"; nocase; endswith; threshold:type limit, track by_src, count 1, seconds 3600; reference:url,www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server; classtype:data-exfiltration; sid:3000003; rev:2;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1018, T1046, T1003, T1570, T1219, T1490, T1486 | EventID 1 (Process Creation), EventID 3 (Network Connection), EventID 11 (File Create), EventID 13 (Registry) |
| Windows Security | T1018, T1046, T1003, T1558.003, T1570, T1219, T1490 | EventID 4688 (Process Creation), EventID 4769 (Kerberos Service Ticket), EventID 4657 (Registry Auditing) |
| PowerShell Script Block Logging | T1558.003 | EventID 4104 required to detect Kerberos.ps1 execution |
| Proxy Logs | T1567.002 | Required to detect MEGA cloud storage exfiltration |
| DNS Logs | T1567.002 | Monitor queries to .mega.nz and .mega.co.nz domains |
| VMware ESXi Logs | T1486 | Required to detect ransomware targeting virtualization infrastructure |