The Beast Returns: Analysis of a Beast Ransomware Server

According to open source reports, Beast is a Ransomware-as-a-Service (RaaS) that was first promoted on the underground forum RAMP in June 2024. Beast ransomware is reportedly the successor to Monster ransomware, which was also offered on RAMP in March 2022. In August 2024, an offline builder for Beast ransomware was promoted with the option to configure builds for Windows systems, network-attached storage (NAS) devices, and VMware ESXi hypervisors. Beast also specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova.

Based on an analysis of the BEAST LEAKS Tor data leak site by RansomLook, Beast ransomware operations paused in November 2025 and resumed in January 2026. The operators have been fairly active, posting several victims to their leak site between February and March 2026. In March 2026, Team Cymru detected an Open Directory on 5.78.84[.]144, hosted at AS212317. Using Team Cymru’s NetFlow-augmented Open Ports collection, a list of notable file names served on port 8000 was identified. Analysis of the file names exposed on the Beast operator’s server made it possible to trace the flow of their attacks from start to finish.

Through Team Cymru’s collection system, analysis of the files from the server allowed us to break down the different stages of an intrusion by a Beast ransomware operator. For reconnaissance and network mapping, copies of Advanced IP Scanner, Advanced Port Scanner, and Everything.exe were found. These are legitimate tools often deployed by ransomware groups to map internal networks, find open remote desktop protocol (RDP) or server message block (SMB) ports, and quickly locate sensitive files for exfiltration. Additionally, FolderSize-x64 is used by Beast operators to identify which servers hold the most data, helping the attacker prioritize which machines to encrypt first.

For credential theft, copies of Mimikatz, LaZagne, and Automim were identified, along with enable_dump_pass.reg, a registry modification that forces Windows to keep WDigest passwords in cleartext in memory, making them harvestable by Mimikatz. A script called Kerberos.ps1 was also found, likely used for Kerberoasting. A copy of AnyDesk, a well-known remote monitoring and management (RMM) tool, was also stored on the server; it is useful for persistence because antivirus and endpoint detection and response (EDR) systems do not usually block it as malicious by default.

To execute commands remotely and move between systems across the network, the server held a copy of PsExec, a well-known Windows Sysinternals tool also used by many ransomware groups to spread inside a target environment. A copy of OpenSSH for Windows was also found, which attackers can use to create secure tunnels for remote access. Before encrypting, Beast ransomware operators steal data in order to threaten the victim with a public leak via their Tor data leak site, BEAST LEAKS. To steal the data, the Beast operator used MEGASync, another tool popular with ransomware gangs and capable of uploading hundreds of gigabytes of stolen data. The Beast operator was also using WinSCP and Klink, which can be used to exfiltrate data via Secure File Transfer Protocol (SFTP) and other protocols.

Perhaps the most interesting discoveries on the Beast ransomware server were the files from the final stages of an attack. One file, disable_backup.bat, is a batch script designed to delete Volume Shadow Copies (VSS) and disable Windows backups, ensuring the victim cannot simply restore their files after the attack. Another file, CleanExit.exe, is likely a tool used by the Beast operator to wipe logs and remove their tooling once encryption is triggered, making forensic recovery harder. Two standout file names are encrypter-windows-cli-x86.exe and encrypter-linux-x64.run, as these are the actual Beast ransomware binaries. The presence of both Windows and Linux (.run) versions of Beast ransomware suggests the targeting of both workstations and Linux servers on VMware ESXi hypervisors. The analysis of the Beast ransomware server identified a wide array of tools used by the operators, providing a detailed breakdown of their tactics across the entire intrusion lifecycle. Indicators of Compromise (IOCs), including Beast ransomware SHA256 file hashes and a full list of Open Directory file names, were identified during the analysis.
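As an added example (not part of the original analysis or of Team Cymru's tooling), the following Python sketch shows how a defender might flag in Sysmon-style telemetry the two host artifacts described above: the WDigest UseLogonCredential registry change that a file like enable_dump_pass.reg performs, and the shadow-copy and backup-catalog deletion commands a script like disable_backup.bat issues. The event records, host names and process paths are constructed; the actual contents of the two files were not published on this page.

```python
import re

# Constructed sample telemetry (not from the page): simplified Sysmon-style records.
# Event 13 = registry value set, Event 1 = process creation.
WDIGEST_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SAMPLE_EVENTS = [
    {"id": 13, "host": "FS01", "target": WDIGEST_PATH,
     "details": "DWORD (0x00000001)", "image": r"C:\Windows\regedit.exe"},
    {"id": 1, "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "host": "FS01", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"id": 1, "host": "WS07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                      # benign: listing only
    {"id": 13, "host": "WS07", "target": WDIGEST_PATH,
     "details": "DWORD (0x00000000)", "image": r"C:\Windows\regedit.exe"},  # benign: disabled
]

WDIGEST_KEY_SUFFIX = r"\securityproviders\wdigest\uselogoncredential"

# Command lines that destroy shadow copies or backup catalogs, the effect the page
# attributes to disable_backup.bat.
BACKUP_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]

def detect(events):
    """Return (host, technique, evidence) tuples for events matching either
    WDigest cleartext-credential enablement or backup/shadow-copy tampering."""
    findings = []
    for ev in events:
        if ev["id"] == 13 and ev["target"].lower().endswith(WDIGEST_KEY_SUFFIX):
            # Only a value of 1 makes LSASS retain cleartext credentials; 0 is the default.
            m = re.search(r"0x([0-9a-f]+)", ev["details"], re.I)
            if m and int(m.group(1), 16) == 1:
                findings.append((ev["host"], "wdigest_cleartext_enabled", ev["target"]))
        elif ev["id"] == 1 and any(p.search(ev["cmdline"]) for p in BACKUP_TAMPER):
            findings.append((ev["host"], "backup_tamper", ev["cmdline"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Hits in the constructed sample come only from FS01; the listing-only vssadmin call and the WDigest value of 0 on WS07 are deliberately left unflagged.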

This post is licensed under CC BY 4.0 by the author.