Credential Theft
- Automim
- LaZagne
- Mimikatz
Beast is a financially motivated ransomware-as-a-service (RaaS) operation and cybercriminal group associated with double-extortion attacks involving data theft and file encryption.
Profile source: Mallory opens in a new tabBEAST
Beast is a financially motivated ransomware-as-a-service (RaaS) operation and cybercriminal group associated with double-extortion attacks involving data theft and file encryption. The group is widely assessed as a successor to, or enhanced evolution of, the Monster ransomware lineage, with reporting also linking later GodDamn ransomware activity to a Monster -> Beast -> GodDamn development chain attributed to a developer or cluster tracked as Hyadina. Beast emerged in 2024, later formalized RaaS operations, and has operated a dedicated leak site to pressure victims through public exposure.
Beast targets organizations across multiple sectors and geographies, including healthcare, manufacturing, technology, government-related entities, and enterprises in Asia, Europe, and North America. Public reporting places it among active ransomware groups affecting South Korean organizations and links it to intrusions against healthcare providers and industrial firms. Victimology and ecosystem reporting indicate opportunistic targeting rather than a narrowly specialized vertical focus.
Operationally, Beast uses broadly available and dual-use tooling rather than uniquely distinctive malware tradecraft. Observed and reported tooling includes remote access software, credential-dumping utilities, network scanners, lateral movement frameworks, and exfiltration tools. Tradecraft associated with Beast includes compromised remote access services, SMB scanning, opportunistic exploitation, credential theft, persistence through remote administration tools, lateral movement with utilities such as PsExec and SSH-based tooling, and pre-encryption data exfiltration to support extortion. Exposed operator infrastructure has shown use of reconnaissance and file-discovery tools, credential access utilities including Mimikatz, LaZagne, and related password-harvesting mechanisms, and cloud-based exfiltration tooling.
A notable characteristic of Beast intrusions is aggressive impairment of recovery and defensive controls. The group has been observed terminating security, database, office, and backup-related processes, deleting volume shadow copies, disabling backup mechanisms, and likely attempting log wiping or cleanup after execution. Reporting also indicates Beast supports multi-platform payloads, with Windows and Linux encryptors observed, implying capability to target Linux servers and VMware ESXi environments in addition to Windows networks.
Beast is best understood as part of the broader fragmented ransomware ecosystem in which affiliates and operators reuse common tools, infrastructure, and playbooks shared across multiple crews. It has been advertised in underground criminal forums as a RaaS program and is frequently discussed alongside other contemporary ransomware families. Known related names and lineage references include Monster and GodDamn; Beast itself is generally the most recognized name used by defenders and researchers.
Ransomware.live
Ransomware.live
recovery24.email@onionmail.comblackpool@zohomail.euambulafixdata@zohomail.euambulafixdata@onionmail.orgbr.fixdata24@proton.mebr.fixdata24@onionmail.comhelpdata24@zohomail.euhelpdata24@onionmail.orge5aaa213818fe835f2716914238119fee746753aa4808e24aed817e929e6dcb892E5D1A8ECFC69E7967E7A9DC1C9A735CD8DCE965D12EF01F19966C7101EAF071B4CDEA310E989.248.163.120052867b2b3f2004b4f94d5d401f41697e8c736be68d609c0f8a8a47c706570aa5eDerp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.