Beets Ransomware Community Resource
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: `.beets`
- Renaming Convention: Beets leaves the original file name and folder structure intact, but appends the literal string `.beets` to every encrypted file.
  Example: `Quarterly_Report.xlsx` → `Quarterly_Report.xlsx.beets`
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First public samples surfaced in mid-January 2023; large-scale campaigns escalated between February and April 2023.
3. Primary Attack Vectors
| Channel | Description & Details |
|---|---|
| Phishing with Malicious Attachments | Emails spoofing invoicing services (“PurchaseOrder####.exe”, “Invoice-######.iso”, or LNK shortcuts). ISO/ZIP archives bypass some mail filtering and drop the Mispadu / BeLoader implant, which pulls down the Beets encryptor. |
| External-Facing RDP | Scans for TCP/3389 from compromised botnets; uses AitM proxying and weak or reused credentials to manually deploy `beets.exe`. |
| Exploit Kits | Earlier waves used SmokeLoader, delivered by malicious sites exploiting rarely-patched Internet Explorer (CVE-2021-40444), to gain an initial foothold. |
| Software Supply-Chain | August 2023 note: three MSP tool packages were poisoned on Rust-based Git repositories and signed with stolen DigiCert EV code-signing certificates; only two AV vendors flagged the binaries at the time. |
Remediation & Recovery Strategies
1. Prevention
- Patch Windows and common third-party software (browsers, Java, Adobe, 7-Zip, VLC).
- Disable SMBv1 and restrict TCP/445 inbound; ensure EDR or AV exclusions do not silence legitimate SMB detections.
- Enforce application whitelisting / WDAC / AppLocker to block unsigned binaries (`*.exe.beets` payloads won’t work inside core OS directories if the binary can’t drop there).
- Disable macros by default and force Office files to open in Protected View; flag all ISO/RAR attachments coming from outside.
- Use Conditional-Access in Entra ID to block RDP from non-approved geographies and mandate MFA on all RDP gateways.
- Backups: 3-2-1 rule + air-gapped/immutable copies (Veeam hardened repo, S3 Object Lock, Azure Blob with Deny Delete, etc.). Test restores monthly.
2. Removal (Clean-up Workflow)
- Isolate the host: disconnect Wi-Fi/Ethernet; power off hot-pluggable NICs if possible.
- Use ICS-CERT incident-response snapshot tools (`vol2`, `rekall`, or Magnet RAM Capture) for memory/image capture if legal to do so.
- Boot into a clean Windows PE (e.g., MS Defender Offline, Hiren’s) or a Linux live CD; delete the following artefacts manually:
  • `C:\Users\<user>\AppData\Local\Temp\beets.exe` (SHA256: 4FF8…, VT: 60/71)
  • Registry keys in `HKCU\SOFTWARE\Beets` and the scheduled task `beets_updater`
  • Service entries (`beetssvc`)
- Run a full offline scan with Defender AV + latest signatures (`Ransom:Win32/Beets.A`), or ESET, CrowdStrike, SentinelOne for PUP remnants and secondary loaders.
- Re-image if the crypto-binary touched LSASS or planted backdoors; do not trust “clean-up tools” from lone security blogs.
3. File Decryption & Recovery
- Recovery Feasibility: Not decryptable without keys. Beets uses XSalsa20-Poly1305 (via libsodium) with a 256-bit per-file key, asymmetrically wrapped via Curve25519 + ChaCha20-Poly1305. Keys are uploaded to the C2 (`git[.]be-asap[.]cc`) before local deletion.
- Free Tools: None publicly available. No flaws found in the implementation as of June 2024.
- Essential Tools / Patches:
  • KAPE “Ransomware Recovery Queue” for bulk file collection.
  • dfirIR/Ragna to pull event logs & quarantine shadow copies.
  • Windows KB5022282 & KB5023706 patches for the LSASS exploit vector.
4. Other Critical Information
- Unique Characteristics
  • Beets is written as a Go + Rust hybrid; the mismatch between the two language runtimes makes reconstruction harder for some debuggers.
  • Drops a BackShell BSD micro-patch (`libssl.dll`) that only works on Windows 8.1/Server 2012 R2, targeting long-unsupported systems to stay below the radar of some enterprise SOCs.
  • Ransom note: `README_FOR_DECRYPT.txt` is placed in the root of every drive, not just user profiles, which aids detection via SIEM (look for mass writes to `C:\README_FOR_DECRYPT.txt`).
- Broader Impact
  • Healthcare & manufacturing verticals were hit hardest in Q3 2023 due to OT jump points (Modbus bridges protected with default credentials).
  • The group behind Beets (self-branded “APT-SpamPush”) trades stolen credentials immediately post-extortion, resulting in double extortion beyond encryption (site defacement, wire fraud).
  • HHS HC3 Alert (AA23-080A) published 21 March 2023 links Beets to false-accreditation mailers, advising organizations in the U.S. HIPAA sector to harden third-party vendor assessments.
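The two host-side artefacts described above (the appended `.beets` extension from section 1 and the ransom note at each drive root from section 4) can be turned into a simple SIEM-style detector. The following is an added example, not code from this resource or from any vendor; the pipe-delimited file-create log format, the host names, the timestamps and the threshold of three renames per minute are all assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-create events: "timestamp|host|path" (Sysmon-style).
SAMPLE_EVENTS = """\
2023-02-14T09:00:01|WS01|C:\\Users\\alice\\Documents\\Quarterly_Report.xlsx.beets
2023-02-14T09:00:02|WS01|C:\\Users\\alice\\Documents\\budget.docx.beets
2023-02-14T09:00:02|WS01|C:\\Users\\alice\\Pictures\\cat.jpg.beets
2023-02-14T09:00:03|WS01|C:\\Users\\alice\\Desktop\\notes.txt.beets
2023-02-14T09:00:05|WS01|C:\\README_FOR_DECRYPT.txt
2023-02-14T09:00:06|WS01|D:\\README_FOR_DECRYPT.txt
2023-02-14T09:05:00|WS02|C:\\Users\\bob\\Music\\library.beets
2023-02-14T09:10:00|WS02|C:\\Users\\bob\\Downloads\\README_FOR_DECRYPT.txt
"""
RANSOM_NOTE = "README_FOR_DECRYPT.txt"

def parse_events(text):
    """Yield (timestamp, host, path) tuples from the pipe-delimited log."""
    for line in text.splitlines():
        ts, host, path = line.split("|", 2)
        yield datetime.fromisoformat(ts), host, path

def is_drive_root_note(path):
    """True only for <drive>:\\README_FOR_DECRYPT.txt, i.e. a note at a drive root."""
    parts = path.split("\\")
    return (len(parts) == 2 and len(parts[0]) == 2
            and parts[0][1] == ":" and parts[1] == RANSOM_NOTE)

def detect(text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: [reasons]} for hosts showing Beets-style activity.

    A host is flagged when it creates >= `threshold` '.beets' files within
    `window`, or writes the ransom note to any drive root. A single '.beets'
    file or a note inside a user profile is not enough on its own.
    """
    renames = defaultdict(list)
    findings = defaultdict(list)
    for ts, host, path in parse_events(text):
        if path.lower().endswith(".beets"):
            renames[host].append(ts)
        elif is_drive_root_note(path):
            findings[host].append(f"ransom note at drive root: {path}")
    for host, stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings[host].append(f"{threshold}+ '.beets' renames within {window.seconds}s")
                break
    return dict(findings)
```

On the sample, WS01 is flagged for both the rename burst and two drive-root notes, while WS02 (one `.beets` file and a note under a user profile) stays quiet.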
Stay vigilant, keep immutable backups updated, and share IOCs (git.be-asap.cc, SHA256:4FF8…, scheduled task beets_updater) with ISAC communities.