Our code analysis engine has found that the malware sample 5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96 is a variant of Beast ransomware. This sample was recently reported as Boramae ransomware by Cyfirma (https://www.cyfirma.com/research/boramae-ransomware/).

We compared this sample with the Beast ransomware sample 4c44ac1eea4bc7f4ea542d611b5658d7ac2729d79abe750da83f1581cd832eaf discovered by Cybereason in October 2024 (https://www.cybereason.com/blog/threat-analysis-beast-ransomware).
Code analysis revealed that both samples share nearly identical code. The key difference is that the Boramae sample was statically linked with OpenSSL 1.1.0, which significantly increases its code size. While the original sample contains approximately 150 relevant functions, the Boramae variant includes up to 2,500 functions, making analysis substantially more complex. Using our technology, we identified the OpenSSL code at the function level and isolated the malware's own functions for direct comparison.
The main differences are in the string obfuscation techniques. Some strings in the variant are built as stacked strings, while others keep the original Beast format of copying the encoded string with strcpy before decoding it. The variant's XOR decryption routine is also more sophisticated: instead of using a fixed key for string decryption, it stores the key in the first 4 bytes of the encoded string, and the key is incremented by 1 after each XOR operation on an individual character, making it more complex than Beast's original version:

Beyond the more complex XOR decryption routine, some strings are decoded by subtraction instead of XOR, using the same incrementing-key layout.

In summary, the variant extends Beast's original string-hiding method with three additional obfuscation techniques: stacked strings, XOR decryption with an incrementing key stream, and subtraction-based decryption.
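To make the decryption scheme described above concrete, the following Python decoder is an added example written for this post; it is not code recovered from the Boramae or Beast samples, nor from the Cyfirma or Cybereason write-ups. The analysis above does not state the byte order of the 4-byte key, how wide the running key is, or which of its bytes is applied to each character, so the block assumes a little-endian 32-bit key whose low byte is combined with each character and which is incremented by 1 per character; the encoded sample strings are constructed here. It implements both the incrementing-key XOR routine and the subtraction-based variant, and contrasts them with a fixed-key XOR in the spirit of Beast's original routine (shown as a single-byte key, which is itself an assumption).

```python
import struct

# ASSUMPTIONS (not stated in the analysis above): the 4-byte key prefix is a
# little-endian DWORD, only its low byte is combined with each character, and
# the running key is incremented by 1 after every character.


def _key_stream(blob: bytes):
    """Yield (cipher_byte, key_byte) pairs for an encoded string blob whose
    first 4 bytes hold the initial key."""
    if len(blob) < 4:
        raise ValueError("encoded string is shorter than its 4-byte key prefix")
    (key,) = struct.unpack("<I", blob[:4])
    for c in blob[4:]:
        yield c, key & 0xFF
        key = (key + 1) & 0xFFFFFFFF  # key advances by 1 per character


def decrypt_xor(blob: bytes) -> bytes:
    """Boramae-style XOR: each character is XORed with the current key byte."""
    return bytes(c ^ k for c, k in _key_stream(blob))


def decrypt_sub(blob: bytes) -> bytes:
    """Subtractive variant: the key byte is subtracted (mod 256) instead of XORed."""
    return bytes((c - k) & 0xFF for c, k in _key_stream(blob))


def decrypt_fixed_xor(data: bytes, key: int) -> bytes:
    """Fixed single-byte XOR, for contrast: on an incrementing-key blob it only
    recovers the first character correctly."""
    return bytes(c ^ key for c in data)


def encrypt(plain: bytes, key: int, mode: str = "xor") -> bytes:
    """Build an encoded blob in the assumed layout (used only to construct
    test data here; the real samples ship the strings already encoded)."""
    if mode not in ("xor", "sub"):
        raise ValueError("mode must be 'xor' or 'sub'")
    out = bytearray(struct.pack("<I", key))
    for p in plain:
        kb = key & 0xFF
        out.append(p ^ kb if mode == "xor" else (p + kb) & 0xFF)
        key = (key + 1) & 0xFFFFFFFF
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input: the extension string ".boramae" encoded both ways.
    xor_blob = encrypt(b".boramae", 0xDEADBEEF, "xor")
    sub_blob = encrypt(b".boramae", 0xDEADBEEF, "sub")
    print("xor blob      :", xor_blob.hex())
    print("xor decoded   :", decrypt_xor(xor_blob))
    print("sub decoded   :", decrypt_sub(sub_blob))
    # A fixed-key decoder gets only the first character right, which is why a
    # Beast-era string decoder cannot be reused unchanged on this variant.
    print("fixed-key xor :", decrypt_fixed_xor(xor_blob[4:], 0xEF))
```

The two decoders share the key stream and differ only in the per-byte operation, which is the practical point: once the incrementing-key layout is recognised, covering the subtraction variant is a one-line change rather than a second reverse-engineering effort.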
The Boramae sample contains the same graphical user interface (GUI) as Beast, which can be accessed by pressing Ctrl+Alt+666, as detailed in Cybereason's analysis. The GUI's embedded strings confirm that this variant incorporates code from Beast's interface, as shown in the image below of the GUI that appears in the Boramae sample.

Other notable differences include changes to the ransom note, the file extension (.boramae), and the mutex: the "BEAST HERE?" mutex is no longer created, although the mutex-creation code itself is still present.

This discovery demonstrates how older ransomware threats continue to evolve, not only through rebranding but also by adding obfuscation intended to hinder analysis and evade detection.