TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security AI Conundrum: Why MCP Security Can't Be Patched Away AI Conundrum: Why MCP Security Can't Be Patched Away by Jai Vijayan Mar 19, 2026 4 Min Read Cyber Risk Researchers: Meta, TikTok Steal Personal & Financial Info When Users Click Ads Researchers: Meta, TikTok Steal Personal & Financial Info When Users Click Ads by Nate Nelson Mar 18, 2026 6 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America Recent in World See All Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read Threat Intelligence Iran's Cyber-Kinetic War Doctrine Takes Shape Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi Mar 6, 2026 4 Min Read The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Threat Intelligence Cyber Risk Cybersecurity Operations Endpoint Security News Cyber OpSec Fail: Beast Gang Exposes Ransomware Server Files on a central cloud server used by the ransomware group highlight a systematic, aggressive attack on network backups as a key TTP. Robert Lemos , Contributing Writer March 20, 2026 4 Min Read Source: Zsolt Biczo via Shutterstock An open server hosted on a German cloud provider's systems has been discovered, containing the entire toolset of a member of the Beast ransomware group. The find exposes the tactics, techniques, and procedures of the threat actor, but also reveals that Beast shares many of those TTPs with other ransomware gangs. According to threat-intelligence firm Team Cymru, the ransomware toolset includes those used for reconnaissance, network mapping, credential theft, and exfiltration, as well as techniques for persistence and moving laterally through the local environment. Many of the tools, such as AnyDesk for remote management and Mega for downloads, have both legitimate and malicious uses — and those tools are commonly used by many ransomware groups, says Will Thomas, senior threat intelligence advisor for Team Cymru. "The way that a lot of ransomware groups operate is, they're reusing a lot of the tools that other ransomware groups use," he says. "For many companies, it is not as hard as it seems to actually defend against [these attacks], because as long as you have the right protections in place to block these [tools] from being able to run on your systems, they're not going to be able to hit you." Related: Interlock Ransomware Targets Cisco Enterprise Firewalls Ransomware continues to be a persistent problem, albeit one with which companies are slowly coming to grips. In 2025, only half of attacks resulted in encryption, the lowest in six years and down from a high of 70% in 2024, according to Sophos' "The State of Ransomware 2025" report . Yet, 49% of organizations affected by an attack paid the ransom, the second highest in six years, the report found. Common Ransomware Tools, Uncommon Attribution The Beast ransomware group is a fairly new one, which sprung from another strain — the so-called Monster ransomware gang. It announced itself in 2024, and began operations as a ransomware-as-a-service (RaaS) scheme in February 2025, launching a data-leak site in July. The group is known for using tools to find and delete backups, and to stop security- and backup-related processes. Beast terminates processes that have to do with "databases, backup and recovery, antivirus products, Office, file editors, and emails," threat-intelligence researchers from South Korea-based AhnLabs stated in an October analysis of the group. "Beast ransomware goes beyond simple file encryption and employs a complex attack method that combines structural recovery prevention techniques and data exfiltration," AhnLab researchers stated. "As such, establishing an early detection and rapid response system is crucial." Related: EU Sanctions Companies in China, Iran for Cyberattacks Many of the tools used by ransomware gangs are common, such as these tools found on a Beast ransomware operator's server. Source: Team Cymru For that reason, companies should not only have backups, but resilient backups. Ransomware gangs will seek out and destroy any backup, especially Windows volume shadow copies or network-attached backups. In the latest server analysis, Team Cymru's Thomas found a file, "disable_backup.bat," designed to delete backups made with the Volume Shadow Copy Service (VSS) on Microsoft Windows and to halt the service. More advanced backup methods — if online — may fare no better, he says. "Other organizations will use backup and replication software, so that [they] can back up sensitive files — things like Active Directory, copies of Active Directory and other sensitive files, servers and stuff — to a backup system," he says. "However, the backup system is still connected to the network, so when the ransomware gang gets in and encrypts everything on the network, that gets encrypted as well." Off-site logging is also critical because the Beast ransomware server also uses another file, CleanExit.exe, that is likely a tool to wipe logs after the ransomware was triggered, Team Cymru stated in its analysis. Enterprises Beware Cyber War on Backups Companies should use endpoint detection and response (EDR) systems to detect malicious activity, or better yet, MDR — the managed version of those systems. They should also use allow-listing to track approved applications. Related: DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike "If you have EDR tools on agents running on your systems, the commands and processes that are run to trigger these is very easy to spot," he says. "Most EDRs will have the ability to just ... block [a dual-use tool] by default because it's such a high-risk process, or is too high-risk of an action to do without authorization." Being able to find attackers' servers — especially when those servers have the ransomware payload files — is a key win, says Thomas. Because the groups are using many of the same tools, threat researchers are hard-pressed to attribute specific attacks to specific groups. For example, the Beast ransomware gang uses the Mega desktop app for exfiltration, but so does Akira, Conti, and a score of other groups . The ransomware binary allows researchers to know which ransomware gang is behind the attack, Thomas says. "If you just see that list of tools minus the binaries, then we don't really know which ransomware gang it is necessarily," he says. "It's only because the binaries are there, we can then attribute to which ransomware gang it is." About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. See more from Robert Lemos More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice Cybersecurity Operations Why Stryker's Outage Is a Disaster Recovery Wake-Up Call Why Stryker's Outage Is a Disaster Recovery Wake-Up Call by Jai Vijayan Mar 12, 2026 5 Min Read Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks Threat Intelligence Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats Jan 2, 2026 Cyber Risk Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult Jan 12, 2026 | 7 Min Read Endpoint Security CISOs Face a Tighter Insurance Market in 2026 Jan 5, 2026 | 7 Min Read Threat Intelligence 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child Jan 30, 2026 | 8 Min Read Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. Subscribe Webinars Building a Robust SOC in a Post-AI World Thurs, March 19, 2026 at 1pm EST Retail Security: Protecting Customer Data and Payment Systems Thurs, April 2, 2026 at 1pm EST Rethinking SSE: When Unified SASE Delivers the Flexibility Ente