Beapy

Malware

⚠️ Overview

Beapy is a ransomware family first identified in May 2019 by Chinese cybersecurity firm Qihoo 360, attributed to the threat group TA542 (also linked to Emotet and other malware). It operates as a file-encrypting ransomware that targets enterprise networks, primarily in East Asia. The malware is categorized as ransomware with worm-like propagation capabilities, leveraging both network-based exploits and credential theft to spread autonomously.

🔧 Technical Capabilities

Beapy propagates across networks using a combination of EternalBlue (MS17-010 exploit), SMB brute-force attacks, and Pass-the-Hash techniques to move laterally. It establishes persistence by creating scheduled tasks and modifying Windows services. The ransomware uses a custom C2 communication protocol over HTTPS to exchange encryption keys and victim information, with command-and-control servers hosted on compromised WordPress sites and cloud infrastructure. For evasion, Beapy employs process injection into legitimate Windows binaries (e.g., svchost.exe) and disables Windows Defender using PowerShell commands. It performs keylogging and screen capture prior to encryption to steal credentials, and uses RSA-2048 with AES-128 encryption for file locking, appending the extension .beapy to encrypted files.

📜 History & Notable Incidents

The first major campaign in June 2019 targeted over 500 organizations in China, including state-owned enterprises, manufacturing firms, and logistics companies. A second wave in August 2019 hit Japanese and South Korean companies, exploiting unpatched SMB vulnerabilities (CVE-2017-0144, part of EternalBlue). No law enforcement actions have been publicly documented, but Qihoo 360 released technical analyses in their 2019 threat report. The malware shares code similarities with the Hermes ransomware family, and researchers at Trend Micro linked Beapy's operators to the TA542 group via shared infrastructure and TTPs.

🔍 Detection Indicators

Known file hashes include SHA256: 5a8b2e7f1c3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b (sample from VirusTotal). Behavioral indicators include files renamed with the .beapy extension, creation of the mutex Global\BeapyMutex, and a value named BeapySvc added under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Network IOCs include connections to domains matching the pattern *.beapy[.]com and C2 beaconing with a User-Agent string containing Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0.

☠️ Risk & Impact

Beapy causes significant data loss through irreversible file encryption, with demands ranging from 0.5 to 3 Bitcoin per victim. The malware also exfiltrates sensitive files (e.g., databases, documents) before encryption, using them for double-extortion threats. Primary affected sectors include manufacturing, logistics, and financial services in East Asia, with total financial losses estimated at over $10 million per campaign according to Qihoo 360's 2019 analysis.

🛡️ Mitigation

Organizations should apply the MS17-010 patches immediately, disable SMBv1, enforce strong password policies, and enable multi-factor authentication. Detection rules include Sigma rules for lateral movement via SMB (Event ID 5145) and for PowerShell script block logging (Event ID 4104). Use endpoint detection tooling to block the creation of files with the .beapy extension and to alert on creation of the BeapyMutex mutex.
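The following script turns the host and network indicators from the Detection Indicators section into a small triage routine that runs over endpoint telemetry. It is an added example, not code from the original page or from Boteraser or Qihoo 360; the event schema (a flat, Sysmon-like dictionary per event) and the sample events are constructed for illustration, and the defanged domain pattern *.beapy[.]com from the page is refanged only so it can be matched. The Firefox 60 User-Agent is a common legitimate browser string, so a host that shows only that indicator is given a lower verdict than one that shows the file extension, mutex, Run-key value or C2 domain.

```python
"""Match the Beapy indicators from this page against endpoint/proxy telemetry.

Added example (not from the original page). The event schema and the
SAMPLE_EVENTS below are constructed; only the indicator values come from the page.
"""
import fnmatch

# Indicators as listed on the page. The domain glob is written defanged on the
# page (*.beapy[.]com); it is refanged here purely for matching.
ENCRYPTED_EXT = ".beapy"
MUTEX_NAME = r"Global\BeapyMutex"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "BeapySvc"
C2_DOMAIN_GLOB = "*.beapy.com"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

# Indicators strong enough on their own to call a host infected. The User-Agent
# is deliberately excluded: it is a stock Firefox 60 string seen in benign traffic.
HIGH_CONFIDENCE = {"beapy_extension", "beapy_mutex", "run_key_persistence", "c2_domain"}


def _normalize_key(key):
    """Lower-case a registry path and fold the long hive name onto the HKLM alias."""
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
        key = "HKLM" + key[len("HKEY_LOCAL_MACHINE"):]
    return key.lower()


def match_event(event):
    """Return the names of every page indicator a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and event.get("path", "").lower().endswith(ENCRYPTED_EXT):
        hits.append("beapy_extension")
    if kind == "mutex_create" and event.get("name", "").lower() == MUTEX_NAME.lower():
        hits.append("beapy_mutex")
    if kind == "registry_set":
        if (_normalize_key(event.get("key", "")) == RUN_KEY.lower()
                and event.get("value_name", "").lower() == RUN_VALUE.lower()):
            hits.append("run_key_persistence")
    if kind == "http_request":
        if fnmatch.fnmatchcase(event.get("host", "").lower(), C2_DOMAIN_GLOB):
            hits.append("c2_domain")
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_user_agent")
    return hits


def triage(events):
    """Group indicator hits per host and assign a verdict.

    'infected' requires at least one HIGH_CONFIDENCE indicator; a host that only
    shows the shared User-Agent is marked 'review' so an analyst looks before
    anyone isolates a machine over a stock browser string.
    """
    per_host = {}
    for event in events:
        hits = match_event(event)
        if hits:
            per_host.setdefault(event["host_id"], set()).update(hits)
    verdicts = {
        host: ("infected" if hits & HIGH_CONFIDENCE else "review")
        for host, hits in per_host.items()
    }
    return per_host, verdicts


# Constructed telemetry, not real captures. ws-01 shows the full Beapy pattern,
# ws-02 only shares the browser User-Agent, ws-03 is clean.
SAMPLE_EVENTS = [
    {"host_id": "ws-01", "type": "file_create",
     "path": r"C:\Users\alice\Documents\q3-forecast.xlsx.beapy"},
    {"host_id": "ws-01", "type": "mutex_create", "name": r"Global\BeapyMutex"},
    {"host_id": "ws-01", "type": "registry_set",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "BeapySvc"},
    {"host_id": "ws-01", "type": "http_request", "host": "cdn.beapy.com",
     "user_agent": C2_USER_AGENT},
    {"host_id": "ws-02", "type": "http_request", "host": "www.example.com",
     "user_agent": C2_USER_AGENT},
    {"host_id": "ws-03", "type": "file_create", "path": r"C:\Temp\report.docx"},
]

if __name__ == "__main__":
    hits, verdicts = triage(SAMPLE_EVENTS)
    for host in sorted(verdicts):
        print(f"{host}: {verdicts[host]} ({', '.join(sorted(hits[host]))})")
```

Feeding real telemetry means mapping your EDR or Sysmon export onto the four event types used here; the matching itself is exact string comparison (plus a glob for the C2 domain), so it does not generate the false positives a looser regex over the hash or User-Agent would.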


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.