BEAST

Beast is a ransomware-as-a-service (RaaS) ransomware group and leak-site extortion actor. Reporting in the provided content describes Beast as active since June 2024, with some sources citing activity since 2022, and as a successor or outgrowth of the Monster ransomware strain/group. Beast launched a data-leak site, BEAST LEAKS, in July 2025 and conducts double extortion, combining data theft with encryption. The group is described as supporting multi-platform payloads for Windows, Linux, and VMware ESXi, with exposed tooling showing both Windows and Linux encryptors. Observed intrusion tradecraft in the content includes compromised RDP, SMB scanning, and opportunistic exploitation. Exposed Beast operator infrastructure analyzed by Team Cymru showed tooling for reconnaissance, network mapping, credential theft, persistence, lateral movement, exfiltration, backup destruction, and cleanup. Specifically mentioned tools and methods include Advanced IP Scanner, Advanced Port Scanner, Everything.exe, FolderSize-x64, Mimikatz, LaZagne, Automim, Kerberos.ps1 for Kerberoasting, enable_dump_pass.reg to force cleartext password storage in memory, PsExec, OpenSSH for Windows, AnyDesk for persistence, and MEGASync, WinSCP, and Klink for exfiltration. Beast is also described as terminating database, backup/recovery, antivirus, Microsoft Office, file editor, and email processes during attacks. Recovery prevention behavior includes deleting Volume Shadow Copies and disabling Windows backups via disable_backup.bat, and a CleanExit.exe utility was assessed as likely intended to wipe logs after execution. The content states Beast announced itself in 2024, began operating as a RaaS scheme in February 2025, and is a relatively new actor. It was listed among RaaS programs advertised on the RAMP cybercrime forum. Reporting also places Beast among newly emerged or newly active ransomware groups in 2025 and notes healthcare-sector impact, including claims that groups such as Beast, The Gentlemen, and Cephalus contributed to increased healthcare targeting in Q3 2025. Victim and targeting references in the content include healthcare organizations such as Meadowlark Hills and MedPeds Associates of Sarasota, both claimed by Beast, as well as a South Korean pharmaceutical company and a battery safety component manufacturer. Beast was reported as the second most active ransomware group in South Korea in Q1 2026 with three incidents. Additional claimed victim references include Xiamen Tungsten Co. (XTC), though the provided content notes that such leak-site claims were not independently verified. Known alias/sub-group relationship in the provided content: Beast is described as a successor to Monster ransomware / the Monster ransomware strain. No other high-confidence aliases are directly supported beyond the name Beast.