Beast is a ransomware family and ransomware-as-a-service (RaaS) operation that emerged from the earlier Monster ransomware strain. Multiple sources in the provided content state that Beast was a rebrand of Monster, and Symantec further assessed in 2026 that GodDamn ransomware is the latest rebrand of Beast; Symantec tracks the developer behind Monster, Beast, and GodDamn as Hyadina. Monster was first seen in 2022, and Beast was rebranded from Monster in June 2024. Reporting in the content describes Beast as active as a RaaS program by 2025, with a data-leak site launched in July 2025.
Beast is described as a multi-platform ransomware threat with payloads for Windows, Linux, and VMware ESXi. The content states that support for Linux and ESXi was added after the Monster-to-Beast rebrand. Beast has been associated with encryption across Windows/Linux/ESXi environments, and one source describes it as using the ChaCha20 encryption algorithm. It is also associated with recovery inhibition and backup destruction, including stealthy deletion of Volume Shadow Copy Service (VSS) data. Team Cymru reported that an exposed Beast operator server contained a file named disable_backup.bat designed to delete VSS backups and stop the VSS service. AhnLab analysis cited in the content states that Beast terminates processes related to databases, backup and recovery, antivirus products, Microsoft Office, file editors, and email. The group is also described as stopping security-related and backup-related processes during attacks and combining file encryption with data exfiltration and recovery prevention.
The provided content links Beast intrusions to common ransomware tradecraft and dual-use tooling. Reported tooling and behavior include AnyDesk for remote access and persistence, PsExec for lateral movement, Netscan.exe for host discovery, PowerShell to disable Windows Defender real-time monitoring, and credential theft using Mimikatz and numerous NirSoft utilities including WebBrowserPassView, ChromePass, PasswordFox, MessengerPass, VNCPassView, MailPassView, SniffPass, OperaPassView, CredentialsFileView, WirelessKeyView, ExtPassword, PSTPassword, and NetPass. Team Cymru also reported use of Mega for downloads or exfiltration and a likely log-wiping utility named CleanExit.exe. Intrusion vectors associated with Beast in the content include compromised RDP, SMB scanning, and opportunistic exploitation. One source lists the mutex string "BEAST HERE?".
Symantec’s 2026 reporting on the related GodDamn rebrand provides high-confidence overlap with Beast operations. In the investigated intrusion, attackers used AnyDesk relay infrastructure including 15.235.230[.]188, 185.229.191[.]39, 141.95.145[.]210, and 162.19.171[.]150; deployed a fake Symantec-branded defense-evasion tool named symantec.exe (SHA-256: b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8); and dropped the signed PoisonX kernel driver as g11.sys (SHA-256: 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d), which can terminate security-product processes and remove user-mode API hooks. Symantec also reported a related encrypter binary named encrypter-windows-gui-x86.exe with SHA-256 e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69. While these details were observed in the GodDamn rebrand, the content explicitly states there is significant code overlap and continuing operational continuity between Beast and GodDamn.
Victimology in the provided content indicates Beast has targeted multiple sectors and geographies. It is explicitly mentioned in attacks affecting healthcare providers, including a September 2025 breach claim involving MedPeds Associates of Sarasota, and reporting states that newly emerged groups such as Beast contributed to a surge in healthcare-sector ransomware activity in Q3 2025. Additional reporting in the content notes Beast attacks targeting a South Korean pharmaceutical company and a battery safety component manufacturer. The content also places Beast among ransomware groups affecting industrial organizations and describes it as one of the newer fragmented groups active in 2025.
The name "Beast" also appears in the provided content as an unrelated historical Windows RAT/backdoor from 2002 developed by Tataye. However, the dominant and current malware context in the supplied material refers to Beast ransomware, the Monster rebrand, and its later GodDamn rebrand.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
GodDamn ransomware attack indicates that this seemingly new ransomware is in fact the latest rebrand of the Beast ransomware, which in itself was a rebrand of the Monster ransomware.
The Beast ransomware group is a fairly new one, which sprung from another strain — the so-called Monster ransomware gang. It announced itself in 2024, and began operations as a ransomware-as-a-service (RaaS) scheme in February 2025, launching a data-leak site in July.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
The Exe Icon option allows the attacker to change the payload’s icon to improve social engineering effectiveness.
BeastDoor provides process injection capabilities and several builder options, including: Notifications Startup AV-FW Kill Misc Exe Icon
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family that rebranded from Monster in June 2024 and later appears to have been rebranded again as GodDamn. The content says Beast added greater customization, improved encryption performance, and support for Linux and VMware ESXi targets.
A ransomware-as-a-service program advertised on RAMP.
Named ransomware involved in a healthcare-sector breach claim.
Ransomware used in a ransomware-as-a-service operation. It is described as going beyond simple file encryption by combining recovery prevention techniques, backup destruction, process termination, log wiping, and data exfiltration.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.