The RansomHub ransomware group has encrypted and exfiltrated data from at least 210 victims since it emerged in February 2024, according to a joint advisory from U.S. government agencies.
The affected sectors encompass a broad range, including water and wastewater management, IT, government services and facilities, healthcare, emergency services, food and agriculture, financial services, commercial properties, critical manufacturing, transportation, and vital communications infrastructure.
“RansomHub represents a ransomware-as-a-service (RaaS) variant—formerly known as Cyclops and Knight—that has proven to be an effective and prosperous model. It has recently attracted high-profile affiliates from other notable variants like LockBit and ALPHV,” government agencies reported.
The influx of affiliates from other established operations follows a recent series of law enforcement actions against those groups, which left experienced operators looking for a new platform.
According to ZeroFox’s analysis released last month, RansomHub’s share of total ransomware activity is on the rise. It accounted for about 2% of all attacks in Q1 2024, 5.1% in Q2, and has surged to 14.2% in Q3.
“Approximately 34% of RansomHub’s attacks have targeted organizations in Europe, compared to 25% across the broader threat landscape,” noted the company.
RansomHub uses double extortion: affiliates exfiltrate data and then encrypt systems, so a ransom can be demanded both for the decryptor and for withholding the stolen data. Victims are instructed to contact the attackers via a specific .onion URL. Those who refuse to pay have their data published on a leak site after a window of three to 90 days.
The group gains initial access to victim networks by exploiting known vulnerabilities in various systems, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788), among others.
Following initial access, affiliates conduct reconnaissance and network scanning with tools such as AngryIPScanner and Nmap, as well as living-off-the-land (LotL) techniques that reuse utilities already present on the host. They also disable antivirus software with custom tools to evade detection.
“After gaining initial access, RansomHub affiliates create user accounts for persistence, re-enable disabled accounts, and utilize Mimikatz on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM,” the U.S. government advisory states.
“Subsequently, they move laterally within the network using methods like Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, Metasploit, or other common command-and-control (C2) techniques.”
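The persistence and lateral-movement steps above leave a recognizable trail in Windows event logs. The following is an added example (not code from the advisory or the article) that hunts for that trail over a few constructed event records: account creation and re-enabling, RDP logons by those fresh accounts, and a PsExec service install. Host names, account names and IP addresses are hypothetical; the event IDs are the standard Windows ones.

```python
"""Hunt for the RansomHub persistence and lateral-movement pattern in
Windows event records.

Added example, not code from the advisory or the article. The records are
constructed and the host, account and IP names are hypothetical. Event IDs
are the standard Windows ones: Security 4720 = user account created,
4722 = user account enabled (a disabled account switched back on),
4624 = logon, where LogonType 10 (RemoteInteractive) is RDP, and
System 7045 = service installed (PsExec drops a service named PSEXESVC)."""

# Constructed events, already parsed into dicts (as a SIEM would present them).
EVENTS = [
    {"ts": "2024-08-20T08:01:00", "host": "DC01", "id": 4720,
     "subject": "svc_backup", "target": "wksadmin"},
    {"ts": "2024-08-20T08:02:10", "host": "DC01", "id": 4722,
     "subject": "svc_backup", "target": "oldadmin"},
    {"ts": "2024-08-20T08:05:00", "host": "FS01", "id": 4624,
     "user": "jsmith", "logon_type": 2, "src_ip": "-"},          # console logon, benign
    {"ts": "2024-08-20T08:11:42", "host": "FS01", "id": 4624,
     "user": "wksadmin", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-08-20T08:19:07", "host": "SQL01", "id": 4624,
     "user": "oldadmin", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-08-20T08:20:30", "host": "SQL01", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-08-20T09:00:00", "host": "WS07", "id": 7045,
     "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe"},         # benign service
]


def new_or_reenabled_accounts(events):
    """Accounts created (4720) or enabled (4722): persistence candidates."""
    return {e["target"] for e in events if e["id"] in (4720, 4722)}


def rdp_logons(events, accounts):
    """RDP (LogonType 10) logons performed with the candidate accounts."""
    return [(e["ts"], e["host"], e["user"], e["src_ip"])
            for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10
            and e["user"] in accounts]


def psexec_installs(events):
    """Service installs whose name or binary path points at PsExec."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        blob = (e["service_name"] + " " + e["image_path"]).upper()
        if "PSEXESVC" in blob:
            hits.append((e["ts"], e["host"]))
    return hits


def hunt(events):
    """Correlate the three signals into one finding per source IP."""
    accounts = new_or_reenabled_accounts(events)
    logons = rdp_logons(events, accounts)
    services = psexec_installs(events)
    pivots = {}
    for _ts, host, _user, ip in logons:
        pivots.setdefault(ip, set()).add(host)
    return {
        "suspicious_accounts": sorted(accounts),
        "rdp_logons": logons,
        "rdp_source_ips": sorted(pivots),
        "pivot_hosts_by_ip": {ip: sorted(h) for ip, h in pivots.items()},
        "psexec_hosts": sorted({h for _, h in services}),
    }


if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(f"{key}: {value}")
```

The useful signal is the correlation rather than any single event: one source address using accounts that were created or re-enabled minutes earlier to reach several hosts over RDP, followed by a PSEXESVC install on one of them. In production the same logic runs over 4624/4720/4722/7045 events pulled from a SIEM, with a time window around the account change instead of a static list.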
RansomHub's encryptor also uses intermittent encryption: it encrypts only portions of each file rather than the whole file, which speeds up the run and shortens the window in which the process can be caught and stopped. Data exfiltration is carried out with a mix of tools and channels, including PuTTY, Amazon AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and others.
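To make the intermittent-encryption point concrete, here is an added example (not RansomHub's code or anything from the advisory) that encrypts a constructed 64 KB document in two ways, fully and one 1 KB chunk out of every 4 KB, and then compares how much data each run touches and how a file-level versus chunk-level entropy check responds. The cipher is a toy SHA-256 counter keystream so the block runs on the standard library; a real strain would use AES or ChaCha20. The key, nonce, chunk size and stride are hypothetical choices.

```python
"""Intermittent encryption: why it is fast and how to detect it.

Added example, not RansomHub's code or the advisory's. The cipher is a toy
SHA-256 counter keystream so the block runs on the standard library; a real
strain would use AES or ChaCha20. KEY, NONCE, chunk size and stride are
hypothetical choices for the demo."""
import hashlib
import math

KEY = b"example-key-do-not-use"   # hypothetical
NONCE = b"\x00" * 8               # hypothetical


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(data: bytes, key: bytes, nonce: bytes,
                         chunk: int = 1024, step: int = 4):
    """XOR-encrypt the first `chunk` bytes of every `chunk * step` bytes.

    step=1 is full encryption; step=4 touches 25% of the file. Calling it a
    second time on the output decrypts, since XOR with the same keystream is
    an involution. Returns (output, bytes_touched)."""
    out = bytearray(data)
    touched = 0
    for off in range(0, len(data), chunk * step):
        block = data[off:off + chunk]
        ks = keystream(key, nonce + off.to_bytes(8, "big"), len(block))
        out[off:off + len(block)] = bytes(a ^ b for a, b in zip(block, ks))
        touched += len(block)
    return bytes(out), touched


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_chunks(data: bytes, chunk: int = 1024,
                        threshold: float = 7.5) -> list:
    """Offsets of chunks whose entropy looks like ciphertext.

    A whole-file average is dragged down by the untouched plaintext; a
    per-chunk scan flags each encrypted stripe individually."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) > threshold]


def sample_plaintext(size: int = 65536) -> bytes:
    """Constructed low-entropy 'document' for the demo."""
    line = b"The quick brown fox jumps over the lazy dog.\n"
    return (line * (size // len(line) + 1))[:size]


def compare(size: int = 65536, chunk: int = 1024, step: int = 4) -> dict:
    """Numbers a responder would want side by side."""
    pt = sample_plaintext(size)
    full, full_touched = encrypt_intermittent(pt, KEY, NONCE, chunk, 1)
    part, part_touched = encrypt_intermittent(pt, KEY, NONCE, chunk, step)
    return {
        "plain_entropy": shannon_entropy(pt),
        "full_entropy": shannon_entropy(full),
        "part_entropy": shannon_entropy(part),
        "full_touched_fraction": full_touched / size,
        "part_touched_fraction": part_touched / size,
        "plain_flagged": len(high_entropy_chunks(pt, chunk)),
        "full_flagged": len(high_entropy_chunks(full, chunk)),
        "part_flagged": len(high_entropy_chunks(part, chunk)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float)
              else f"{key:>22}: {value}")
```

The intermittent run touches a quarter of the bytes, which is where the speed-up comes from, and the file's overall entropy lands between plaintext and ciphertext, so a detector keyed on whole-file entropy crossing a high bar is easy to miss. The per-chunk scan flags exactly the encrypted stripes, which is the check a file-monitoring or backup-integrity tool needs.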
In related news, Palo Alto Networks Unit 42 recently explored the tactics of the ShinyHunters group, which it tracks as Bling Libra. The group has shifted from selling or publishing stolen data to extorting the victims directly. First identified in 2020, it obtains legitimate credentials that have been exposed in public repositories and uses them to get into organizations' Amazon Web Services (AWS) environments.
“The group uses tools like the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access objects, and delete data,” researchers Margaret Zimmermann and Chandni Vaya reported.
The evolving landscape of ransomware attacks now features complex, multi-faceted extortion strategies, including triple and quadruple extortion schemes, as noted by SOCRadar.
“Triple extortion amplifies the threat by adding additional disruption methods beyond encryption and exfiltration,” the company stated.
“This might involve launching a DDoS attack against the victim’s systems or extending threats to the victim’s clients, suppliers, or other associates to inflict further operational and reputational damage.”
Quadruple extortion involves reaching out to third parties with business ties to the victim, either extorting them or threatening to expose their data, thereby applying additional pressure on the victim to comply with the ransom demands.
The lucrative nature of RaaS models has spurred the emergence of new ransomware variants such as Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has also led Iranian state actors to collaborate with groups like NoEscape, RansomHouse, and BlackCat, sharing in the proceeds of these illicit operations.