A detailed analysis of a newly emerged ransomware strain known as RansomHub has determined that it is an updated and rebranded version of Knight ransomware, itself an evolution of the earlier Cyclops malware.
Knight ransomware, also known as Cyclops 2.0, first appeared in May 2023. It relies on double extortion, exfiltrating victim data before encrypting it, to pressure victims into paying. The ransomware targets Windows, Linux, macOS, ESXi, and Android systems.
Advertised and sold on the RAMP cybercrime forum, Knight ransomware has been distributed through phishing and spear-phishing campaigns that use malicious attachments as the delivery vector.
By late February 2024 the ransomware-as-a-service (RaaS) operation had shut down and its source code was put up for sale. That sale likely moved the code to a different operator, who rebranded and relaunched it as RansomHub.
RansomHub, which claimed its first victim that same month, has since been linked to a string of attacks on organizations including Change Healthcare, Christie's, and Frontier Communications. The group has stated that it will not target entities in the Commonwealth of Independent States (CIS), Cuba, North Korea, or China.
“Both payloads are crafted in Go, with most variants obfuscated using Gobfuscate,” Symantec, a Broadcom subsidiary, disclosed in a report shared with The Hacker News. “The significant code overlap between the two families makes differentiation challenging.”
Both strains present identical command-line help menus, with RansomHub adding a new "sleep" option that delays execution for a specified number of minutes. The same feature has been seen in the Chaos/Yashma and Trigona ransomware families.
Knight and RansomHub also share the same string-obfuscation technique, the same ransom note dropped after encryption, and the ability to restart the host into safe mode before encryption begins, a step that keeps many endpoint security products from loading.
The main difference lies in the commands each runs via cmd.exe, although the order and manner in which they are invoked relative to the other operations are the same, Symantec noted.
RansomHub intrusions have exploited known vulnerabilities (such as ZeroLogon, CVE-2020-1472) for initial access and deployed remote management tools like Atera and Splashtop before the ransomware itself.
Malwarebytes' statistics link the family to 26 confirmed attacks in April 2024 alone, placing it behind Play, Hunters International, Black Basta, and LockBit for the month.
Mandiant, which is owned by Google, reported recently that RansomHub is trying to recruit affiliates displaced by the recent shutdowns or exit scams of groups such as LockBit and BlackCat (tracked by Symantec as Noberus).
“One former Noberus affiliate, known as Notchy, is now reportedly collaborating with RansomHub,” Symantec reported. “Additionally, tools previously associated with another Noberus affiliate, Scattered Spider, were utilized in a recent RansomHub attack.”
“The rapid establishment of RansomHub’s operations suggests the involvement of veteran operators with significant experience and connections in the cyber underworld.”
The development coincides with a resurgence in ransomware activity in 2023 after a "slight dip" in 2022. Notably, around a third of the 50 new ransomware families identified in 2023 are variants of previously known families, underscoring the growing trend of code reuse, actor overlap, and rebranding.
“In nearly one-third of incidents, ransomware was deployed within 48 hours of initial attacker access,” Mandiant researchers observed. “Seventy-six percent (76%) of ransomware deployments occurred outside of work hours, predominantly in the early morning.”
These attacks have also been marked by the use of commercially available, legitimate remote desktop tools to facilitate intrusions in place of Cobalt Strike.
“The increasing reliance on legitimate tools likely reflects attackers’ efforts to evade detection and reduce the time and resources needed to develop and maintain custom tools,” Mandiant stated.
The resurgence has also brought new variants such as BlackSuit, Fog, and ShrinkLocker. ShrinkLocker has been seen using a Visual Basic Script (VBScript) to abuse Microsoft's built-in BitLocker drive encryption to lock up victims' data for extortion, in attacks targeting Mexico, Indonesia, and Jordan.
ShrinkLocker takes its name from how it prepares the disk: it shrinks each available non-boot partition by 100 MB, turns the freed unallocated space into new primary partitions, and reinstalls the boot files onto them so that the machine can still boot afterward.
“This threat actor demonstrates extensive knowledge of VBScript and Windows internals and utilities such as WMI, diskpart, and bcdboot,” Kaspersky noted in its analysis of ShrinkLocker, adding that they likely “already had full control of the target system when the script was executed.”
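Two of the behaviours above are visible in ordinary process-creation telemetry well before any file is encrypted: the Knight/RansomHub restart into safe mode, and ShrinkLocker's chain of a VBScript host, diskpart, and bcdboot. The script below is an added example written for this article, not code from Symantec, Kaspersky, or either malware family. It assumes the safe-mode restart is done the standard Windows way (bcdedit changing the safeboot setting, then a reboot), which the article does not state, and it runs over a handful of constructed Sysmon-style events whose hostnames, paths, and timestamps are invented for the example.

```python
"""Hunt two ransomware precursor patterns in process-creation telemetry
(for example Sysmon Event ID 1 exported as pipe-delimited lines).

  safe_mode_reboot : bcdedit changes the safeboot setting and the host is
                     restarted within a short window (assumed mechanism for
                     the "restart into safe mode" step; many security agents
                     do not start in safe mode).
  bitlocker_shrink : a script host runs a .vbs, then diskpart runs, then
                     bcdboot reinstalls boot files, all on one host within
                     the window (the tool chain Kaspersky describes for
                     ShrinkLocker).

Every event below is constructed for this example; none of the hosts, paths
or timestamps are real indicators.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp|host|image|command line (unsorted).
SAMPLE_LOG = r"""
2024-05-20T02:11:04|WS01|bcdedit.exe|bcdedit /set {default} safeboot network
2024-05-20T02:11:06|WS01|shutdown.exe|shutdown /r /f /t 0
2024-05-21T01:40:00|SRV02|cscript.exe|cscript.exe //nologo C:\ProgramData\Disk.vbs
2024-05-21T01:40:12|SRV02|diskpart.exe|diskpart /s C:\ProgramData\shrink.txt
2024-05-21T01:41:30|SRV02|bcdboot.exe|bcdboot C:\Windows /s E: /f ALL
2024-05-21T09:00:00|WS03|diskpart.exe|diskpart
2024-05-21T09:05:00|WS03|bcdedit.exe|bcdedit /enum
2024-05-22T10:00:00|WS04|shutdown.exe|shutdown /r /t 0
2024-05-19T14:00:00|WS04|bcdedit.exe|bcdedit /set {default} safeboot minimal
"""

# Stage patterns, matched against the command line (case-insensitive).
SAFEBOOT = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)
REBOOT = re.compile(r"\bshutdown\b.*\s[/-]r\b", re.I)
VBS_HOST = re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I)
DISKPART = re.compile(r"\bdiskpart\b", re.I)
BCDBOOT = re.compile(r"\bbcdboot\b", re.I)

RULES = {
    "safe_mode_reboot": [SAFEBOOT, REBOOT],
    "bitlocker_shrink": [VBS_HOST, DISKPART, BCDBOOT],
}


def parse_log(text: str) -> list[dict]:
    """Turn the pipe-delimited export into event dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "image": image.lower(), "cmdline": cmdline})
    return events


def _match_chain(evs: list[dict], stages: list[re.Pattern], window: timedelta):
    """Find the stages in order on one host; every stage must fall within
    `window` of the first one. Returns the matched events or None."""
    for i, start in enumerate(evs):
        if not stages[0].search(start["cmdline"]):
            continue
        chain, pos, deadline = [start], i + 1, start["ts"] + window
        for pat in stages[1:]:
            found = None
            for j in range(pos, len(evs)):
                if evs[j]["ts"] > deadline:
                    break  # events are sorted, nothing later can qualify
                if pat.search(evs[j]["cmdline"]):
                    found, pos = evs[j], j + 1
                    break
            if found is None:
                break
            chain.append(found)
        else:
            return chain
    return None


def detect(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one alert per (host, rule) whose full chain occurs inside `window`."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for name, stages in RULES.items():
            hit = _match_chain(evs, stages, window)
            if hit:
                alerts.append({"host": host, "rule": name,
                               "first_seen": hit[0]["ts"].isoformat(),
                               "last_seen": hit[-1]["ts"].isoformat(),
                               "evidence": [e["cmdline"] for e in hit]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data only WS01 (safe-mode restart) and SRV02 (ShrinkLocker-style chain) fire; WS03's lone diskpart run and WS04's safeboot change followed by a reboot three days later do not, which is the point of requiring the whole chain inside one window rather than alerting on any single built-in tool.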