Since its emergence in early 2024, RansomHub has quickly expanded its operations and now affects over 210 victims across various sectors. This ransomware-as-a-service (RaaS) variant has established itself in the cybercrime ecosystem, targeting infrastructure and large industries with sophisticated attack methods. With the backing of high-profile affiliates from other notorious ransomware groups like LockBit and ALPHV, RansomHub has gained a reputation for its effectiveness and success.
RansomHub’s Origins
RansomHub was first identified in February 2024 and is considered a descendant of earlier ransomware strains known as Cyclops and Knight. Those earlier strains were less refined precursors of what would become an efficient RaaS platform, one that attracts affiliates from other established ransomware groups. RansomHub follows the double extortion model, in which attackers encrypt the victim’s data and also exfiltrate it, threatening to publish the stolen information if the ransom is not paid.
The U.S. government, through its Cybersecurity and Infrastructure Security Agency (CISA), recently released a joint advisory in collaboration with the FBI, Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS). The advisory, titled #StopRansomware: RansomHub Ransomware, provides an analysis of the ransomware’s tactics, techniques, and procedures (TTPs), offering network defenders insights to combat this threat.
Tactics and Techniques
RansomHub affiliates utilize a variety of methods to gain access to victim networks. These methods include phishing emails, exploiting known vulnerabilities in widely used software, and password spraying attacks. Some of the exploited vulnerabilities include:
- CVE-2023-3519: A vulnerability in Citrix ADC
- CVE-2023-27997: A vulnerability in Fortinet FortiOS
- CVE-2023-22515: A vulnerability in Atlassian Confluence
Once inside the network, affiliates often use tools like AngryIPScanner and Nmap for reconnaissance and network scanning. To avoid detection, they use living-off-the-land (LotL) techniques, with legitimate software such as Remote Desktop Protocol (RDP), PsExec, and AnyDesk. The attackers also use tools like Mimikatz to steal credentials and escalate privileges within the system. One concerning aspect of RansomHub’s attacks is the group’s use of intermittent encryption, which speeds up the process of encrypting files and makes it harder for victims to recover their data without paying the ransom. The group also disables antivirus software and other security defenses using custom tools, allowing them to operate undetected for longer periods.
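Intermittent (partial) encryption leaves a recognizable footprint on disk: a file whose contents alternate between high-entropy and low-entropy regions, rather than becoming uniformly random as full encryption would make it. The following Python script is added here as an example and is not taken from the advisory or from any vendor tool; it computes per-chunk Shannon entropy and flags that alternating pattern. The chunk size, the entropy thresholds, and the sample buffers are assumptions and constructed test data, not measurements of real RansomHub samples.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # analysis window: small enough to resolve skipped regions
HIGH_ENTROPY = 7.5    # bits/byte: ciphertext and compressed data sit near 8.0
LOW_ENTROPY = 6.0     # bits/byte: text, office documents, most structured data

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_intermittent(data: bytes, chunk: int = CHUNK, min_transitions: int = 2) -> tuple:
    """Detect alternating high/low entropy runs; returns (flagged, transition_count)."""
    transitions, last = 0, None
    for e in chunk_entropies(data, chunk):
        label = "H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else None
        if label is None:
            continue                      # ambiguous chunk: neither starts nor breaks a run
        if last is not None and label != last:
            transitions += 1
        last = label
    return transitions >= min_transitions, transitions

def classify(data: bytes) -> str:
    """Coarse verdict for one file's contents (a triage signal, not proof of compromise)."""
    ents = chunk_entropies(data)
    if not ents:
        return "empty"
    if all(e >= HIGH_ENTROPY for e in ents):
        return "fully-encrypted-like"
    if looks_intermittent(data)[0]:
        return "intermittent-pattern"
    return "plaintext-like"

# Constructed fixtures (not real victim data): a plaintext-like document, the same
# document with every other 4 KiB window overwritten by random bytes to mimic the
# partial-encryption footprint, and a fully random buffer. Seeded for repeatability.
_rng = random.Random(20240901)
_SENTENCE = b"Quarterly water-treatment report: all pumps nominal. "
PLAINTEXT_SAMPLE = (_SENTENCE * 700)[:CHUNK * 8]
def _noise() -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(CHUNK))
INTERMITTENT_SAMPLE = b"".join(
    _noise() if i % 2 else PLAINTEXT_SAMPLE[i * CHUNK:(i + 1) * CHUNK] for i in range(8))
FULLY_ENCRYPTED_SAMPLE = b"".join(_noise() for _ in range(8))
```

Legitimately compressed or encrypted formats (archives, media, encrypted containers) also score as high entropy, so the verdict is only a triage signal to correlate with bursts of file modifications and the tooling activity described above.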
Targets and Victims
RansomHub’s reach spans many sectors, with a focus on infrastructure that is considered critical to society. The group has targeted industries including water and wastewater systems, healthcare, government services, emergency services, and transportation. Because these sectors are essential to the functioning of society, a ransomware attack on them can be devastating.
According to the advisory, 34% of RansomHub’s attacks have occurred in Europe, while 25% of attacks have taken place in the U.S. The group’s victims are not limited to these regions, as they have also targeted companies in other parts of the world. The ransomware group has made it clear that it avoids targeting certain countries, such as Russia, China, and North Korea, likely due to the safe havens these countries provide for cybercriminals.
The group’s use of the double extortion model means that victims who refuse to pay the ransom often have their stolen data published on the dark web. This puts the victim organization at risk and can also affect its customers, partners, and other third parties whose sensitive data may have been exfiltrated.
Fighting the RansomHub Threat
Given the scale of RansomHub’s operations and the nature of its targets, it is important for organizations to take steps to defend against this threat. CISA’s joint advisory provides several recommendations for mitigating the risk of a RansomHub attack:
- Ensure all software is up to date with the latest patches, particularly products with known exploited vulnerabilities such as Citrix ADC and Fortinet FortiOS, since CVE-2023-3519 and CVE-2023-27997 have been exploited by RansomHub affiliates.
- Use multi-factor authentication (MFA) and enforce password policies to prevent unauthorized access, while reviewing and disabling unused or unnecessary accounts.
- Employ tools that monitor network traffic for unusual activity, such as large data transfers or connections to known malicious IP addresses, to detect suspicious behavior early in the attack.
- Implement endpoint detection and response (EDR) solutions with tamper protection to prevent ransomware from disabling security defenses, ensuring these solutions are updated to tackle the latest threats.
- Conduct data backups and store them in locations inaccessible from the main network, while periodically testing recovery plans to ensure they are effective in the event of an attack.
RansomHub’s emergence as a ransomware threat highlights the danger of cyberattacks targeting infrastructure. With high-profile affiliates from other ransomware groups, RansomHub has demonstrated its ability to inflict damage on both public and private sector organizations. Its use of tactics such as intermittent encryption and the exploitation of known vulnerabilities makes it important for organizations to stay on top of their cybersecurity measures. For more detailed information on the tactics used by RansomHub and additional mitigation strategies, network defenders are encouraged to review CISA’s #StopRansomware: RansomHub Ransomware advisory.