RansomHub (Ransomware Group) – Threat Actor

Overview

Common targets

The gang’s website states that they refrain from targeting CIS, Cuba, North Korea, and China and non-profit organizations. Threat actors are listing victims from various countries without following a specific pattern, targeting a diverse range of nations such as the US, Brazil, Indonesia, and Vietnam. While notably large companies have not appeared on the list so far, healthcare-related institutions, which are considered critical sectors, are among the listed victims.

Attack Vectors

Ransomware. Recent attacks have leveraged the old but critical ZeroLogon vulnerability: CVE-2020-1472 (CVSS: 10).

How they operate

RansomHub, a newly emerged player in the ransomware landscape since early 2024, operates distinctly within the realm of cybercrime by blending traditional tactics with modern strategies. The group, comprised of hackers from various global locations, operates under a structured framework reminiscent of Russian cybercrime organizations. They explicitly avoid targeting specific countries like CIS, Cuba, North Korea, and China, which aligns with typical operational preferences observed among Russian-affiliated cybercriminal groups. Functioning as a Ransomware-as-a-Service (RaaS) entity, RansomHub recruits affiliates primarily through forums such as RAMP, where they offer a generous 90% share of ransom payments upfront to build trust and attract capable partners. This approach contrasts sharply with past incidents, such as the ALPHV scam, which eroded trust in RaaS models due to non-payment issues. By offering such favorable terms, RansomHub positions itself uniquely in the cybercrime ecosystem, appealing to skilled affiliates seeking reliable financial gain. Technically, RansomHub leverages ransomware strains written in Golang, a programming language valued for its efficiency and cross-platform capabilities. This adaptation allows their malware to operate stealthily across diverse systems, complicating detection and mitigation efforts by cybersecurity teams. The group demonstrates a keen understanding of vulnerabilities and exploits, as evidenced by their use of the ZeroLogon vulnerability (CVE-2020-1472) to compromise domain controllers. This tactic provides them with extensive network access, facilitating the deployment of ransomware payloads across compromised environments. Operationally, RansomHub employs a range of tools and tactics to execute their attacks effectively. They utilize remote access tools like Atera and Splashtop for initial network compromise and reconnaissance, enhancing their ability to identify and exploit vulnerabilities within targeted networks. Tools such as NetScan aid in network reconnaissance, allowing them to map out target environments and identify critical assets for encryption or exfiltration. Victimology-wise, RansomHub’s targets span various sectors and geographies, with notable incidents affecting healthcare institutions and companies in the US, Brazil, Indonesia, and Vietnam. While major corporations have not yet surfaced among their victims, their focus on critical sectors underscores their disruptive potential and the broader impact of ransomware on global cybersecurity.

Mitigation

Defense and Mitigation Strategies:

• Implement robust backup strategies.
• Maintain stringent patch management protocols.
• Deploy advanced endpoint protection solutions.
• Conduct regular security audits and penetration testing.
• Adopt network segmentation strategies.
• Enhance user access controls.
• Develop and test incident response plans.
• Educate and train employees on cybersecurity.
• Enhance email and web security.
• Regularly verify and test backup data.

References:

• RansomHub: New Ransomware has Origins in Older Knight
• Dark Web Profile: RansomHub
• RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates
• New RansomHub ransomware gang has ties to older Knight group
• RansomHub. Because every abandoned affiliate needs a home.
• The rise of RansomHub: Uncovering a new ransomware-as-a-service operation