RansomHub

RansomHub is a ransomware-as-a-service (RaaS) variant, previously known as Cyclops and Knight.


The Origin of RansomHub

RansomHub surfaced in February 2024 and, by August 2024, had encrypted and exfiltrated data from at least 210 victims, recruiting experienced affiliates displaced from other RaaS programs such as LockBit and ALPHV/BlackCat. The operation runs a double-extortion model: affiliates encrypt systems and steal data, and the group threatens to publish the stolen data if the ransom is not paid. It is regarded as professional and technically capable.

Targets

RansomHub's Targets

Countries targeted by RansomHub

RansomHub has a global reach, with victims primarily in the United States and Europe, focusing on critical infrastructure and key industries.

The group claims to avoid targets in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China. This exclusion list is typical of Russian-speaking RaaS programs and is most plausibly explained by the operators wanting to stay clear of law enforcement in the countries they operate from.

Figure source: Cyberint

Industries targeted by RansomHub

RansomHub attacks a broad range of industries. The most frequently hit sectors are Business Services, Retail, and Manufacturing, followed by Educational Services, Government, Finance, Construction, Healthcare, Technology, and Critical Infrastructure. That spread, and the presence of critical sectors within it, makes the group a significant threat to public and private organizations alike.

The group also claims not to target non-profit organizations.


RansomHub's Victims

More than 324 organizations have been listed as RansomHub victims since the group emerged (a later tally than the 210 cited in the August 2024 CISA advisory), with a notable focus on public infrastructure, including healthcare systems and government facilities. These attacks disrupt vital services, leading to significant operational downtime and substantial ransom demands.

Attack Method

RansomHub's Attack Method

Initial Access

RansomHub affiliates gain initial access through phishing emails, exploitation of internet-facing vulnerabilities, password spraying against exposed services, and stolen credentials. CVEs observed in affiliate intrusions include CVE-2023-3519 (Citrix NetScaler ADC/Gateway unauthenticated RCE), CVE-2023-27997 (FortiOS SSL-VPN heap overflow), and CVE-2020-1472 (Zerologon, a Netlogon privilege escalation that yields domain-controller takeover once an affiliate can reach a DC on the internal network).

Privilege Escalation

Once inside, affiliates escalate privileges by dumping credentials with tools such as Mimikatz and reusing them, or by exploiting Zerologon (CVE-2020-1472) against a domain controller, giving them domain-wide control over compromised systems.

Defense Evasion

Affiliates disable security tooling (AV/EDR), clear Windows and Linux logs, and rename the ransomware executable to an innocuous name (such as Windows.exe) so that it blends in with system files and evades casual inspection.

Credential Access

Using credential-dumping tools (for example Mimikatz reading LSASS memory) and password spraying, affiliates harvest administrative credentials and use them to reach high-value systems.

Discovery

Affiliates map the network with tools such as Nmap and PowerShell, identifying valuable hosts and data stores and planning further exploitation.

Lateral Movement

Affiliates move laterally over Remote Desktop Protocol (RDP) with harvested credentials, push payloads and commands with PsExec, and install legitimate remote-access software such as AnyDesk for interactive access, extending their foothold to additional systems within the network.

Collection

Before encryption, affiliates identify and stage the data that will hurt the victim most if published; the same data is later used as leverage in double-extortion negotiations. Rclone and WinSCP are the transfer tools most often seen once that data is moved out of the network.

Execution

The ransomware is then executed across the victim's network. Its encryption is built on Curve25519 elliptic-curve cryptography. Curve25519 itself is a key-agreement primitive, so in practice it protects the symmetric key that does the bulk file encryption: the files are locked under a per-victim key pair whose private half never leaves the operators, and without it the files cannot be recovered.

Exfiltration

Data is exfiltrated over encrypted channels (SFTP via WinSCP, HTTPS to cloud storage via Rclone), through attacker-controlled cloud accounts, or by direct transfer to attacker-controlled servers.

Impact

RansomHub's encryption renders victim systems inoperable, often leading to extensive operational downtime. Affiliates delete backups and volume shadow copies (typically with vssadmin.exe) to prevent recovery, maximizing the pressure on victims to pay the ransom.
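The chain above maps onto a handful of high-signal host and authentication events. The following is an added example of detection logic for those events, written for this page and not taken from any vendor product: it consumes Windows Security and Sysmon records already parsed into dicts (the shape a SIEM or EDR would hand you), and the sample telemetry, the thresholds, the LSASS allowlist and all function names are the author's assumptions rather than anything documented for RansomHub.

```python
"""Detection rules for the RansomHub affiliate chain: password spraying,
LSASS credential dumping, shadow-copy deletion, log clearing, Rclone exfil.

Added example, not code from the page or a vendor. Event dicts are assumed to
carry: ts (ISO 8601), id (Windows event ID or Sysmon ID) and, per event type,
src_ip/user (4624/4625), image/target (Sysmon 10), cmdline/host (4688 / Sysmon 1).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)   # assumption: tune per estate
SPRAY_MIN_ACCOUNTS = 5                 # assumption: distinct accounts per source IP
LSASS_ALLOWLIST = {                    # assumption: extend with your EDR/AV binaries
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_password_spray(events):
    """One source IP failing logons (4625) for many distinct accounts in a short window (T1110.003)."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=_ts)
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if _ts(f) - _ts(first) <= SPRAY_WINDOW]
            accounts = {f["user"] for f in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                hits[src] = sorted(accounts)
                break
    return hits


def detect_lsass_access(events):
    """Sysmon 10: a non-allowlisted process opening lsass.exe, the Mimikatz pattern (T1003.001)."""
    return [e for e in events
            if e["id"] == 10
            and e["target"].lower().endswith(r"\lsass.exe")
            and e["image"].lower() not in LSASS_ALLOWLIST]


def detect_shadow_copy_deletion(events):
    """Process creation (4688 / Sysmon 1) whose command line wipes shadow copies (T1490)."""
    hits = []
    for e in events:
        if e["id"] not in (1, 4688):
            continue
        c = e["cmdline"].lower()
        if ("vssadmin" in c and "delete" in c and "shadows" in c) or \
           ("wmic" in c and "shadowcopy" in c and "delete" in c):
            hits.append(e)
    return hits


def detect_log_clear(events):
    """Security 1102: the audit log was cleared (T1070.001)."""
    return [e for e in events if e["id"] == 1102]


def detect_rclone_exfil(events):
    """rclone copy/sync/move to a remote, the most common exfiltration tool above (T1567.002)."""
    hits = []
    for e in events:
        if e["id"] in (1, 4688):
            c = e["cmdline"].lower()
            if "rclone" in c and any(v in c for v in (" copy ", " sync ", " move ")):
                hits.append(e)
    return hits


def run_all(events):
    return {
        "password_spray": detect_password_spray(events),
        "lsass_access": detect_lsass_access(events),
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "log_clear": detect_log_clear(events),
        "rclone_exfil": detect_rclone_exfil(events),
    }


# Constructed sample telemetry, not from a real incident.
SAMPLE = [
    # spray: six accounts from one IP in five minutes, then a success for the sprayed service account
    *[{"ts": f"2024-06-01T02:0{i}:00", "id": 4625, "src_ip": "203.0.113.7", "user": u}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "svc_backup"])],
    {"ts": "2024-06-01T02:06:00", "id": 4624, "src_ip": "203.0.113.7", "user": "svc_backup"},
    # a single typo'd password from an internal user: below threshold, must not fire
    {"ts": "2024-06-01T09:00:00", "id": 4625, "src_ip": "10.0.0.55", "user": "alice"},
    # credential dumping from a binary dropped in a world-writable path, beside a legitimate LSASS client
    {"ts": "2024-06-01T02:20:00", "id": 10, "host": "DC01", "image": r"C:\Users\Public\mk.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2024-06-01T02:21:00", "id": 10, "host": "DC01", "image": r"C:\Windows\System32\wininit.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    # exfiltration, then recovery inhibition and log clearing ahead of encryption
    {"ts": "2024-06-02T01:00:00", "id": 4688, "host": "FS01", "cmdline": r"rclone.exe copy D:\Finance s3:staging --transfers 32"},
    {"ts": "2024-06-02T03:00:00", "id": 4688, "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-06-02T03:00:05", "id": 1102, "host": "FS01", "user": "svc_backup"},
    # routine administration that must not fire
    {"ts": "2024-06-02T08:00:00", "id": 4688, "host": "WS22", "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE).items():
        print(f"{rule}: {hits}")
```

The spray rule keys on distinct accounts per source rather than failures per account, which is what defeats per-user lockout thresholds; the LSASS rule is only as good as its allowlist, so build that list from a clean baseline rather than by hand. Each rule returns the matching events so the output can be pushed into a case as-is.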

MITRE ATT&CK Mapping

TTPs used by RansomHub

TA0001: Initial Access
T1566 Phishing
T1190 Exploit Public-Facing Application
T1078 Valid Accounts (stolen or sprayed credentials)
TA0002: Execution
T1059 Command and Scripting Interpreter (T1059.001 PowerShell)
T1569.002 System Services: Service Execution (PsExec)
TA0003: Persistence
No techniques listed.
TA0004: Privilege Escalation
T1068 Exploitation for Privilege Escalation (CVE-2020-1472)
TA0005: Defense Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
T1070.001 Indicator Removal: Clear Windows Event Logs
T1036.005 Masquerading: Match Legitimate Name or Location (renamed ransomware binary)
TA0006: Credential Access
T1003.001 OS Credential Dumping: LSASS Memory (Mimikatz)
T1110.003 Brute Force: Password Spraying
TA0007: Discovery
T1046 Network Service Discovery (Nmap)
T1018 Remote System Discovery
TA0008: Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
TA0009: Collection
T1005 Data from Local System
TA0010: Exfiltration
T1048 Exfiltration Over Alternative Protocol (WinSCP/SFTP)
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage (Rclone)
TA0011: Command and Control
T1219 Remote Access Software (AnyDesk)
TA0040: Impact
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery (shadow copy and backup deletion)

FAQs

What industries does RansomHub primarily target?

The most frequently hit sectors are Business Services, Retail, and Manufacturing, but RansomHub also attacks critical infrastructure sectors such as healthcare, financial services, and government facilities.

What countries are most affected by RansomHub?

The group primarily targets organizations in the United States and Europe, avoiding CIS countries, Cuba, North Korea, and China.

How does RansomHub gain initial access?

Affiliates exploit known vulnerabilities, use phishing attacks, and leverage stolen credentials to infiltrate systems.

What are RansomHub's data exfiltration methods?

They use tools like Rclone and WinSCP to exfiltrate sensitive data over encrypted channels.

How does RansomHub escalate privileges within a network?

Affiliates use tools like Mimikatz to extract credentials and escalate to system-level privileges.

What encryption method does RansomHub use?

The ransomware uses Curve25519 elliptic-curve cryptography. Curve25519 is a key-agreement primitive, so it protects the symmetric key that encrypts the files; that key is bound to a per-victim key pair whose private half only the operators hold, which is why files cannot be recovered without paying or obtaining that key.

How do RansomHub affiliates avoid detection?

They disable security tools, clear logs, and rename ransomware executables to blend in with legitimate files.

What tools does RansomHub use for lateral movement?

Tools like Remote Desktop Protocol (RDP), AnyDesk, and PsExec are used for moving laterally within compromised networks.

What mitigation strategies can help prevent RansomHub attacks?

Key mitigations are phishing-resistant multi-factor authentication (MFA) on all remote access, prompt patching of internet-facing appliances (including the Citrix, Fortinet, and Netlogon flaws listed above), network segmentation, and offline or immutable backups that survive the deletion of volume shadow copies and online backups.

What is the impact of a RansomHub attack?

Victims often experience significant downtime and data loss due to encryption and the deletion of backups, leading to operational paralysis and high ransom demands.