Ransomware newcomer RansomHub claiming one victim per day


Ransomware ecosystem newcomer RansomHub already has at least 210 scalps under its belt. The victims include various organizations from critical infrastructure sectors in the US.

RansomHub emerged in February 2024 and has already established itself as a successful ransomware-as-a-service model.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other agencies released a joint advisory to help companies defend against this adversary. The advisory sheds light on how RansomHub gains access, encrypts, exfiltrates the data, and extorts the victims.


The gang’s primary targets are critical infrastructure sectors: water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.

A network of affiliates uses double extortion tactics, threatening to publicly release the stolen information. The ransom notes usually do not include an initial demand or payment instructions but rather provide victims with instructions to contact the gang via a unique .onion URL on the dark web.

Ransom notes typically leave 3-90 days to pay the ransom before the group publishes the stolen data.

Massive amounts of tools

Cybercriminals use a wide palette of initial access methods to infiltrate networks. These methods range from phishing emails to password-spraying accounts whose credentials were exposed in previous data breaches. According to the advisory, their arsenal contains at least nine exploits for vulnerabilities in software such as Citrix ADC, FortiOS, Apache ActiveMQ, and others.

After gaining access to internet-facing systems, the affiliates scan the network using tools such as AngryIPScanner, Nmap, and PowerShell-based living-off-the-land methods.

Affiliates choose innocuous file names, such as Windows.exe, to evade detection. They use the credential dumper Mimikatz to gather credentials and escalate privileges.

Researchers observed at least seven different methods for lateral movement, such as Remote Desktop Protocol, AnyDesk, Cobalt Strike, Metasploit, and others.


The same is true for data exfiltration – at least seven tools were used during data exfiltration, such as PuTTY, AWS S3 buckets and tools, HTTP POST requests, and WinSCP.

The ransomware executable uses a unique public/private key pair for each victim organization. It attempts to stop many programs and processes so that it can encrypt files successfully. The ransomware renames encrypted files with a randomized file extension and leaves a ransom note that’s generally titled “How To Restore Your Files.txt.”
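The two on-disk artifacts described above (the ransom note title and the randomized extension applied to encrypted files) are what a defender can hunt for on a file share. The following is an added example written for this article, not code from the advisory or the authoring agencies; the allow-list of expected extensions, the 80% dominance ratio, the minimum file count and the sample folder contents are all assumptions.

```python
"""Hunt a file tree for RansomHub-style encryption artifacts (added example).

Flags (1) any file named like the advisory's ransom note and (2) directories
in which most files share one extension that is not on an allow-list, which is
how a randomized extension shows up after mass encryption.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "how to restore your files.txt"  # title from the advisory, matched case-insensitively
# Assumed allow-list of extensions expected on this share.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe", ".dll", ".log"}


def scan_tree(root, min_files=5, ratio=0.8):
    """Return (ransom_note_paths, suspicious_dirs).

    suspicious_dirs maps a directory to its dominant unknown extension when at
    least `min_files` files live there and that extension covers `ratio` of them.
    """
    notes, suspicious = [], {}
    for dirpath, _dirs, files in os.walk(root):
        exts = Counter()
        for name in files:
            if name.lower() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                continue  # the note itself is not an encrypted file
            exts[os.path.splitext(name)[1].lower()] += 1
        total = sum(exts.values())
        if total < min_files:
            continue
        ext, count = exts.most_common(1)[0]
        if ext and ext not in KNOWN_EXTENSIONS and count / total >= ratio:
            suspicious[dirpath] = ext
    return notes, suspicious


def build_sample_share():
    """Construct a fake share: one clean folder and one 'encrypted' folder with a note."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "finance")
    os.makedirs(clean)
    for i in range(6):
        open(os.path.join(clean, f"report{i}.xlsx"), "w").close()
    hit = os.path.join(root, "hr")
    os.makedirs(hit)
    for i in range(6):  # ".k7qzx" is a constructed stand-in for a randomized extension
        open(os.path.join(hit, f"payroll{i}.docx.k7qzx"), "w").close()
    open(os.path.join(hit, "How To Restore Your Files.txt"), "w").close()
    return root


if __name__ == "__main__":
    notes, dirs = scan_tree(build_sample_share())
    print("ransom notes:", notes)
    print("suspicious dirs:", dirs)
```

Point `scan_tree` at a real share root to run the same hunt; tune the allow-list per share to avoid flagging legitimate but unusual extensions.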

The advisory provides a full list of known indicators of compromise, including IP addresses, tools, known URLs, email addresses, and others.