RansomHub Ransomware Targets 210 Victims Since February 2024
As per recent reports, the RansomHub ransomware group's threat actors have stolen data from at least 210 victims since the group's inception in February 2024. The victims of these attacks span various sectors. In this article, we'll dive into all the details and learn more about the attacks. Let's begin!
Understanding RansomHub Ransomware
RansomHub is a ransomware-as-a-service (RaaS) platform that descended from Cyclops and Knight. The group has attracted affiliates from other ransomware variants such as LockBit and ALPHV, also known as BlackCat. In a recent analysis, ZeroFox has stated that the RansomHub ransomware activity is on an upward trajectory.
As per the information available, their attacks account for around 2% of all ransomware attacks in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3. Commenting on the targets, an excerpt from the report reads:
“Approximately 34% of RansomHub attacks have targeted organizations in Europe, compared to 25% across the threat landscape.”
It’s worth mentioning here that the key sectors targeted in the RansomHub ransomware attacks include:
- Water and wastewater.
- Information technology.
- Government services and facilities.
- Healthcare and public health.
- Emergency services.
- Food and agriculture.
- Financial services.
- Commercial facilities.
- Critical manufacturing.
- Transportation.
- Communications critical infrastructure.
RansomHub Cyber Attacks Methodology
As far as the attack methodology is concerned, the RansomHub ransomware hackers are known for employing a double extortion technique. These threat actors exfiltrate data and then encrypt the compromised systems. Victims of the RansomHub ransomware attacks are then required to contact the operator via a unique .onion URL.
Those who refuse to comply with the ransom demand face the risk of having their data published on a data leak site anywhere between three and ninety days later. To gain initial access, the threat actors exploit various known vulnerabilities that include:
- Apache ActiveMQ (CVE-2023-46604).
- Atlassian Confluence Data Center and Server (CVE-2023-22515).
- Citrix ADC (CVE-2023-3519).
- F5 BIG-IP (CVE-2023-46747).
- Fortinet FortiOS (CVE-2023-27997).
- Fortinet FortiClientEMS (CVE-2023-48788).
After gaining initial access, affiliates conduct reconnaissance operations and scan the network using tools like AngryIPScanner and Nmap. In addition, during a RansomHub ransomware attack, hackers also disable anti-virus software using custom tools. The group also uses intermittent encryption for speeding up the process.
It's worth mentioning here that data exfiltration in a RansomHub ransomware attack can be carried out using various tools that include:
- PuTTY.
- Amazon AWS S3 buckets.
- HTTP POST requests.
- WinSCP.
- Rclone.
- Cobalt Strike.
- Metasploit.
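The recon and exfiltration tooling listed above is mostly legitimate software, so the useful detection signal is the combination: a scanner executing on a host, followed within a short window by a transfer tool pushing data to a remote destination. The script below is an added example (not code from the original article or from any of the vendors cited) that triages constructed process-creation events in a simple JSON format. The image names in the watchlist are assumed binary names for the tools named on the page; Cobalt Strike and Metasploit have no fixed image name and are deliberately not matched here. Host names, timestamps and command lines are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Assumed image names for tools the article names (recon vs. exfiltration stage).
TOOL_WATCHLIST = {
    "ipscan.exe": ("AngryIPScanner", "recon"),
    "nmap.exe": ("Nmap", "recon"),
    "putty.exe": ("PuTTY", "exfil"),
    "pscp.exe": ("PuTTY pscp", "exfil"),
    "psftp.exe": ("PuTTY psftp", "exfil"),
    "winscp.exe": ("WinSCP", "exfil"),
    "rclone.exe": ("Rclone", "exfil"),
}

# Recon followed by a transfer tool on the same host within this window is escalated.
CORRELATION_WINDOW = timedelta(hours=24)


def parse_event(line):
    """Parse one JSON process-creation event (constructed format: ts, host, image, cmdline)."""
    ev = json.loads(line)
    return {
        "ts": datetime.fromisoformat(ev["ts"]),
        "host": ev["host"],
        # Normalise the full path to a lower-case file name for watchlist lookup.
        "image": ev["image"].rsplit("\\", 1)[-1].lower(),
        "cmdline": ev.get("cmdline", ""),
    }


def rclone_remote_target(cmdline):
    """True when an rclone copy/sync/move targets a configured remote ('name:path').

    A destination whose ':' is at index 1 is treated as a local drive letter
    (e.g. 'D:\\backup'), so local-to-local transfers are not flagged.
    """
    parts = cmdline.split()
    if len(parts) < 3 or parts[1].lower() not in {"copy", "sync", "move"}:
        return False
    dest = parts[-1]
    return ":" in dest and dest.find(":") != 1


def triage_events(lines):
    """Return a finding for every watchlisted tool execution, with a severity."""
    findings = []
    first_recon = {}  # host -> timestamp of the first recon tool seen on it
    for line in lines:
        ev = parse_event(line)
        hit = TOOL_WATCHLIST.get(ev["image"])
        if not hit:
            continue
        tool, stage = hit
        severity, note = "medium", f"{tool} executed"
        if stage == "recon":
            first_recon.setdefault(ev["host"], ev["ts"])
        else:
            if tool == "Rclone" and rclone_remote_target(ev["cmdline"]):
                severity, note = "high", note + " with remote destination"
            recon_ts = first_recon.get(ev["host"])
            if recon_ts is not None and ev["ts"] - recon_ts <= CORRELATION_WINDOW:
                severity, note = "critical", note + " after recon tool on same host"
        findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                         "tool": tool, "stage": stage, "severity": severity, "note": note})
    return findings


# Constructed sample events: one benign process, a scan followed by an rclone
# push to a remote on FS02, WinSCP on a host with no prior recon, and a local rclone copy.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2024-08-01T09:00:00", "host": "WS01",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2024-08-01T09:05:00", "host": "FS02",
     "image": r"C:\Tools\ipscan.exe", "cmdline": "ipscan.exe"},
    {"ts": "2024-08-01T10:30:00", "host": "FS02", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy --transfers 32 D:\Shares\Finance s3remote:exfil-bucket"},
    {"ts": "2024-08-01T11:00:00", "host": "WS01",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
    {"ts": "2024-08-01T11:15:00", "host": "WS03",
     "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe copy C:\backup D:\backup"},
]]


def run_sample():
    return triage_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['host']:<5} {f['severity']:<8} {f['note']}")
```

The recon-then-transfer correlation is what separates an administrator running WinSCP from an affiliate staging data; in a real deployment the watchlist would be extended with file hashes and the events would come from an EDR or Sysmon feed rather than constructed JSON.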
The group's complex attack tactics serve as a critical reminder of how ransomware attacks are evolving. To develop a protection strategy, organizations must understand that such attacks now leverage multi-faceted extortion strategies. Given this, it's essential to identify and secure all aspects of the network and its devices to lower risk and ensure protection.
Conclusion
RansomHub’s rapid rise highlights the growing sophistication of ransomware attacks, leveraging double extortion and targeting critical infrastructure worldwide. Organizations must prioritize securing vulnerabilities, enhancing threat detection, and implementing robust protection strategies. Staying proactive and vigilant is crucial to mitigating the risks posed by evolving ransomware threats like RansomHub.
The sources for this piece include articles in The Hacker News and Bleeping Computer.