How RansomHub went from zero to 210 victims in six months

RansomHub, a ransomware-as-a-service (RaaS) outfit that “popped up” earlier this year, has already amassed at least 210 victims (that we know of).

Its affiliates have hit government services, IT and communication companies, healthcare institutions, financial organizations, emergency services, manufacturing and transportation outfits, and commercial facilities.

And, according to an advisory compiled by the FBI, CISA, the Department of Health and Human Services and the Multi-State Information Sharing and Analysis Center, the affiliates’ tactics and techniques are as diverse as their victims.

Tactics, techniques and tools used by RansomHub’s affiliates

Initial access is gained via phishing emails, password spraying, and exploitation of known vulnerabilities in internet-facing systems (Citrix NetScaler, Fortigate, Atlassian Confluence, etc.).

The affiliates are:

  • Using a variety of network scanning tools for reconnaissance
  • Deploying ransomware executables that have been renamed to look innocuous
  • Deleting logs and disabling AV and EDR products
  • Creating or re-enabling user accounts, using Mimikatz for gathering credentials
  • Moving laterally by leveraging RDP, PsExec, Cobalt Strike, and a number of legitimate remote access tools (AnyDesk, Connectwise)
  • Exfiltrating data via PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods

“The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system,” the advisory says.

“The note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.”
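A small file-system check for the two on-disk traits the advisory describes (the ransom note title and the random extension appended to data files, with executables left alone), written as an added Python example for defenders; it is not code from the advisory or this article, and the extension allowlist, the four-character "random" threshold and the sample directory are constructed assumptions.

```python
"""Flag directories that show RansomHub-style encryption artifacts.

Constructed example: it looks for the ransom note name and for files whose
extension was replaced by a random one, and counts executables that were
left untouched, matching the behaviour the advisory describes.
"""
import os
import string
import tempfile

NOTE_NAME = "How To Restore Your Files.txt"
# Executables are typically skipped by the encryptor, per the advisory.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}
# Hypothetical allowlist of ordinary extensions (assumption, extend per site).
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png",
               ".db", ".log"} | EXECUTABLE_EXTS
ALNUM = set(string.ascii_letters + string.digits)


def looks_random(ext: str) -> bool:
    """Heuristic: an unknown, alphanumeric extension of 4+ chars is 'random'."""
    body = ext.lstrip(".")
    return (ext.lower() not in COMMON_EXTS
            and len(body) >= 4
            and all(c in ALNUM for c in body))


def scan_tree(root: str) -> dict:
    """Walk `root` and return indicator counts plus a combined verdict."""
    hits = {"ransom_notes": 0, "random_ext_files": 0, "untouched_executables": 0}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            _, ext = os.path.splitext(name)
            if name == NOTE_NAME:          # check the note first: it ends in .txt
                hits["ransom_notes"] += 1
            elif ext.lower() in EXECUTABLE_EXTS:
                hits["untouched_executables"] += 1
            elif looks_random(ext):
                hits["random_ext_files"] += 1
    # Both the note and renamed data files together are the strong signal.
    hits["suspect"] = hits["ransom_notes"] > 0 and hits["random_ext_files"] > 0
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory that mimics an encrypted share."""
    root = tempfile.mkdtemp()
    for name in ("report.docx.k8Qz2x", "photo.jpg.k8Qz2x", "tool.exe",
                 NOTE_NAME, "notes.txt"):
        open(os.path.join(root, name), "w").close()
    return root
```

Point `scan_tree` at a mounted share or a forensic image to get the counts; a `suspect` verdict is a trigger for isolation and deeper triage, not proof by itself.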

RansomHub’s success is due to skilled affiliates

The diversity of the tactics and techniques employed by RansomHub affiliates means that defenders should employ a wide variety of mitigations, which have been outlined in CISA’s advisory.

“RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model,” the agencies noted.

The success of the RansomHub operation is due to its ability to attract skilled former affiliates of LockBit and ALPHV/BlackCat in the wake of law enforcement takedowns, failed comebacks, and an exit scam.

RansomHub operators enticed potential affiliates to join their operation by promising that they would not have to be exclusively tied to it, and by allowing them to collect ransom payments themselves (and only then paying the “service fee”).
