RansomHub Ransomware Group Hits 210 Targets Across Critical Sectors

Threat actors associated with the RansomHub ransomware group have stolen data from, and encrypted the systems of, more than 210 victims since the group emerged in February 2024, according to the U.S. government. The victims span critical sectors including water and wastewater, information technology, government services, healthcare, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications infrastructure.

RansomHub, a ransomware-as-a-service (RaaS) variant previously known as Cyclops and Knight, has established itself as an effective and lucrative service model, attracting affiliates from other well-known ransomware groups like LockBit and ALPHV (also known as BlackCat), especially following recent law enforcement crackdowns.

According to a late July report by ZeroFox, RansomHub's share of observed ransomware activity has been rising: roughly 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% in Q3 up to the report's publication. The report also noted that about 34% of RansomHub's attacks have targeted organizations in Europe, against 25% for the broader threat landscape.

The group is notorious for its double extortion model, in which data is exfiltrated and systems are then encrypted. The ransom note directs the victim to contact the operators through a unique .onion URL and typically allows between three and 90 days, depending on the affiliate, to pay. Organizations that refuse risk having the stolen data published on the group's data leak site.

RansomHub affiliates gain initial access by exploiting known vulnerabilities in internet-facing software and appliances such as Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788). After gaining entry, they conduct reconnaissance and network scanning with tools such as Angry IP Scanner and Nmap alongside living-off-the-land (LotL) techniques, and frequently disable antivirus software with custom tools to evade detection.

Once inside the network, RansomHub affiliates create new user accounts for persistence, re-enable previously disabled accounts, and use tools such as Mimikatz to harvest credentials and escalate privileges to SYSTEM. They then move laterally using Remote Desktop Protocol (RDP), PsExec, remote access tools such as AnyDesk, ConnectWise, and N-able, and command-and-control (C2) frameworks such as Cobalt Strike and Metasploit.
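The account manipulation and lateral movement described above leave standard Windows events behind: 4720 (user account created), 4722 (user account enabled), 4624 with LogonType 10 (RDP) and 7045 (new service installed, which PsExec triggers as PSEXESVC). The following correlation pass is an added example, not code from the advisory or the article; the hostnames, account names, IP addresses and timestamps are constructed, and the fan-out threshold is an assumption to tune for your environment.

```python
"""
Correlation pass over Windows event records for the persistence and
lateral-movement steps described above. Added example; not code from the
advisory or the article. Event IDs are the standard Windows ones
(4720 user created, 4722 user enabled, 4624 logon, 7045 service installed);
hostnames, account names, IPs and timestamps are constructed.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names mirror the
# usual log attributes: TargetUserName -> "target", IpAddress -> "src_ip".
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T02:10:00", "id": 4720, "host": "DC01", "subject": "admin", "target": "svc_backup2"},
    {"ts": "2024-08-01T02:10:05", "id": 4722, "host": "DC01", "subject": "admin", "target": "svc_backup2"},
    {"ts": "2024-08-01T02:11:00", "id": 4722, "host": "DC01", "subject": "admin", "target": "old_contractor"},
    {"ts": "2024-08-01T02:15:00", "id": 4624, "host": "FS01", "logon_type": 10, "src_ip": "10.0.5.23", "target": "svc_backup2"},
    {"ts": "2024-08-01T02:16:00", "id": 4624, "host": "FS02", "logon_type": 10, "src_ip": "10.0.5.23", "target": "svc_backup2"},
    {"ts": "2024-08-01T02:17:00", "id": 4624, "host": "APP01", "logon_type": 10, "src_ip": "10.0.5.23", "target": "svc_backup2"},
    {"ts": "2024-08-01T02:20:00", "id": 7045, "host": "FS02", "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-08-01T09:00:00", "id": 4624, "host": "WS10", "logon_type": 2, "src_ip": "-", "target": "alice"},
]


def new_then_enabled(events):
    """Accounts created (4720) and then enabled (4722): fresh persistence accounts."""
    created, hits = set(), []
    for e in events:
        if e["id"] == 4720:
            created.add(e["target"])
        elif e["id"] == 4722 and e["target"] in created:
            hits.append(e["target"])
    return hits


def reenabled_accounts(events):
    """4722 with no earlier 4720 for that account: a disabled account switched back on."""
    created, hits = set(), []
    for e in events:
        if e["id"] == 4720:
            created.add(e["target"])
        elif e["id"] == 4722 and e["target"] not in created:
            hits.append(e["target"])
    return hits


def rdp_fanout(events, min_hosts=3):
    """Source IPs that opened RDP sessions (4624, LogonType 10) to >= min_hosts distinct hosts."""
    by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].add(e["host"])
    return {src: hosts for src, hosts in by_src.items() if len(hosts) >= min_hosts}


def psexec_services(events):
    """7045 service installs whose name or binary is PsExec's PSEXESVC."""
    return [
        (e["host"], e.get("service_name", ""))
        for e in events
        if e["id"] == 7045
        and (e.get("service_name", "").upper() == "PSEXESVC"
             or e.get("image_path", "").lower().endswith("psexesvc.exe"))
    ]


def triage(events):
    """Run every check and return the findings keyed by check name."""
    return {
        "new_accounts_enabled": new_then_enabled(events),
        "reenabled_accounts": reenabled_accounts(events),
        "rdp_fanout": rdp_fanout(events),
        "psexec_services": psexec_services(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

The re-enable check deliberately keys on a 4722 that has no matching 4720 in the window: that is the signature of a dormant account being revived rather than a new one being provisioned, and it is the one that slips past "new account" alerting. In a real deployment 7045 comes from the System log rather than Security, and the RDP fan-out threshold should be set from a baseline of normal admin behaviour.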

A notable tactic in RansomHub's arsenal is intermittent encryption, which encrypts only portions of each file to shorten the time needed to render data unusable. Exfiltration is carried out over channels including PuTTY, WinSCP, Rclone, Amazon S3 buckets, raw HTTP POST requests, and Cobalt Strike or Metasploit sessions.
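Intermittent encryption is faster, and it also blunts a common defensive heuristic: a whole-file entropy check. The following is an added example, not code from the advisory or from any RansomHub sample, showing the effect on a constructed low-entropy file. Ciphertext is simulated with seeded random bytes (real ciphertext is statistically indistinguishable from random for this purpose), and the chunk and stride sizes are assumptions chosen for illustration, not the ransomware's actual parameters.

```python
"""
Why intermittent encryption defeats whole-file entropy checks. Added example,
not code from the advisory or a RansomHub sample. Ciphertext is simulated with
seeded random bytes, and the chunk/stride sizes are assumed for illustration,
not taken from the actual ransomware.
"""
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def make_plaintext(size: int) -> bytes:
    """Constructed low-entropy 'document': one sentence repeated to the requested size."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    return (sentence * (size // len(sentence) + 1))[:size]


def full_encrypt(data: bytes, seed: int = 0) -> bytes:
    """Simulated conventional encryption: every byte of the file is replaced."""
    return random.Random(seed).randbytes(len(data))


def intermittent_encrypt(data: bytes, chunk: int, stride: int, seed: int = 0) -> bytes:
    """Simulated intermittent encryption: only the first `chunk` bytes of every
    `stride`-byte window are replaced; the rest of the file stays plaintext."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out), stride):
        end = min(start + chunk, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def looks_encrypted_whole(data: bytes, threshold: float = 7.0) -> bool:
    """The naive check: a single entropy value for the entire file."""
    return shannon_entropy(data) >= threshold


def encrypted_windows(data: bytes, window: int = 1024, threshold: float = 7.5) -> list:
    """Offsets of fixed-size windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def run_demo(size: int = 256 * 1024, chunk: int = 1024, stride: int = 16 * 1024, seed: int = 1) -> dict:
    """Compare the whole-file check with the windowed check on one partially encrypted file."""
    plain = make_plaintext(size)
    partial = intermittent_encrypt(plain, chunk, stride, seed)
    return {
        "plain_entropy": shannon_entropy(plain),
        "partial_entropy": shannon_entropy(partial),
        "whole_file_flagged": looks_encrypted_whole(partial),
        "windows_flagged": len(encrypted_windows(partial)),
        "windows_total": math.ceil(size / 1024),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

With 1 KiB of every 16 KiB encrypted, the file's overall entropy barely moves and the whole-file check stays silent, while a windowed scan flags exactly the encrypted regions. The practical consequence is that entropy-based detection needs to operate on fixed-size windows (or on write patterns) rather than on whole files, and that a partially encrypted file is still unusable to the victim even though most of its bytes are intact.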

This development coincides with Palo Alto Networks Unit 42’s analysis of the tactics employed by the ShinyHunters ransomware group, now tracked as Bling Libra. The analysis noted that Bling Libra has shifted from selling or publishing stolen data to focusing on extortion. The group initially came to prominence in 2020 and has since been using legitimate credentials sourced from public repositories to gain access to organizations’ Amazon Web Services (AWS) environments. Despite the limited permissions associated with the compromised credentials, Bling Libra has conducted extensive reconnaissance within AWS environments, using tools like the Amazon Simple Storage Service (S3) Browser and WinSCP to access and delete S3 objects.

The evolution of ransomware attacks has seen a shift from simple file encryption to more complex, multi-layered extortion strategies, including triple and quadruple extortion schemes, as noted by SOCRadar. Triple extortion introduces additional threats, such as Distributed Denial of Service (DDoS) attacks or direct threats to a victim’s clients or suppliers, aiming to inflict further operational and reputational damage. Quadruple extortion involves extorting third parties connected to the primary victim or threatening to expose third-party data to increase pressure on the original target.

The profitability of RaaS models has spurred the emergence of new ransomware variants, including Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. This trend has also led to collaborations between Iranian state-sponsored actors and known ransomware groups like NoEscape, RansomHouse, and BlackCat, in exchange for a share of the illicit profits.
