Intel 471 Issues a Warning on RansomHub

2024-10-10

Since its first appearance in February 2024 on the infamous "RAMP" hacking forum, RansomHub has rapidly gained notoriety for its aggressive tactics and high-profile targets.

RansomHub is believed to be an updated and rebranded version of the older Knight ransomware. The rebranding and evolution have made RansomHub a formidable force in the digital extortion industry.

Tactics and Techniques

RansomHub employs a variety of tactics to breach its targets. Initial access is usually achieved through software vulnerabilities, phishing or the reuse of credentials. Once inside a network, the ransomware encrypts files on the system, meaning they can no longer be accessed. This can cause significant disruption to the operation of a business, and this tactic is employed to apply more pressure to the victim of the attack.

After encrypting the files, the group will keep the decryption key to itself, and will only release it to the victim if they agree to pay a ransom. This is RansomHub's main source of income, and is what attracts affiliates to its platform in the first place.  The group also employs a double-extortion strategy, whereby they will also threaten to release the stolen data to public if the ransom is not paid. This data can include critical key information that can cause businesses to go into bankruptcy, as well as undermine the safety of all individuals whose data may appear in the breach.

On the note of income, RaaS platforms have become known to maintain very sophisticated hierarchies and affiliate programs. The degree of professionalism that is observed within these criminal enterprises is enticing to would-be affiliates, who benefit greatly through access to the software that is provided to them by the ransomware operator, the security in exfiltrating the data and in receiving the ransom payment. The benefits and income security, as well as things like better guarantee of anonymity and access to targets, makes joining a platform more economically viable to a bad actor than 'flying solo'. This is how they are able to attract a higher quality of hackers to their platforms, who are able to pull off more challenging and more lucrative attacks.

Impact and Reach of RansomHub Attacks

Per the FBI, RansomHub has breached over 210 organizations to date, primarily targeting critical infrastructure sectors in the U.S., including healthcare, government, and financial services.

In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other agencies, has issued advisories detailing RansomHub’s tactics and providing guidance on mitigation. Organizations are urged to implement robust cybersecurity measures, including regular software updates, employee training on phishing, and maintaining offline backups of critical data.

How to protect your business from RaaS

Here is a run-down of the mitigations that are recommended by CISA, who have made recommendations to several key parties including blue teams and software manufacturers.

To network defenders and security professionals:

  • Implement a recovery plan where sensitive data is backed up onto a separate network or device
  • Maintain a stringent password policy for system users
  • Keep all operating systems and software up to date
  • Employ Multi-Factor Authentication
  • Keep networks segmented to reduce the spread of malware
  • Monitor indicators of compromise (IOCs)
  • Stress test your network using frameworks such as MITRE's ATT&CK

To software developers:

  • Embed security protocols into your product architecture
  • Make Multi-Factor Authentication the default, particularly for admins

 

Stay alerted

RansomHub’s rapid ascension in the ransomware industry underscores the importance of vigilance and proactive cybersecurity measures. As cyber threats continue to evolve, staying informed and prepared is crucial for organizations to protect themselves against threats such as ransomware.

Sources

https://go.intel471.com/hubfs/Emerging%20Threats/RansomHub%20Ransomware%20-%20Emerging%20Threat.pdf

https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-breached-210-victims-since-february/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a

https://go.intel471.com/hubfs/Emerging%20Threats/RansomHub%20Ransomware%20-%20Emerging%20Threat.pdf

 

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

 

 

Related news

A Brief History of Ransomware | White Blue Ocean
A Brief History of Ransomware
2023-11-10

Ransomware is continuously developing and becoming more and more sophisticated. It isn’t going anywhere anytime soon, but where did it come from? Where did it go? And how has it evolved?

Read more
SIAE Data Breach
2021-10-21

News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.

Read more
Ransomware attack results in the shutdown of the Colonial Pipeline
2021-06-15

The cyberattack that at the beginning of May targeted and caused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the US, was a powerful example of the threat posed by the rising number of ransomware attacks, and the detrimental effect they can have not only on businesses but on national critical infrastructure.

Read more
Ransomware in 2021: a growing global threat
2021-12-14

Ransomware is not a new threat, but in recent years it has grown so exponentially that it has become one of the most prominent global threats, not only in the digital world but in the physical one as well.

Read more
Malicious Browser Extensions
Malicious Browser Extensions
2022-11-18

Browser Extensions can improve the convenience, productivity, and efficiency of browsers; however, they are not always secure as they look and can pose a significant challenge to cybersecurity. As a matter of fact, extensions can be easily downloaded with just one click, typically have full access to the contents of any web page the user loads and can handle sensitive data. This has made extensions a valuable target for threat actors.

Read more
2023 Cybersecurity Threats and Trends | White Blue Ocean
2023 Cybersecurity Threats and Trends
2023-07-05

is perpetrated. In this article, we will take you through some key points which illustrate the direction that cybercrime is taking. This might help to inform users about the types of attacks we can expect throughout the rest of 2023.

Read more
Evil Corp The New Targets of the National Crime Agency
2024-10-25

Evil Corp, a notorious Russian cybercrime group, has been hit with sanctions by the UK, US, and Australia following their involvement in ransomware attacks. The group is also known for its connections to the Russian Government. Recent international efforts, including Operation Cronos, aim to disrupt their activities and weaken their influence on the global ransomware industry.

Read more

Contacts

Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!