Since its first appearance in February 2024 on the infamous "RAMP" hacking forum, RansomHub, a ransomware-as-a-service (RaaS) operation, has rapidly gained notoriety for its aggressive tactics and high-profile targets.
RansomHub is believed to be an updated and rebranded version of the older Knight ransomware. The rebranding and evolution have made RansomHub a formidable force in the digital extortion industry.
RansomHub employs a variety of tactics to breach its targets. Initial access is typically gained by exploiting software vulnerabilities, through phishing, or with stolen or reused credentials. Once inside a network, affiliates deploy the ransomware, which encrypts files so that they cannot be read without the decryption key. The resulting outage is deliberate: the disruption to business operations is what applies pressure on the victim.
After encrypting the files, the group keeps the decryption key and releases it only if the victim agrees to pay a ransom. This is RansomHub's main source of income, and it is what attracts affiliates to the platform in the first place. The group also employs a double-extortion strategy: data is exfiltrated before encryption, and the group threatens to publish it if the ransom is not paid. That data can include commercially sensitive information capable of pushing a business into bankruptcy, as well as personal data that puts every individual appearing in the breach at risk.
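As an added example (not code from the original article or from any RansomHub analysis), the following Python detector illustrates one way defenders catch the encryption phase described above: a single process rewriting many files with ciphertext-like content and an appended extension within a short window. The file-write event feed, its field layout and the paths are constructed for this example, and the thresholds are assumptions to be tuned against real telemetry.

```python
"""Entropy-based mass-encryption detector, run over constructed file-write events.

Assumed input (not from the article): an EDR or file-audit feed yielding
(timestamp_seconds, pid, path, bytes_written), sorted by timestamp.
"""
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 60       # how quickly one process must touch many files (assumed)
MIN_FILES = 5             # distinct ciphertext-like files in the window before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_renamed(path: str) -> bool:
    """True when an extra extension has been appended, e.g. report.docx.locked."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.count(".") >= 2


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, threshold=ENTROPY_THRESHOLD):
    """Return [(pid, first_timestamp, sorted_paths)] for every process that writes
    ciphertext-like content to at least `min_files` renamed files within `window` s."""
    suspicious = defaultdict(list)  # pid -> [(ts, path)] of high-entropy renamed writes
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= threshold and looks_renamed(path):
            suspicious[pid].append((ts, path))

    alerts = []
    for pid, writes in suspicious.items():
        start = 0
        for end in range(len(writes)):
            # slide the window so that writes[start:end+1] spans at most `window` seconds
            while writes[end][0] - writes[start][0] > window:
                start += 1
            distinct = {p for _, p in writes[start:end + 1]}
            if len(distinct) >= min_files:
                alerts.append((pid, writes[start][0], sorted(distinct)))
                break  # one alert per process is enough
    return alerts


# Constructed stand-ins for file contents: every byte value equally likely gives
# exactly 8.0 bits/byte, which is what real ciphertext looks like to this check.
CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly report: revenue up 4% on last year. " * 90

# Constructed events: pid 7788 behaves like an encryptor; the others are benign noise.
SAMPLE_EVENTS = [
    (0, 1001, r"C:\Users\alice\Documents\report.docx", PLAINTEXT),        # normal document save
    (1, 7788, r"C:\Shares\finance\budget.xlsx.locked", CIPHERTEXT),
    (2, 7788, r"C:\Shares\finance\payroll.xlsx.locked", CIPHERTEXT),
    (3, 7788, r"C:\Shares\finance\forecast.docx.locked", CIPHERTEXT),
    (4, 7788, r"C:\Shares\hr\contracts.pdf.locked", CIPHERTEXT),
    (5, 7788, r"C:\Shares\hr\policies.pdf.locked", CIPHERTEXT),
    (6, 2002, r"C:\Users\bob\Downloads\archive.zip", CIPHERTEXT),          # one archive: high entropy, not renamed
    (7, 3003, r"C:\Users\carol\Pictures\holiday.jpg.bak", CIPHERTEXT),     # single renamed write: below MIN_FILES
]

if __name__ == "__main__":
    for pid, first_ts, paths in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} started at t={first_ts}s, {len(paths)} files: {paths}")
```

Entropy on its own is a noisy signal, because archives, media and already-encrypted files all score near 8.0; the detector therefore requires all three properties at once (ciphertext-like content, a rename pattern, and many distinct files from one process in a short window). Production EDR tooling adds further signals, such as canary files and shadow-copy deletion, that this example leaves out.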
On the subject of income, RaaS platforms are known for sophisticated hierarchies and affiliate programs. The professionalism of these criminal enterprises is enticing to would-be affiliates, who gain access to the operator's ransomware, to its infrastructure for exfiltrating data and negotiating with victims, and to a reliable mechanism for receiving the ransom payment. That income security, together with a better guarantee of anonymity and a supply of targets, makes joining a platform more economically attractive to a bad actor than working alone. This is how RaaS operators attract more capable affiliates, who in turn pull off more challenging and more lucrative attacks.
Per the FBI, RansomHub had breached at least 210 organizations by the time of the August 2024 advisory, primarily targeting critical infrastructure sectors in the U.S., including healthcare, government, and financial services.
In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other agencies, has issued advisories detailing RansomHub’s tactics and providing guidance on mitigation. Organizations are urged to implement robust cybersecurity measures, including regular software updates, employee training on phishing, and maintaining offline backups of critical data.
Here is a run-down of the mitigations CISA recommends, addressed to several key parties, including network defenders and software manufacturers.
To network defenders and security professionals:
To software developers:
Stay alert
RansomHub’s rapid ascent in the ransomware industry underscores the importance of vigilance and proactive cybersecurity measures. As cyber threats continue to evolve, staying informed and prepared is crucial for organizations that want to protect themselves against threats such as ransomware.
https://go.intel471.com/hubfs/Emerging%20Threats/RansomHub%20Ransomware%20-%20Emerging%20Threat.pdf
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.