Threat actors associated with the RansomHub ransomware group have encrypted and stolen data from at least 210 victims since its inception in February 2024, the US government said.
Victims span a variety of sectors, including water and sanitation, information technology, government services and facilities, health and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.
“RansomHub is a Ransomware-as-a-Service variant, formerly known as Cyclops and Knight, that has proven to be an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV),” the government agencies said.
A Ransomware-as-a-Service (RaaS) variant descended from Cyclops and Knight, the cybercrime operation has attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV (aka BlackCat) following a recent wave of law enforcement actions.
An analysis by ZeroFox published late last month noted that RansomHub activity as a share of all ransomware activity observed by the cybersecurity vendor is increasing, accounting for approximately 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3.
“Approximately 34% of RansomHub’s attacks targeted organizations in Europe, compared to 25% of global threats,” the company noted.
The group is known to use a double extortion model, stealing data and encrypting systems in order to extort victims, who are prompted to contact the operators via a unique .onion URL. Targeted companies that refuse to agree to a ransom demand have their information posted on the data leak site for between three and 90 days.
Initial access to the victim’s environment is facilitated by exploiting known security vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence data center and server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788) devices, among others.
After this step, affiliates perform reconnaissance and network scanning using programs such as AngryIPScanner, Nmap, and other living-off-the-land (LotL) techniques. RansomHub attacks have also been observed disabling antivirus software with custom tools in order to fly under the radar.
“After initial access, RansomHub affiliates created user accounts for persistence, re-enabled disabled accounts, and used Mimikatz on Windows systems to harvest credentials (T1003) and elevate privileges to SYSTEM,” the US government advisory said.
“The affiliates then moved laterally inside the network using methods including Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, or other widely used Command and Control (C2) methods.”
Another notable aspect of RansomHub attacks is the use of intermittent encryption to speed up the process, with data exfiltration carried out using tools such as PuTTY, Amazon AWS S3, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
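The tool names above (scanners, Mimikatz, PsExec/AnyDesk, Rclone/WinSCP/PuTTY) are the kind of process-creation telemetry a defender can correlate per host. The following is an added example, not code from the advisory or the article: it classifies constructed process-creation log lines by the phase the article assigns each tool to, and flags hosts where credential harvesting is followed by an exfiltration tool. The log format and the image-name patterns are assumptions.

```python
import re
from collections import defaultdict

# Tools the advisory text names, grouped by the phase the article assigns them.
# The patterns are assumptions about process image names seen in process-creation
# telemetry, not an official indicator list.
PHASE_PATTERNS = {
    "reconnaissance": [r"angryip|ipscan", r"\bnmap\b"],
    "credential_access": [r"\bmimikatz\b"],
    "lateral_movement": [r"\bpsexec\b", r"\banydesk\b", r"connectwise", r"n-able"],
    "exfiltration": [r"\brclone\b", r"\bwinscp\b", r"\bputty\b"],
}

# Assumed log line shape: "<timestamp> host=<name> user=<name> image=<path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+)")

def classify(line):
    """Return (host, phase, image) when the line names a listed tool, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    image = m.group("image").lower()
    for phase, patterns in PHASE_PATTERNS.items():
        if any(re.search(p, image) for p in patterns):
            return m.group("host"), phase, m.group("image")
    return None

def phases_by_host(lines):
    """Map each host to the distinct phases observed, in log order."""
    seen = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit and hit[1] not in seen[hit[0]]:
            seen[hit[0]].append(hit[1])
    return dict(seen)

def escalated_hosts(lines):
    """Hosts where credential access precedes exfiltration: the progression the
    article describes, and a stronger signal than any single tool sighting."""
    out = []
    for host, phases in phases_by_host(lines).items():
        if "credential_access" in phases and "exfiltration" in phases and \
           phases.index("credential_access") < phases.index("exfiltration"):
            out.append(host)
    return out

# Constructed sample telemetry (not real logs); WS01 shows the full chain.
SAMPLE = [
    r"2024-08-30T10:00:01Z host=WS01 user=CORP\jdoe image=C:\Tools\nmap.exe",
    r"2024-08-30T10:05:14Z host=WS01 user=CORP\jdoe image=C:\Temp\mimikatz.exe",
    r"2024-08-30T10:20:40Z host=WS01 user=CORP\svc image=C:\Temp\PsExec.exe",
    r"2024-08-30T11:02:09Z host=WS01 user=CORP\svc image=C:\Temp\rclone.exe",
    r"2024-08-30T11:03:00Z host=WS02 user=CORP\abby image=C:\Apps\WinSCP\WinSCP.exe",
    r"2024-08-30T11:04:00Z host=WS03 user=CORP\bob image=C:\Windows\notepad.exe",
]
```

Running `escalated_hosts(SAMPLE)` returns only `WS01`; WS02 shows a single exfiltration-tool sighting and is left for lower-priority review.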
The development comes after Palo Alto Networks Unit 42 unpacked the tactics associated with the ShinyHunters ransomware group, tracked as Bling Libra, highlighting its shift to extorting victims as opposed to its traditional tactic of selling or publishing stolen data. The threat actor first emerged in 2020.
“The group obtains legitimate credentials, sourced from public repositories, to gain initial access to an organization’s Amazon Web Services (AWS) environment,” security researchers Margaret Zimmerman and Chandni Vaya said.
“While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra penetrated the organization’s AWS environment and conducted reconnaissance operations. The threat actor group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access S3 objects, and delete data.”
It is also the result of a significant evolution in ransomware attacks, which have gone beyond file encryption to employ sophisticated, multifaceted extortion strategies, including triple and quadruple extortion schemes, according to SOCRadar.
“Triple extortion raises the stakes by threatening additional means of disruption beyond encryption and exfiltration,” the company said.
“This may include launching a DDoS attack against the victim’s systems or issuing direct threats to the victim’s customers, suppliers, or other partners in order to cause additional operational and reputational damage to those ultimately targeted in the extortion scheme.”
Quadruple extortion ups the ante by contacting and extorting third parties who do business with the victim, or by threatening to disclose third-party data in order to further pressure the victim to pay.
The lucrative nature of RaaS models has caused a surge in new ransomware variants such as Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has also led Iranian nation-state actors to cooperate with known groups such as NoEscape, RansomHouse, and BlackCat in exchange for a cut of the illicit proceeds.