On August 29, 2024, a joint advisory was issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS).
This advisory shed light on RansomHub ransomware, a formidable new threat in the cyber landscape.
As part of the #StopRansomware initiative, this update aims to arm network defenders with crucial information on RansomHub’s tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs). The Traffic Light Protocol (TLP) of CLEAR indicates that this information is intended for open dissemination to bolster collective defenses against ransomware.
RansomHub, also identified as Cyclops and Knight, emerged in February 2024 and has rapidly become a significant player in the ransomware arena. It has targeted a broad spectrum of sectors, including critical infrastructure such as water treatment, healthcare, and government services.
Notably, RansomHub employs a double-extortion model, encrypting data and then exfiltrating it to demand ransom payments. Victims are pressured not only to pay the ransom to regain access to their encrypted data but also to avoid having their stolen information published online.
According to Cyble’s vision report, RansomHub appears to be an evolution of the Knight ransomware group, with ties to ALPHV affiliates and a distinctive Ransomware-as-a-Service (RaaS) model. This model includes a prepayment scheme, adding a layer of complexity to the attack process.
The ransomware exploits known vulnerabilities like Zerologon for initial access, further underscoring its sophisticated nature. The group’s operations reveal a preference for utilizing advanced techniques, including zero-day vulnerabilities and sophisticated data exfiltration methods.
RansomHub has shown a wide-ranging impact, affecting industries from aerospace and defense to agriculture, automotive, and healthcare. Its global reach is evident in the diverse list of targeted countries and sectors, illustrating the ransomware’s indiscriminate nature and extensive impact.
RansomHub affiliates gain access through a range of methods, such as phishing, which involves sending out mass or spear-phishing emails, and the exploitation of vulnerabilities like CVE-2023-3519 and CVE-2023-27997. They also use password spraying to attempt entry through weak or compromised credentials.
Once inside, the group utilizes tools like AngryIPScanner and Nmap to scan and map networks, identifying potential targets for lateral movement. To evade detection, RansomHub employs several techniques, including renaming ransomware executables to benign names, clearing system logs to obstruct forensic analysis, and disabling security tools using methods such as Windows Management Instrumentation (WMI).
For privilege escalation and lateral movement, they harvest credentials with tools like Mimikatz and use RDP, PsExec, and command-and-control tools to navigate within the network. Data exfiltration is achieved through various methods, including the use of cloud storage services like AWS S3 buckets and HTTP POST requests to transfer data.
RansomHub encrypts files with Curve25519 elliptic-curve cryptography, encrypting data in chunks and appending metadata containing the encryption keys. The affiliates leverage both legitimate and repurposed tools, such as Cobalt Strike for lateral movement and file execution, PowerShell for scripting and automation, and WinSCP and RClone for file transfers and syncing with cloud storage. The advisory also lists Indicators of Compromise (IOCs) associated with RansomHub, including specific file paths, IP addresses, and URLs related to the ransomware’s operations.
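Two of the behaviors described above, password spraying for initial access and clearing of Windows event logs to hinder forensics, leave traces that a defender can hunt for in authentication and audit telemetry. The following is an added detection example, not code from the advisory or from the agencies that issued it. It runs over a constructed batch of simplified Windows Security events (the field names `time`, `event_id`, `src_ip`, `user` and `host` are assumptions; the event IDs 4625 for a failed logon and 1102 for "the audit log was cleared" are real Windows Security event IDs) and flags a source IP that fails logons against many distinct accounts inside a short window, plus any log-clearing event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not from the advisory's IOC list).
# A single source, 10.0.0.5, fails logons for six different accounts within
# a few seconds, which is the password-spraying pattern; 10.0.0.9 is one
# user mistyping a password twice and should not be flagged.
SAMPLE_EVENTS = [
    {"time": "2024-08-29T10:00:01", "event_id": 4625, "src_ip": "10.0.0.5", "user": "alice", "host": "dc01"},
    {"time": "2024-08-29T10:00:02", "event_id": 4625, "src_ip": "10.0.0.5", "user": "bob", "host": "dc01"},
    {"time": "2024-08-29T10:00:03", "event_id": 4625, "src_ip": "10.0.0.5", "user": "carol", "host": "dc01"},
    {"time": "2024-08-29T10:00:04", "event_id": 4625, "src_ip": "10.0.0.5", "user": "dave", "host": "dc01"},
    {"time": "2024-08-29T10:00:05", "event_id": 4625, "src_ip": "10.0.0.5", "user": "erin", "host": "dc01"},
    {"time": "2024-08-29T10:00:06", "event_id": 4625, "src_ip": "10.0.0.5", "user": "frank", "host": "dc01"},
    {"time": "2024-08-29T10:01:00", "event_id": 4625, "src_ip": "10.0.0.9", "user": "alice", "host": "dc01"},
    {"time": "2024-08-29T10:02:00", "event_id": 4625, "src_ip": "10.0.0.9", "user": "alice", "host": "dc01"},
    {"time": "2024-08-29T10:04:30", "event_id": 4624, "src_ip": "10.0.0.9", "user": "alice", "host": "dc01"},
    {"time": "2024-08-29T10:05:00", "event_id": 1102, "src_ip": "", "user": "SYSTEM", "host": "dc01"},
]

# Event IDs that indicate an event log was cleared: 1102 (Security log,
# logged by the Security channel) and 104 (System/Application log, logged
# by the System channel).
LOG_CLEARED_IDS = {1102, 104}


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return one alert per source IP whose failed logons (4625) touch at
    least `min_users` distinct accounts within any `window`-long span.

    Spraying tries one password against many users, so the distinguishing
    signal is breadth of accounts per source, not volume per account."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()  # (time, user) tuples sort chronologically
        for i, (t0, _) in enumerate(attempts):
            # Sliding window starting at each attempt: collect the distinct
            # accounts targeted from this IP before the window closes.
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"src_ip": ip, "distinct_users": len(users),
                               "window_start": t0.isoformat()})
                break  # one alert per source is enough for triage
    return alerts


def detect_log_clearing(events):
    """Return every event-log-cleared record, with the host it came from.

    Clearing logs is rarely legitimate outside planned maintenance, so
    each hit deserves a look regardless of what preceded it."""
    return [{"host": e.get("host", "?"), "event_id": e["event_id"],
             "time": e["time"], "user": e.get("user", "?")}
            for e in events if e["event_id"] in LOG_CLEARED_IDS]


def run_detections(events=SAMPLE_EVENTS):
    """Run both detections and return their findings together."""
    return {"password_spray": detect_password_spray(events),
            "log_cleared": detect_log_clearing(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for h in hits:
            print("  ", h)
```

The spray threshold (five accounts in five minutes) is deliberately conservative; tune it to the environment and, on real data, key on the source IP or workstation name from the 4625 event rather than on the target account, because the account changes with every attempt. The log-clearing check stands alone because a single 1102 is actionable on its own: when it appears in the same window as a spray alert, the two together map closely onto the initial-access and defense-evasion sequence the advisory describes.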
The RansomHub ransomware represents a complicated threat to organizations across various sectors. Its sophisticated techniques and extensive reach necessitate a proactive and comprehensive approach to cybersecurity.
By implementing the recommended mitigations and staying informed about evolving threats, organizations can better protect themselves against ransomware attacks. For additional resources and guidance on ransomware defense, organizations are encouraged to visit stopransomware.gov and engage with relevant cybersecurity communities.
Sources: https://www.ic3.gov/Media/News/2024/240829.pdf