RansomHub Ransomware: Emerging Threat and Mitigation Strategies
RansomHub ransomware has quickly gained notoriety since its inception in February 2024. A joint government advisory disseminates known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with RansomHub.
Introduction
On August 29, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS) released a joint cybersecurity advisory. The advisory, part of the ongoing #StopRansomware campaign, highlights the RansomHub ransomware. This variant has quickly gained notoriety since its inception in February 2024. The advisory disseminates known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with RansomHub, urging network defenders to implement critical mitigations to reduce the risk of infection.
Report Overview
RansomHub, known initially as Cyclops and Knight, is a ransomware-as-a-service (RaaS) model that has attracted high-profile affiliates from other prominent ransomware families, such as LockBit and ALPHV. Since its emergence, RansomHub has been responsible for encrypting and exfiltrating data from at least 210 victims across various critical infrastructure sectors, including water and wastewater, healthcare, government services, and financial services.
The RansomHub affiliates typically gain initial access through various means, including phishing emails, exploitation of known vulnerabilities, and password-spraying techniques. Vulnerabilities such as CVE-2023-3519 in Citrix ADC and CVE-2023-27997 in FortiOS have been exploited to achieve remote code execution and unauthorized access to target systems.
Once inside the network, affiliates use tools such as AngryIPScanner, Nmap, and PowerShell-based methods for network discovery. They then escalate privileges using tools like Mimikatz and move laterally through the network using Remote Desktop Protocol (RDP) and PsExec. Data exfiltration is conducted through various means, including HTTP POST requests, Amazon AWS S3 buckets, and tools like WinSCP and Rclone.
The ransomware uses the Curve 25519 encryption algorithm and applies intermittent encryption, encrypting only portions of each large file so that the process completes quickly. Ransom notes typically instruct victims to contact the ransomware group via a unique .onion URL, with ransom demands varying depending on the affiliate responsible for the attack.
RansomHub has significantly affected its victims, particularly in critical infrastructure sectors. Affiliates' double-extortion model—encrypting systems and exfiltrating data—has resulted in severe operational disruptions and financial losses for affected organizations. The broad range of sectors RansomHub targets highlights its potential to cause widespread damage, making it a critical threat to national security and economic stability.
Insights and Analysis
The FBI and CISA emphasize that organizations should not pay ransoms, as doing so does not guarantee file recovery and may encourage further criminal activity. Instead, they recommend a series of mitigation measures, including implementing phishing-resistant multi-factor authentication (MFA), keeping systems updated, and segmenting networks to limit the spread of ransomware.
RansomHub represents a significant and evolving threat in the cybersecurity landscape. Organizations must remain vigilant and proactive in implementing the recommended mitigations to protect against this and other ransomware variants. By following the guidance in the advisory and maintaining a robust cybersecurity posture, organizations can reduce their risk of falling victim to RansomHub and similar threats.
Network defenders are encouraged to review the complete advisory, which is available on the #StopRansomware website, for further details and technical information, including a full list of IOCs and TTPs.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
8.211.2[.]97 | IP Address | Known IP address linked to malicious activity, historically associated with QakBot. |
45.95.67[.]41 | IP Address | Known IP address linked to RansomHub ransomware operations. |
45.134.140[.]69 | IP Address | Known IP address related to malicious activity. |
45.135.232[.]2 | IP Address | Known IP address associated with RansomHub-related activities. |
89.23.96[.]203 | IP Address | Known IP address involved in distributing ransomware payloads. |
188.34.188[.]7 | IP Address | Known IP address linked to RansomHub ransomware operations. |
193.106.175[.]107 | IP Address | IP address related to RansomHub activity. |
193.124.125[.]78 | IP Address | IP address associated with RansomHub or similar ransomware activities. |
193.233.254[.]21 | IP Address | IP address used in RansomHub-related malicious activities. |
C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe | File Path | Path indicating the presence of CrackMapExec tool, used in network compromises. |
C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe | File Path | Path indicating the use of Kerbrute for Kerberoasting attacks. |
C:\Users\%USERNAME%\Downloads\Anydesk.exe | File Path | Path indicating the use of Anydesk for command and control (C2) purposes. |
C:\Users\%USERNAME%\Desktop\IamBatMan.exe | File Path | Path indicating the presence of a ransomware executable. |
C:\Users\backupexec\Desktop\stealer_cli_v2.exe | File Path | Path indicating the presence of an information stealer. |
C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe | File Path | Path indicating the use of Nmap for network scanning during the attack. |
C:\Program Files (x86)\Nmap\nmap.exe | File Path | Path indicating the installation of Nmap, likely used for network discovery. |
C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe | File Path | Path indicating the use of Mimikatz for credential dumping. |
C:\Users\backupexec\Downloads\x64\mimikatz.exe | File Path | Path indicating another instance of Mimikatz used for credential theft. |
http[:]//188.34.188[.]7/555 | URL | Malicious URL linked to ransomware operations, possibly used for C2 or payload delivery. |
http[:]//188.34.188[.]7/555/amba16.ico | URL | Malicious URL associated with RansomHub, possibly serving malicious files. |
http[:]//89.23.96[.]203/333/1.exe | URL | URL linked to ransomware payload distribution. |
http[:]//89.23.96[.]203/333/bcrypt.dll | URL | URL distributing malicious DLL files associated with ransomware. |
brahma2023[@]onionmail.org | Email Address |
The full list can be found on the CISA website.
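As an added defender-side example (not code from the advisory or from this post), the following Python turns the IOC table above into matching rules and runs them over constructed Sysmon-style events. The `%USERNAME%` component is treated as a wildcard for exactly one path segment, defanged indicators are normalised before matching, and the event field names (`Image`, `DestinationIp`) are assumed.

```python
import re

# File-path IOCs copied from the advisory's table; %USERNAME% stands for any profile name.
PATH_IOCS = {
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe": "CrackMapExec",
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe": "Kerbrute",
    r"C:\Users\%USERNAME%\Downloads\Anydesk.exe": "AnyDesk (possible C2)",
    r"C:\Users\%USERNAME%\Desktop\IamBatMan.exe": "ransomware executable",
    r"C:\Users\backupexec\Desktop\stealer_cli_v2.exe": "information stealer",
    r"C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe": "Mimikatz",
    r"C:\Program Files (x86)\Nmap\nmap.exe": "Nmap",
}

def refang(indicator):
    """Undo the [.] / [:] / [@] defanging used in the IOC table."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")

# Network IOCs from the same table, kept defanged here and refanged once at load time.
IP_IOCS = {refang(ip) for ip in (
    "8.211.2[.]97", "45.95.67[.]41", "45.134.140[.]69", "45.135.232[.]2",
    "89.23.96[.]203", "188.34.188[.]7", "193.106.175[.]107",
    "193.124.125[.]78", "193.233.254[.]21")}

def path_pattern(ioc_path):
    """Compile a table path to a case-insensitive regex; %USERNAME% matches one path component."""
    escaped = re.escape(ioc_path).replace(re.escape("%USERNAME%"), r"[^\\]+")
    return re.compile(r"^" + escaped + r"$", re.IGNORECASE)

PATH_PATTERNS = [(path_pattern(p), label) for p, label in PATH_IOCS.items()]

def match_event(event):
    """Return the IOC labels hit by one process-create (Image) or network (DestinationIp) event."""
    hits = []
    image = event.get("Image", "")
    for pattern, label in PATH_PATTERNS:
        if pattern.match(image):
            hits.append(f"path:{label}")
    if event.get("DestinationIp", "") in IP_IOCS:
        hits.append(f"ip:{event['DestinationIp']}")
    return hits

def scan(events):
    """Return (index, hits) for every event that matched at least one IOC."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e))]

# Constructed sample events, not real telemetry: two tool launches, one outbound connection, one benign process.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\mimikatz_trunk\x64\mimikatz.exe"},
    {"EventID": 1, "Image": r"c:\users\svc_backup\appdata\local\programs\python\python311\scripts\kerbrute.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe", "DestinationIp": "188.34.188.7"},
    {"EventID": 1, "Image": r"C:\Program Files\Git\bin\git.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Path matching is exact on the full image path, so a copy of the same tool dropped elsewhere is not flagged; pair this with hash- or behaviour-based detections rather than relying on paths alone.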
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing | T1566 | RansomHub affiliates used phishing emails to gain initial access to target systems. |
Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of known vulnerabilities in Citrix ADC and FortiOS to gain unauthorized access. |
Execution | Command and Scripting Interpreter | T1059.001 | Use of PowerShell scripts to automate and execute malicious commands within compromised networks. |
Defense Evasion | Masquerading | T1036 | Renaming of ransomware executables to innocuous file names to evade detection. |
Credential Access | OS Credential Dumping | T1003 | Use of Mimikatz to dump credentials from compromised Windows systems. |
Lateral Movement | Remote Desktop Protocol | T1021.001 | Use of Remote Desktop Protocol (RDP) to move laterally within the network after gaining access. |
Exfiltration | Exfiltration Over Alternative Protocol | T1048.002 | Data exfiltration through asymmetrically encrypted non-C2 protocols, such as HTTP POST requests. |
Impact | Data Encrypted for Impact | T1486 | RansomHub affiliates encrypted files using Curve 25519, impacting data availability. |
Impact | Inhibit System Recovery | T1490 | Deletion of volume shadow copies and backups to prevent system recovery after encryption. |