RansomHub has compromised 210 victims since its inception earlier this year. That’s according to a joint cybersecurity advisory, ‘#StopRansomware: RansomHub Ransomware’, recently released by the Cybersecurity and Infrastructure Security Agency (CISA) the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS).
Aimed at cybersecurity professionals and network defenders, the advisory reveals information gleaned from FBI investigations regarding tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and RansomHub activity detection methods.
Read on to get the low-down about RansomHub and the critical information contained in the advisory.
What is Ransomhub?
Ransomhub is a ransomware-as-a-service (RaaS) business operation that offers easy tools that other cybercriminals can rent as affiliates. Formerly known as Cyclops and Knight, the RaaS group makes it easy for those who don’t have the skills to create their own malicious code to launch ransomware attacks. Ransomhub has also attracted high-profile affiliates from other popular ransomware variants like LockBit and ALPHV.
The 210 victims of Ransomhub include people working in sectors like information technology, government services, healthcare and public health, emergency services, food and agriculture, and critical manufacturing.
Tactics and techniques
The central coercion model is double-extortion, where affiliates encrypt systems and exfiltrate data to extort victims. The specific exfiltration method used varies from affiliate to affiliate.
The initial ransom note doesn’t usually include ransom demand or payment instructions, but gives victims a client ID, instructing them to contact the ransomware group through a unique .onion URL, which can be accessed via the Tor browser. The victim generally has between three and 90 days to pay the ransom. If they fail to pay, the ransomware group will release their stolen data on the RansomHub Tor data leak site.
Common initial access methods include phishing emails, exploitation of known vulnerabilities, and password spraying. Known vulnerabilities exploited by Ransomhub affiliates include:
- Publicly accessible Confluence Data Center and Server instances that permit creating unauthorized Confluence administrator accounts and access.
- The Remote Code Execution vulnerability on the Java OpenWire protocol marshaller, such as in Apache ActiveMQ.
- The Remote Code Execution vulnerability on Citrix ADC (NetScaler).
Consult the advisory for a more in-depth look at Ransomhub’s tactics and techniques for extorting victims.
Tips for mitigation
- Keep all software, firmware, and OS up to date. This is one of the most effective ways you can reduce and avoid exposure to security threats and being exploited through known vulnerabilities.
- Implement network segmentation to control the traffic flows between various subnetworks and prevent the spread of ransomware.
- Use a networking monitoring tool to identify and investigate potential ransomware on your network. Something that logs and reports network traffic is ideal.
- And more.
For further information on protecting your network, check out CISA’s Stop Ransomware website.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.