11 September 2024

Ransomware in focus: Meet RansomHub

'Ransomware in focus' is our new series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware.
 
In this instalment, Melissa DeOrio, Global Threat Intelligence Lead, examines the operations of RansomHub.


Background

First observed in late February 2024, the RansomHub Ransomware-as-a-Service (‘RaaS’) group has quickly proven itself to be one of the most prolific groups in today’s ransomware ecosystem, claiming at least 227 victims in just 207 days. According to the group’s leak site, the group is made up of members in various global locations and maintains rules not to attack Russian-affiliated nations, such as former Soviet Union countries, Cuba, North Korea or China. Such restrictions typically indicate the geographic operating location of affiliates, who are often allowed to operate freely as long as local citizens remain unaffected.

Motivations

RansomHub is a financially motivated group that opportunistically targets all sectors; however, the RaaS rules prohibit attacks on non-profit organisations. RansomHub seeks to exfiltrate sensitive information from a target, encrypt its data, and monetise the intrusion through extortion.

Business model

RansomHub differentiates itself from the typical RaaS model by providing an increased level of autonomy and higher commission rates for participating affiliates. In advertisements for the group, the RaaS promised affiliates a 90% commission, making it the highest paying group currently known in the market. Additionally, the group lets affiliates collect their own ransom payments directly, paying the RaaS only after a ransom is received. This decision is believed to be an attempt to gain affiliate trust following two major fraud incidents in early 2024 within both the ALPHV and LockBit RaaS groups.

Affiliations 

We assess with moderate confidence that RansomHub operators purchased the Knight ransomware source code and leverage it in their attacks. This assessment is based on numerous public industry reports, drawing on multiple technical analyses, which indicate a significant degree of code similarity between the two groups’ binaries, the use of the same encryption algorithms, and the timing between the sale of Knight’s source code and the inception of RansomHub.

Affiliates previously associated with ALPHV are believed to have joined the RaaS. This assessment is based on the re-extortion of Change Healthcare by RansomHub with the same data used by ALPHV to extort the same victim in February 2024. Additionally, a member of the Scattered Spider threat group is also believed to work for RansomHub. This is based on the identification of several TTPs linked to Scattered Spider during attacks which subsequently resulted in data being posted on RansomHub’s leak site. Examples of these TTPs include the use of social engineering attacks to orchestrate victim account password resets via American-accented speakers, the use of the tools ngrok, Remmina and Tailscale, and techniques used to exploit the CyberArk password management system.


Victimology

Since their emergence in February 2024, RansomHub has gained notoriety for a number of high-profile attacks carried out against organisations across several critical infrastructure sectors. Despite this, we assess with moderate confidence that the group targets organisations opportunistically rather than in a targeted manner.

67% of victims were SMEs

The majority of RansomHub's victims to date have been small and medium-sized businesses (businesses with fewer than 1,000 employees).

[Chart: Companies targeted in the last 30 days, by country*. Source: ecrime.ch]

Notable Attacks
  • In April 2024, the group listed Change Healthcare on their extortion site, following a reported USD 22 million ransomware payment to ALPHV, the group who originally extorted them.
  • On 21 August 2024, Halliburton attributed to the group an attack which caused widespread disruption to their customers across the oil and gas industry. The total impact of the attack is still unknown.
  • Since their inception the group has gained notoriety for several high-profile attacks, including those on Christie’s auction house, Frontier Communications telecommunications company, and the Rite Aid drugstore chain, which resulted in the breach of 2.2 million customers’ personally identifiable information (PII).

[Chart: Companies targeted in the last 30 days, by sector*. Source: ecrime.ch]

*Data based on victims posted to the actor’s leak site, and thus unlikely to be comprehensive of all victims.


Tactics, Techniques and Procedures (TTPs)

Initial access

Initial access methods include the exploitation of publicly exposed remote services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) through password spraying, phishing and spear-phishing campaigns, and the exploitation of known vulnerabilities. Specifically, the group has been observed exploiting the following vulnerabilities: CVE-2023-3519, CVE-2023-27997, CVE-2023-46604, CVE-2023-22515, CVE-2023-46747, CVE-2023-48788, CVE-2017-0144, and CVE-2020-0787.

Propagation

Once within a network, RansomHub leverages tools such as ngrok for reverse proxying and AnyDesk for persistence, and uses Mimikatz to steal credentials. The group has been observed using the 2020 ZeroLogon flaw in the Windows Netlogon Remote Protocol (CVE-2020-1472) for privilege escalation, and evades defences by clearing application, system and security event logs with the wevtutil.exe tool to enable lateral movement throughout a network.

Encryption

The ransomware used by the group is capable of targeting Windows, Linux and ESXi instances. Unlike other RaaS models, the ransomware binary drops a ransom note and changes the wallpaper of a victim’s endpoint immediately upon execution, before encryption has completed. The group’s ransomware binary uses elliptic curve encryption with a unique public/private key pair for each victim, and appends a unique six-character alphanumeric extension to encrypted files. To inhibit recovery efforts, RansomHub’s binary is programmed to delete volume shadow copies through the vssadmin.exe program.
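Detection logic for the two recovery-inhibiting behaviours this profile attributes to RansomHub, wevtutil.exe log clearing (Propagation) and vssadmin.exe shadow-copy deletion (above), as an added example that is not part of the original article; the event record layout and the sample command lines are constructed, not taken from a real incident.

```python
"""Flag wevtutil.exe event-log clearing and vssadmin.exe shadow-copy deletion
in process-creation telemetry. The tuple layout below is a constructed stand-in
for a Sysmon Event ID 1 / Security 4688 export, not a real schema."""
from typing import Optional
import shlex

# Constructed sample telemetry: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-08-21T02:14:03Z", "FS01", "CORP\\svc_backup",
     "C:\\Windows\\System32\\vssadmin.exe list shadows"),            # benign listing
    ("2024-08-21T02:17:41Z", "FS01", "CORP\\admin",
     "vssadmin.exe delete shadows /all /quiet"),                      # hit
    ("2024-08-21T02:17:42Z", "FS01", "CORP\\admin",
     'C:\\Windows\\System32\\wevtutil.exe cl "Security"'),             # hit (short form)
    ("2024-08-21T02:17:42Z", "FS01", "CORP\\admin",
     "wevtutil clear-log System"),                                     # hit (long form)
    ("2024-08-21T02:18:00Z", "WS22", "CORP\\jdoe",
     "wevtutil.exe qe Application /c:5"),                              # benign query
]

def classify(cmdline: str) -> Optional[str]:
    """Return a finding label for a matching command line, else None."""
    try:
        # posix=False keeps Windows backslashes literal and quotes intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: not parseable, not a match
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()   # basename, case-folded
    args = [a.strip('"') for a in argv[1:]]
    if exe in ("wevtutil.exe", "wevtutil") and args and args[0].lower() in ("cl", "clear-log"):
        return f"event log cleared: {args[1] if len(args) > 1 else '<unspecified>'}"
    if exe in ("vssadmin.exe", "vssadmin") and [a.lower() for a in args[:2]] == ["delete", "shadows"]:
        return "volume shadow copies deleted"
    return None

def detect(events):
    """Return (timestamp, host, user, label) for every matching event."""
    return [(ts, host, user, lbl) for ts, host, user, cmd in events if (lbl := classify(cmd))]

def hosts_with_both(findings):
    """Hosts showing both behaviours: the combination described in this
    profile is a stronger signal than either command on its own."""
    kinds_by_host = {}
    for _, host, _, lbl in findings:
        kinds_by_host.setdefault(host, set()).add(lbl.split(":")[0])
    return sorted(h for h, kinds in kinds_by_host.items() if len(kinds) == 2)
```

Both commands also have legitimate administrative uses, so the per-host correlation in `hosts_with_both` is what lifts this from a noisy indicator to something worth paging on.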

Extortion

RansomHub demands ransom payments in cryptocurrency and threatens to publish exfiltrated data on their leak site in the absence of payment. The group has been observed using particularly aggressive pressure tactics to secure payment; during negotiations these have included threats to contact the victim’s clients directly and threats to publish a defamatory blog post detailing the organisation’s security flaws. In the event of failed negotiations, the group has in some cases impersonated the victim’s IT team to inform clients about the incident and notify them that their data was impacted, continued to send ransom notes to staff via email weeks after the incident, and claimed to have regained access to the victim’s network.
