Overview
- RaaS Operation: RansomHub operates as a Ransomware-as-a-Service (RaaS), providing infrastructure and code to affiliates.
- Rapid Emergence: Quickly established itself as a major threat in early 2024.
- Aliases: Also known as Cyclops and Knight.
- Double Extortion: Employs a double-extortion model, encrypting systems and stealing data for maximum impact.
- Affiliate Recruitment: Actively recruits affiliates from other RaaS groups, exploiting disruptions in the cybercriminal landscape.
- Broad Targeting: Attacks span various critical infrastructure sectors.
- Sophisticated Operations: Demonstrates advanced technical capabilities and operational sophistication.
- Potential Russia Ties: Indicators suggest a possible connection to Russia, though not definitively confirmed.
Known Aliases of RansomHub
Cyclops, Knight
Country of Origin of RansomHub
While the precise location remains unconfirmed, statements on the RansomHub website indicating a refusal to target CIS, Cuba, North Korea, and China suggest a potential origin in a country with close ties to Russia, or possibly Russia itself. This is inferred from the group’s likely desire to avoid targeting entities within their own nation or allied states to evade law enforcement scrutiny.
Most Recent Attacks of RansomHub
The CISA advisory mentions attacks as recent as August 2024, affecting at least 210 victims across various critical infrastructure sectors. Tripwire mentions a June 2024 surge in attacks, with nearly 80 new victims.
Here are just a few of them:
- Florida Department of Health: RansomHub claimed responsibility for an attack, publishing 100 GB of stolen data after a ransom demand went unmet.
- Christie’s Auction House: Christie’s suffered an attack shortly before a major auction; the incident was attributed to RansomHub.
- Change Healthcare: Initially attacked by ALPHV/BlackCat in February 2024, Change Healthcare was subsequently targeted by RansomHub in April 2024, with the threat actor posting sensitive medical and financial data and demanding ransom payments from insurance companies. This highlights RansomHub’s opportunistic targeting of previously compromised entities.
- Bologna FC (November 2024): A ransomware attack resulted in the theft of approximately 200 GB of data, including players’ medical records, business plans, and financial documents. The attackers threatened to leak the data.
- Coppell, Texas (November 2024): A city-wide ransomware attack disrupted technology services, impacting WiFi, court operations, library services, and permit/inspection platforms. Government phone systems and utility bill platforms were also affected, requiring extended payment deadlines.
- Halliburton (August 2024): A ransomware attack on this global energy supplier caused an estimated $35 million in losses and forced a shutdown of IT systems, disrupting customer services. The full scope of the data breach is still under investigation.
- Patelco Credit Union (June 2024): A data breach, active since May 2024, exposed the personally identifiable information (PII) of 726,000 individuals. The stolen data included names, social security numbers, and birthdates. Victims were offered two years of identity protection services.
- Mexican Government (November 2024): RansomHub claimed to have stolen 313 GB of government data, including contracts, insurance information, financial records, and confidential files. A sample of the stolen data was shared on their extortion portal.
Common Methods of Infiltration Used by RansomHub
- Phishing Emails: RansomHub affiliates use phishing emails to gain initial access to systems (MITRE ATT&CK T1566).
- Exploitation of Known Vulnerabilities: Exploiting publicly known vulnerabilities in software is a key tactic. Specific CVEs observed include:
  - CVE-2023-3519 (Citrix ADC)
  - CVE-2023-27997 (FortiOS, FortiProxy)
  - CVE-2023-46604 (Apache ActiveMQ)
  - CVE-2023-22515 (Confluence)
  - CVE-2023-46747 (BIG-IP)
  - CVE-2023-48788 (FortiClientEMS)
  - CVE-2017-0144 (Windows SMB)
  - CVE-2020-1472 (Netlogon)
  - CVE-2020-0787 (Zerologon – potentially exploited in conjunction with CVE-2020-1472)
- Password Spraying: Targeting accounts compromised in previous data breaches (T1110.003).
- Proof-of-Concept Exploits: Obtaining exploits from sources like ExploitDB and GitHub (T1588.005).
- Network Scanning: Using tools like AngryIPScanner, Nmap, and PowerShell-based techniques (T1018, T1046, T1059.001).
Tools of the Trade Used by RansomHub
RansomHub itself is a Ransomware-as-a-Service (RaaS) operation. The actual ransomware payload used by affiliates may vary, but the CISA advisory details technical aspects of the RansomHub encryption process, including the use of Curve25519 elliptic-curve cryptography. The ransomware executable typically appends a random file extension to encrypted files and leaves a ransom note titled “How To Restore Your Files.txt”.
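As a defender-side illustration of the two file-system indicators just described, here is an added example (not code from the page or the CISA advisory): a small Python scanner that flags the ransom-note title and files carrying random-looking extensions. The allow list of known extensions and the "6 to 12 alphanumerics containing both letters and digits" heuristic are assumptions made for this example.

```python
import os
import re
from collections import Counter

# Ransom note title reported in the CISA advisory cited above.
RANSOM_NOTE = "How To Restore Your Files.txt"

# Constructed allow list of extensions expected on a file share; extend it for
# a real deployment. Anything outside it that looks like a random token is a
# candidate encrypted file.
KNOWN_EXT = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "exe", "dll",
             "log", "csv", "zip", "gz", "tar"}
# Heuristic (assumption): a random extension is 6-12 alphanumerics mixing
# letters and digits, which keeps words like ".backup" from being flagged.
RANDOM_EXT = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}$", re.IGNORECASE)

def looks_encrypted(filename):
    """True if the file name ends in an unknown, random-looking extension."""
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        return False
    return ext.lower() not in KNOWN_EXT and bool(RANDOM_EXT.match(ext))

def scan_paths(paths):
    """Classify a list of file paths. Returns ransom-note hits and a count of
    suspicious files per extension, so a mass rename stands out as one
    extension with a large count."""
    notes = []
    suspicious = Counter()
    for path in paths:
        name = os.path.basename(path)
        if name.lower() == RANSOM_NOTE.lower():
            notes.append(path)
        elif looks_encrypted(name):
            suspicious[name.rpartition(".")[2].lower()] += 1
    return {"ransom_notes": notes, "suspicious_extensions": dict(suspicious)}

def scan_tree(root):
    """Walk a real directory tree and run the same classification."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths)

if __name__ == "__main__":
    import sys
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a share as `python scanner.py /srv/share`; a non-empty `ransom_notes` list or a single unknown extension with a high count is the signal to escalate.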