Security researchers have uncovered ransomware attacks conducted by the notorious RansomHub group leveraging the unpatched ZeroLogon vulnerability (CVE-2020-1472) to gain initial access to victim environments.
How RansomHub Gains Initial Access?
According to Symantec, in recent attacks RansomHub actors have been exploiting the ZeroLogon flaw in the Windows Netlogon Remote Protocol. This critical remote code execution vulnerability allows attackers to fully compromise Windows domain controllers with a single request without credentials.
Once the initial foothold is established on domain controllers through ZeroLogon, RansomHub operators utilize various remote access and network scanning tools like Atera, Splashtop and NetScan. These tools help facilitate remote access and gather intelligence about targets before ransomware deployment.
After gaining access, RansomHub leverages the iisreset.exe and iisrstas.exe command line utilities to stop IIS services before encrypting files. The ransomware payload is then spread across the victim environment.
How Prevelant is the RansomHub Threat?
RansomHub has grown rapidly to become one of the most prolific ransomware groups. In just 3 months, it has claimed over 60 victims according to Symantec, compared to other major threats. This success has allowed RansomHub to recruit from dismantled groups like BlackCat/ALPHV to improve capabilities.
Connections to Other Ransomware Families
Interestingly, analysis revealed extensive code overlaps between RansomHub and the now-defunct Knight ransomware. The payloads are near identical, suggesting RansomHub operators acquired Knight source code and are reusing it with some modifications.
Symantec analyzed the RansomHub payload and discovered extensive code similarities with the discontinued Knight ransomware. Both payloads are written in the Go programming language and use the same obfuscator, Gobfuscate.
Their help menus, encoding of important strings, and command execution flows are nearly identical. RansomHub and Knight can both restart endpoints in safe mode prior to encryption and have the same command flow.
Even the ransom notes are largely the same, with many verbatim phrases from Knight appearing in RansomHub. However, Symantec believes it’s unlikely the original Knight operators now run RansomHub.
Rather, the RansomHub operators likely purchased the Knight source code when its creators put it up for sale earlier this year. They are now reusing the code with some modifications, like different commands executed via cmd.exe depending on configuration.
In summary, the RansomHub group has effectively leveraged the widespread unpatched ZeroLogon vulnerability to compromise numerous victims and establish itself as a significant ransomware threat. Prompt patching remains critical to prevent destructive attacks exploiting this vulnerability.
