RansomHub Ransomware Group Exploits ZeroLogon Vulnerability to Spread Malware

Written by Gabby Lee

June 10, 2024

RansomHub Ransomware Group Exploits ZeroLogon Vulnerability to Spread Malware

Security researchers have uncovered ransomware attacks conducted by the notorious RansomHub group leveraging the unpatched ZeroLogon vulnerability (CVE-2020-1472) to gain initial access to victim environments.

How RansomHub Gains Initial Access?

According to Symantec, in recent attacks RansomHub actors have been exploiting the ZeroLogon flaw in the Windows Netlogon Remote Protocol. This critical remote code execution vulnerability allows attackers to fully compromise Windows domain controllers with a single request without credentials.

Once the initial foothold is established on domain controllers through ZeroLogon, RansomHub operators utilize various remote access and network scanning tools like Atera, Splashtop and NetScan. These tools help facilitate remote access and gather intelligence about targets before ransomware deployment.

After gaining access, RansomHub leverages the iisreset.exe and iisrstas.exe command line utilities to stop IIS services before encrypting files. The ransomware payload is then spread across the victim environment.

How Prevelant is the RansomHub Threat?

RansomHub has grown rapidly to become one of the most prolific ransomware groups. In just 3 months, it has claimed over 60 victims according to Symantec, compared to other major threats. This success has allowed RansomHub to recruit from dismantled groups like BlackCat/ALPHV to improve capabilities.

Connections to Other Ransomware Families

Interestingly, analysis revealed extensive code overlaps between RansomHub and the now-defunct Knight ransomware. The payloads are near identical, suggesting RansomHub operators acquired Knight source code and are reusing it with some modifications.

Symantec analyzed the RansomHub payload and discovered extensive code similarities with the discontinued Knight ransomware. Both payloads are written in the Go programming language and use the same obfuscator, Gobfuscate.

Their help menus, encoding of important strings, and command execution flows are nearly identical. RansomHub and Knight can both restart endpoints in safe mode prior to encryption and have the same command flow.

Even the ransom notes are largely the same, with many verbatim phrases from Knight appearing in RansomHub. However, Symantec believes it’s unlikely the original Knight operators now run RansomHub.

Rather, the RansomHub operators likely purchased the Knight source code when its creators put it up for sale earlier this year. They are now reusing the code with some modifications, like different commands executed via cmd.exe depending on configuration.

In summary, the RansomHub group has effectively leveraged the widespread unpatched ZeroLogon vulnerability to compromise numerous victims and establish itself as a significant ransomware threat. Prompt patching remains critical to prevent destructive attacks exploiting this vulnerability.

Related Articles

How AI is Revolutionizing Phishing Attacks

How AI is Revolutionizing Phishing Attacks

 -  New: New Phishing attacks have long been a major concern for enterprise organizations wordwide. As technology continues to advance, cybercriminals are finding new and innovative ways to exploit vulnerabilities and deceive unsuspecting individuals. In recent years,...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!