RansomHub is a quickly emerging ransomware threat actor observed attacking several organizations across multiple sectors around the globe.
Since its public debut in February 2024, the group has named more than 200 victims on its .onion site where it extorts organizations under threat of leaking exfiltrated data.
Description:
RansomHub has accumulated significant momentum despite its relatively short tenure in the ransomware-as-a-service (RaaS) space, accounting for over 14.2 percent of global ransomware attacks in Q3 2024 according to ZeroFox. The targets include manufacturing, retail, service providers, healthcare, and many more across most continents (primarily Europe and North America).
The sharp uptick in malicious activity recently prompted the American Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to publish a joint advisory on the actor, its techniques, indicators of compromise, and suggested mitigations.
The group is strongly suspected to be linked to the LockBit and ALPHV groups, two other highly prolific ransomware threat actors, members of which are likely now affiliated with RansomHub. This gives the group significant technical expertise in EDR/antivirus evasion techniques, vulnerability exploitation, phishing attacks, and more.
The threat actors use the double-extortion model: they encrypt victims' systems and also exfiltrate data for extortion purposes. A ransom note is left on the system urging the victim to visit a unique .onion URL with a client ID in order to communicate with the actor; only after this contact is made does the actor disclose the ransom amount. The victim then has between three and 90 days to pay the ransom before their data is published on the group's data leak site.
Due to the successes seen by the group, analysts expect RansomHub will remain a highly prominent ransomware actor for a while, attracting malicious affiliates and spreading its target base across even more sectors and countries with time. As with any ransomware threat, proactive safety measures are the most effective at minimizing damage incurred by target organizations.
Recommendations:
To prevent RansomHub and other ransomware attacks, it is recommended to take the following measures:
- Back up your data regularly and store it offline or separately, so that it can be restored without paying the ransom if infection occurs.
- Install updates for operating systems, software and firmware as soon as they are released.
- Require phishing-resistant, non-SMS-based multi-factor authentication for as many services as possible.
- Limit user privileges and access to the minimum necessary for their roles. This can reduce the risk of ransomware spreading to other devices or systems through compromised accounts.
- Use strong, unique passwords to reduce the risk of credential compromise.
- Educate users to both recognize and report phishing attempts.
If compromise is detected, organizations should:
- Quarantine or take potentially affected hosts offline.
- Reimage compromised hosts.
- Provision new account credentials.
- Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://intel471.com/blog/hunting-for-ransomhub-and-antivirus-killers
- https://thehackernews.com/2024/09/ransomhub-ransomware-group-targets-210.html
- https://www.zerofox.com/blog/ransomhub-extortion-attacks-on-sharp-upward-trajectory/
- https://www.forbes.com/sites/daveywinder/2024/08/31/fbi-issues-urgent-ransomware-attack-warning-do-these-3-things-now/