According to the U.S. government, threat actors associated with the RansomHub ransomware group have targeted and encrypted data from over 210 victims since its establishment in February 2024.
The victims come from various sectors such as water and wastewater, information technology, government services, healthcare, emergency services, financial services, transportation, and more. RansomHub, previously known as Cyclops and Knight, operates as a ransomware-as-a-service variant and has attracted affiliates from other well-known ransomware groups like LockBit and ALPHV.
ZeroFox reported that RansomHub’s ransomware activity has been on the rise, representing 2% of attacks in Q1 2024, 5.1% in Q2, and 14.2% in Q3.
Approximately 34% of RansomHub attacks target European organizations, with a focus on the double extortion model. Victims who refuse to pay the ransom have their data leaked on a dedicated site for a specified period.
The group gains initial access through exploiting vulnerabilities in various systems like Apache ActiveMQ, Atlassian Confluence, Citrix ADC, and others. Affiliates leverage tools like AngryIPScanner and Nmap for reconnaissance and network scanning.
After gaining access, affiliates establish persistence by creating user accounts and leveraging tools like Mimikatz for credential gathering. They move laterally within the network using methods like Remote Desktop Protocol (RDP) and Cobalt Strike.
RansomHub’s attacks involve intermittent encryption to expedite the process, with data exfiltration observed through tools like WinSCP, Cobalt Strike, and Metasploit.
The rise of ransomware attacks has seen a shift towards complex extortion strategies, including triple and quadruple extortion schemes. These tactics involve threats beyond encryption and data exfiltration, such as DDoS attacks and pressuring third-parties.
The success of ransomware-as-a-service models has led to the emergence of new variants like Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. Additionally, Iranian nation-state actors have been collaborating with known ransomware groups for financial gain.
For more exclusive content, follow us on Twitter and LinkedIn.