RansomHub, a highly successful ransomware-as-a-service (RaaS) organization that emerged recently, has already victimized at least 210 entities across various sectors. These victims include government agencies, IT and communication companies, healthcare providers, financial institutions, emergency services, manufacturing companies, transportation entities, and commercial establishments.
The affiliates of RansomHub have employed a wide range of tactics and techniques to carry out their attacks, as outlined in an advisory jointly compiled by the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center. Initial access is typically gained through methods such as phishing emails, password spraying, and exploitation of known vulnerabilities in internet-facing systems like Citrix NetScaler, Fortigate, and Atlassian Confluence.
Once inside the network, the affiliates utilize network scanning tools for reconnaissance, deploy ransomware executables disguised as harmless files, delete logs and disable antivirus and endpoint detection and response (EDR) products, manipulate user accounts using tools like Mimikatz, and move laterally across the network using various remote access tools such as RDP, PsExec, and Cobalt Strike.
To exfiltrate data, the attackers employ a variety of methods including PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit. The ransomware execution typically does not encrypt executable files but appends a random file extension to file names and leaves a ransom note titled “How To Restore Your Files.txt” on the compromised system, instructing victims to contact the ransomware group via a unique .onion URL accessible through the Tor browser.
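The file-system artifacts just described (a note named “How To Restore Your Files.txt”, one unfamiliar extension appended to many data files, executables left intact) are what an incident responder first looks for on a suspect host. The script below is an added example, not code from the advisory or from any RansomHub sample: it walks a directory tree, classifies each file by those traits, and returns a verdict when a ransom note coexists with a cluster of files sharing one unknown appended extension. The sample tree, the extension lists, the regex for a “random-looking” extension and the `min_hits` threshold are all assumptions constructed for the demonstration; tune them to the host's real file population before relying on the heuristic.

```python
"""Triage heuristics for RansomHub-style file artifacts (added example).

Signals taken from the advisory summary: a ransom note with a fixed name,
a random extension appended to file names, executables not encrypted.
Everything below the constants (sample tree, thresholds) is constructed.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAME = "How To Restore Your Files.txt"  # note name quoted in the advisory summary
# Illustrative extension lists (assumption): what we expect to see on a Windows file share
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".msi"}
COMMON_DATA_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".sql", ".bak", ".pst"}
# "Random-looking" here means a short alphanumeric token that is not a known extension
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{4,12}$", re.IGNORECASE)


def classify_file(path: Path):
    """Return (kind, appended_extension) for one file.

    kind is one of 'note', 'appended', 'exe_intact' or 'normal'.
    """
    if path.name == RANSOM_NOTE_NAME:
        return "note", None
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return "normal", None
    last = suffixes[-1]
    if last in EXECUTABLE_EXTENSIONS:
        # Executable still carries its own extension: consistent with "does not encrypt executables"
        return "exe_intact", None
    # Appended pattern: a known extension followed by an unknown token,
    # e.g. report.docx.q7x2k -> suffixes ['.docx', '.q7x2k'].
    # Requiring a known preceding extension keeps lone unusual extensions
    # such as config.yaml from being flagged.
    if (
        last not in COMMON_DATA_EXTENSIONS
        and RANDOM_EXT_RE.match(last)
        and len(suffixes) >= 2
        and suffixes[-2] in (COMMON_DATA_EXTENSIONS | EXECUTABLE_EXTENSIONS)
    ):
        return "appended", last
    return "normal", None


def triage(root, min_hits=3):
    """Walk the tree and summarise ransomware indicators.

    Verdict rule (assumption): a ransom note is present AND at least
    min_hits files share a single unknown appended extension.
    """
    counts = Counter()
    appended_by_ext = Counter()
    notes = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind, ext = classify_file(path)
        counts[kind] += 1
        if kind == "note":
            notes.append(str(path))
        elif kind == "appended":
            appended_by_ext[ext] += 1
    dominant_ext, dominant_n = (appended_by_ext.most_common(1) or [(None, 0)])[0]
    return {
        "ransom_notes": notes,
        "dominant_extension": dominant_ext,
        "files_with_dominant_extension": dominant_n,
        "executables_intact": counts["exe_intact"],
        "suspicious": bool(notes) and dominant_n >= min_hits,
    }


def build_sample_tree(root):
    """Constructed sample share after an encryption run; not real incident data."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    for name in ["finance/q3.xlsx.q7x2k", "finance/budget.docx.q7x2k",
                 "scan.pdf.q7x2k", "notes.txt.q7x2k"]:
        (root / name).write_bytes(b"\x00ciphertext-placeholder")
    for name in ["tool.exe", "helper.dll"]:        # left untouched by the encryptor
        (root / name).write_bytes(b"MZ-placeholder")
    (root / "readme.txt").write_text("untouched")  # benign, known extension
    (root / "config.yaml").write_text("key: v")    # benign, unknown but not appended
    (root / RANSOM_NOTE_NAME).write_text("contact us via the .onion address (placeholder)")
    return root


def demo():
    """Build the constructed tree in a temp dir and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

The per-extension count matters more than any single file: one unfamiliar extension on hundreds of files across a share is the pattern, while a handful of odd extensions is normal noise. Point `triage()` at a mounted image or a share root during scoping; the `executables_intact` count is a cheap consistency check against the behaviour the advisory describes.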
The success of RansomHub can be attributed to the skills and expertise of its affiliates, many of whom were previously associated with other ransomware groups like LockBit and ALPHV/BlackCat. Following law enforcement crackdowns, failed comeback attempts, and exit scams by these groups, skilled operatives were drawn to join RansomHub due to its flexible structure and payment model.
RansomHub operators enticed potential affiliates by offering them the opportunity to collect ransom payments directly from victims and only paying a service fee to the organization. This approach, along with the diverse tactics employed by the affiliates, has made RansomHub a formidable force in the ransomware landscape.
To combat the threat posed by RansomHub and its affiliates, defenders are advised to implement a range of mitigation strategies outlined in the advisory issued by CISA. By staying vigilant and incorporating necessary security measures, organizations can better protect themselves against the evolving tactics of ransomware operators like RansomHub.