In the latest wave of cyber attacks involving the increasingly notorious RansomHub ransomware, hackers have taken advantage of the 2020 ZeroLogon vulnerability (CVE-2020-1472) in the Windows Netlogon Remote Protocol to gain initial access to target systems. This flaw, which allows privilege escalation when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, has been a key entry point for RansomHub operatives, according to experts.
Before deploying the ransomware payload, the attackers have utilized a variety of dual-use tools, including remote access solutions like Atera and Splashtop, along with network scanners like NetScan. These tools have helped the threat actors gain and maintain access to the compromised networks, as reported by cybersecurity researchers at Symantec Broadcom. The attackers have also employed command-line tools such as iisreset.exe and iisrstas.exe to disrupt Internet Information Services (IIS) on infected systems.
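The tooling described above leaves traces in ordinary Windows telemetry. The following Python script is an added example, not code from the article or from Symantec, showing how a defender might triage a batch of Windows Security events for two of the signals the article names: domain-controller Netlogon events that indicate a vulnerable (ZeroLogon-style) secure channel was attempted or allowed, and process-creation events for the dual-use tools and IIS-reset utilities. The Netlogon event IDs (5827 to 5831) come from Microsoft's CVE-2020-1472 guidance rather than from the article; the image names for Atera, Splashtop and NetScan are assumptions; the log lines are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry) in a simplified
# "Field=value" form mixing a domain controller (DC01) and a web server.
SAMPLE_EVENTS = [
    "EventID=4688 Host=DC01 NewProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=5829 Host=DC01 Machine=WS-17$ Note=vulnerable Netlogon secure channel allowed",
    "EventID=4688 Host=WEB02 NewProcessName=C:\\Windows\\System32\\iisreset.exe CommandLine=iisreset /stop",
    "EventID=4688 Host=WEB02 NewProcessName=C:\\Tools\\netscan.exe",
    "EventID=4688 Host=WEB02 NewProcessName=C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
    "EventID=4688 Host=WS-17 NewProcessName=C:\\Windows\\System32\\notepad.exe",
    "EventID=5827 Host=DC01 Machine=WS-22$ Note=vulnerable Netlogon secure channel denied",
]

# iisreset.exe and iisrstas.exe are named in the article. The image names for
# the Atera agent, Splashtop streamer and NetScan are ASSUMPTIONS and should be
# replaced with whatever your own software inventory shows.
WATCHED_IMAGES = {
    "iisreset.exe": "IIS disruption (named in article)",
    "iisrstas.exe": "IIS disruption (named in article)",
    "netscan.exe": "network scanner (assumed image name)",
    "ateraagent.exe": "remote access tool (assumed image name)",
    "srserver.exe": "remote access tool (assumed image name)",
    "srmanager.exe": "remote access tool (assumed image name)",
}

# Netlogon event IDs from Microsoft's ZeroLogon guidance (not from the article).
# 5829 is the one that matters most: the DC is still allowing vulnerable
# connections, i.e. enforcement mode is not on.
NETLOGON_EVENTS = {
    "5827": ("high", "vulnerable Netlogon connection denied (machine account)"),
    "5828": ("high", "vulnerable Netlogon connection denied (trust account)"),
    "5829": ("critical", "vulnerable Netlogon connection ALLOWED: DC not enforcing"),
    "5830": ("high", "vulnerable Netlogon connection allowed by group policy exception"),
    "5831": ("high", "vulnerable Netlogon connection allowed by trust exception"),
}

# Splits "Key=value Key2=value with spaces" into pairs; values may contain
# spaces but not another "Word=" token.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    host: str
    severity: str
    reason: str
    raw: str


def parse_event(line):
    """Parse one constructed event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def analyze(lines):
    """Return a Finding for every event that matches a watched signal, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID", "")
        host = ev.get("Host", "?")
        if eid in NETLOGON_EVENTS:
            sev, reason = NETLOGON_EVENTS[eid]
            findings.append(Finding(host, sev, f"{reason} from {ev.get('Machine', '?')}", line))
        elif eid == "4688":
            # Compare on the bare image name, case-insensitively.
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image in WATCHED_IMAGES:
                findings.append(Finding(host, "medium", f"{image}: {WATCHED_IMAGES[image]}", line))
    return findings


def hosts_allowing_vulnerable_netlogon(findings):
    """Domain controllers that logged 5829: these need enforcement mode turned on."""
    return sorted({f.host for f in findings if f.severity == "critical"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.host:6} {f.reason}")
    print("DCs still allowing vulnerable Netlogon:", hosts_allowing_vulnerable_netlogon(analyze(SAMPLE_EVENTS)))
```

On the sample input this flags five events: the 5829 on DC01 (critical, because the domain controller is still accepting vulnerable secure channels), the three tool and IIS-reset process launches on WEB02, and the denied 5827 on DC01. In practice the process-image list should be driven by your own inventory of remote-management software so that sanctioned Atera or Splashtop installs are not alerted on, while unexpected ones are.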
RansomHub, classified as a ransomware-as-a-service (RaaS) operation, has become a significant cybersecurity threat since its emergence in February. Symantec currently ranks it as the fourth most prevalent ransomware strain in terms of victims, trailing behind Lockbit, Play, and Qilin. BlackFog, among other security firms monitoring the threat landscape, has identified over sixty organizations that have fallen prey to RansomHub in the few months the group has been active. While many of the victims are smaller businesses, notable entities such as Christie’s Auction House and UnitedHealth Group subsidiary Change Healthcare have also been targeted.
According to Dick O’Brien, a principal intelligence analyst at Symantec, RansomHub has publicly claimed a total of 61 victims over the past three months. This figure pales in comparison to Lockbit’s 489 victims, but it demonstrates the group’s growing impact in the cybercrime landscape. RansomHub emerged following law enforcement crackdowns on major ransomware players like Lockbit and ALPHV/BlackCat, seizing the opportunity to recruit new affiliates and expand its operations.
Extensive code similarities have been observed between RansomHub and an older ransomware strain known as Knight, which has since been discontinued. The overlap in code structure, programming language, and operational tactics between the two families suggests that RansomHub operators acquired the Knight source code to enhance their own malware operations. Whatever its origins, the threat posed by RansomHub remains significant, prompting cybersecurity experts to urge organizations to prioritize patching vulnerable systems to mitigate the risk of attacks.
As RansomHub continues to evolve and expand its reach, the cybersecurity community remains vigilant in identifying and mitigating the threat posed by this aggressive ransomware group. With the group’s growing success and ability to recruit experienced cybercriminals, the need for proactive cybersecurity measures has never been more critical to defend against RansomHub and similar threats in the future.