RansomHub ransomware encrypted at least 210 victims worldwide

The US government has issued a warning after identifying over 210 victims of the RansomHub ransomware group, a sophisticated ransomware-as-a-service (RaaS) operation. The group has been active since February 2024, targeting a wide range of sectors critical to national security and public welfare.

RansomHub, previously known as Cyclops and Knight, is believed to be collaborating with affiliates from other prominent ransomware groups such as LockBit and ALPHV.

The 210 confirmed victims span numerous sectors, including water and wastewater, information technology, government services, healthcare, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications infrastructure.

RansomHub affiliates employ a double-extortion strategy, wherein they not only encrypt systems but also exfiltrate sensitive data. The group’s ransom notes do not typically include initial ransom demands or payment instructions. Instead, victims receive a client ID and are directed to communicate with the group through a unique .onion URL on the Tor network.

The group allows a variable timeframe for ransom payments, ranging from three to 90 days, depending on the affiliate. If the ransom is not paid, the stolen data is published on RansomHub’s Tor-based data leak site.

RansomHub affiliates have been observed using various attack vectors to compromise their targets. Common methods include phishing emails, exploiting known vulnerabilities, and password spraying. Some of the notable vulnerabilities exploited by RansomHub include:

RansomHub affiliates have been observed using the above-mentioned vulnerabilities to gain initial access and establish persistence within targeted networks.

Once inside a network, RansomHub affiliates typically use a combination of network scanning tools such as AngryIPScanner and Nmap, along with PowerShell-based techniques, to explore and map the compromised environment. For persistence, they create new user accounts or re-enable disabled ones, and they use tools such as Mimikatz to harvest credentials and escalate privileges.

For lateral movement, the attackers have been known to use Remote Desktop Protocol (RDP), PsExec, AnyDesk, and other remote administration tools. Command-and-control (C2) frameworks like Cobalt Strike and Metasploit are also employed.

Data exfiltration is typically conducted through tools such as PuTTY, Amazon S3, WinSCP, and Rclone, depending on the affiliate and the specifics of the compromise.
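A defender-side illustration of the post-compromise behaviours described above (account persistence, scanning, credential theft, remote-administration and exfiltration tooling), added here as example code that is not part of the advisory or this article: it walks constructed, simplified log records and groups findings per host. The record format, the process names and the escalation threshold are assumptions made for the example; event IDs 4720, 4722 and 4688 are the standard Windows Security IDs for account created, account enabled and process creation.

```python
import re
from collections import Counter

# Process names tied to tooling the advisory names, grouped by intrusion phase (assumed names).
TOOL_PHASES = {
    "discovery": {"ipscan.exe", "nmap.exe"},          # AngryIPScanner, Nmap
    "credential_access": {"mimikatz.exe"},
    "lateral_movement": {"psexec.exe", "anydesk.exe"},
    "exfiltration": {"rclone.exe", "winscp.exe", "putty.exe"},
}
# Windows Security event IDs for the persistence behaviour described (new or re-enabled accounts).
ACCOUNT_EVENTS = {"4720": "account_created", "4722": "account_enabled"}

# Simplified record format assumed for this example: "<ts> host=<h> event=<id> [proc=<path>]"
RECORD_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+)(?: proc=(?P<proc>\S+))?")

def classify(line):
    """Return (host, finding) for a record matching a watched behaviour, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    if m["event"] in ACCOUNT_EVENTS:
        return m["host"], ACCOUNT_EVENTS[m["event"]]
    if m["event"] == "4688" and m["proc"]:  # 4688: process creation
        name = m["proc"].lower().rsplit("\\", 1)[-1]
        for phase, names in TOOL_PHASES.items():
            if name in names:
                return m["host"], phase
    return None

def hunt(lines):
    """Per host: counts of each finding, and whether 2+ distinct findings warrant escalation."""
    per_host = {}
    for line in lines:
        hit = classify(line)
        if hit:
            per_host.setdefault(hit[0], Counter())[hit[1]] += 1
    return {h: (dict(c), len(c) >= 2) for h, c in per_host.items()}

SAMPLE = [  # constructed records, not real telemetry
    "2024-05-01T02:10:11Z host=ws01 event=4688 proc=C:\\Tools\\nmap.exe",
    "2024-05-01T02:12:40Z host=ws01 event=4720",
    "2024-05-01T02:13:05Z host=ws01 event=4688 proc=C:\\Temp\\mimikatz.exe",
    "2024-05-01T02:30:22Z host=srv02 event=4688 proc=C:\\Windows\\notepad.exe",
    "2024-05-01T03:01:00Z host=srv02 event=4688 proc=C:\\Users\\Public\\rclone.exe",
]
if __name__ == "__main__":
    for host, (findings, escalate) in hunt(SAMPLE).items():
        print(host, findings, "ESCALATE" if escalate else "review")
```

A single renamed binary will not trip this, so in practice the process-name match is one signal among several (hashes, command lines, parent process) rather than the whole detection.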

RansomHub encrypts user-accessible files with an elliptic-curve scheme based on Curve25519, making data recovery without the decryption key difficult.
