A recent analysis has uncovered a new ransomware variant known as RansomHub, which is believed to be a rebranded and updated version of Knight ransomware, itself a successor to the Cyclops strain. This evolution in ransomware is indicative of the persistent threat landscape that cybersecurity professionals face today.
Knight ransomware, often referred to as Cyclops 2.0, first emerged in May 2023, employing sophisticated double extortion tactics to both steal and encrypt sensitive data for monetary gain. The malware has been shown to operate across various platforms, including Windows, Linux, macOS, ESXi, and Android, making it a versatile threat. Its distribution has primarily relied on phishing and spear-phishing campaigns that utilize malicious email attachments, illustrating the attackers’ ongoing reliance on social engineering techniques.
As of February 2024, the original Knight ransomware-as-a-service (RaaS) operation was reportedly shut down when its source code was offered for sale. This incident raised concerns that the ransomware could change hands within the cybercriminal underworld. RansomHub made its first public attack shortly thereafter and has since been linked to a series of high-profile breaches, targeting entities such as Change Healthcare and Christie’s. Notably, RansomHub has committed to avoiding attacks on organizations within the Commonwealth of Independent States (CIS), as well as countries like Cuba, North Korea, and China.
Recent reports indicate that RansomHub has been actively recruiting affiliates impacted by the shutdown of other ransomware groups, including LockBit and BlackCat. The rapid establishment of RansomHub’s operations suggests that its members may be seasoned operators familiar with the cybercriminal ecosystem. Noteworthy is the involvement of former affiliates from these groups, signifying a fluidity in the ransomware landscape that can jeopardize the security of many organizations.
Symantec’s research indicates significant code overlap between RansomHub and Knight, complicating the differentiation between the two. Both ransomware strains use similar obfuscation methods and share identical command-line help menus, with RansomHub introducing additional features such as a “sleep” command to delay execution. RansomHub has also exploited known vulnerabilities like ZeroLogon to gain initial access, and has subsequently deployed legitimate remote desktop software (Atera and Splashtop) prior to executing its encryption routines.
The deployment of RansomHub is marked by a notable uptick in ransomware incidents in early 2024, with 26 confirmed attacks attributed to this variant within just one month. Data indicates that 76% of these ransomware deployments occurred outside standard business hours, further highlighting the evolving tactics employed by threat actors. These trends suggest that attackers are increasingly using legitimate remote desktop tools to facilitate their intrusions, as opposed to custom-built options, thereby undermining detection and response efforts.
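A defender-side illustration of the two behaviours just described, the deployment of legitimate remote desktop tools (Atera, Splashtop) and activity outside business hours, as an added example that is not part of the original article or of Symantec’s research. The log format, the sample events, the binary-name patterns and the 08:00-18:00 Monday-to-Friday window are all assumptions constructed for this demo, not published indicators.

```python
from datetime import datetime, time
import re

# Assumed indicators: case-insensitive substrings matched against image path and
# command line for the RMM tools named in the article. Tune to your inventory.
RMM_PATTERNS = {
    "Atera": re.compile(r"atera", re.IGNORECASE),
    "Splashtop": re.compile(r"splashtop", re.IGNORECASE),
}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed Mon-Fri window

# Constructed process-creation events: "timestamp|host|user|image|cmdline".
SAMPLE_EVENTS = """\
2024-02-20T10:15:02|WS01|jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2024-02-20T23:41:17|SRV-DC1|svc_backup|C:\\Temp\\AteraAgent_Install.exe|AteraAgent_Install.exe /quiet
2024-02-24T03:05:44|SRV-FILE2|admin|C:\\Users\\admin\\Downloads\\Splashtop_Streamer.exe|Splashtop_Streamer.exe /s
2024-02-21T11:30:00|WS07|helpdesk|C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe|AteraAgent.exe
"""

def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed 08:00-18:00 window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def parse_event(line: str) -> dict:
    """Split one pipe-delimited event into its fields (cmdline may contain spaces)."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}

def detect_rmm_deployment(log_text: str) -> list[dict]:
    """One finding per event launching a watched RMM tool; off-hours raises severity."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        haystack = f"{ev['image']} {ev['cmdline']}"
        tool = next((n for n, pat in RMM_PATTERNS.items() if pat.search(haystack)), None)
        if tool is None:
            continue
        off_hours = outside_business_hours(ev["ts"])
        findings.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                         "off_hours": off_hours,
                         "severity": "high" if off_hours else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect_rmm_deployment(SAMPLE_EVENTS):
        print(finding)
```

The in-hours Atera launch by a helpdesk account is still reported (medium) because the tool itself may be sanctioned; the off-hours installs on a domain controller and a file server are the ones the article’s statistics suggest deserve immediate triage.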
To better understand the strategies employed in these attacks, it is useful to map them to the MITRE ATT&CK framework. The tactics utilized likely include initial access through compromised credentials, privilege escalation via exploitation of known security flaws, and persistence through the installation of malware that maintains access even after system reboots.
As ransomware continues to evolve, the cyber threat landscape remains ever-changing. Organizations are urged to stay updated with robust cybersecurity measures and adopt proactive threat detection capabilities to mitigate the risks posed by such sophisticated ransomware attacks.