RansomHub: The Emerging Leader in Ransomware? Targeting 600 Companies in 2024

The emergence of RansomHub in 2024 marks a significant evolution in ransomware threats, impacting over 600 organizations following recent disruptions faced by established groups ALPHV and LockBit, as reported by Group-IB.

Group-IB’s latest analysis, exclusively presented to Hackread.com, sheds light on the alarming ascent of ransomware-as-a-service models, with RansomHub identified as a particularly active player in this landscape. Launched in early 2024, RansomHub has swiftly cemented its role as a formidable entity, taking advantage of the vacuum left by other major players in the arena.

The investigation indicates that RansomHub has implemented a strategic approach, promoting its affiliate program on underground platforms such as RAMP. This initiative actively recruits affiliates formerly associated with dismantled ransomware groups, thereby enhancing its operational capabilities and amplifying its reach at an unprecedented rate.

Evidence suggests that RansomHub may have sourced its ransomware and web application code from the Knight group, also known as Cyclops, highlighting the interconnected dynamics that characterize the cybercrime ecosystem. By utilizing pre-existing technologies, RansomHub has accelerated both its development timelines and deployment processes, quickly evolving into a significant cybersecurity threat. The ransomware it employs is designed for cross-platform compatibility, targeting various operating systems, including Windows, ESXi, Linux, and FreeBSD, which broadens its potential victim base.

The sophistication of RansomHub’s operations is evident through the advanced techniques they deploy. This includes exploiting zero-day vulnerabilities and utilizing sophisticated tools such as PCHunter to bypass endpoint protection measures. Their agility is further demonstrated by their ability to swiftly weaponize newly discovered vulnerabilities, frequently outpacing security measures taken by organizations. In addition, they employ conventional attack tactics, leveraging brute-force methods against VPN services when necessary.

After gaining initial access and exploiting vulnerabilities, RansomHub establishes a foothold within the compromised network, systematically conducting internal reconnaissance to identify and target critical assets such as Network-Attached Storage (NAS) systems and backup infrastructure. Data exfiltration remains a primary objective, with tools like FileZilla facilitating the transfer of sensitive data to external command and control servers.

Typically, a RansomHub attack culminates in data encryption and extortion. They neutralize backup services before deploying ransomware, rendering critical data inaccessible and effectively incapacitating their victims. The ransomware boasts robust capabilities, including the ability to terminate virtual machines, remove shadow copies, and erase system event logs, maximizing the disruption and enhancing the likelihood of ransom collection.
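The two impact-stage behaviours the report attributes to the payload, shadow copy removal and event-log clearing, are also its noisiest. The following is an added example of how a defender can flag them in Windows process-creation and Security telemetry; it is not code from Group-IB or from the ransomware, and the event field names and sample records are constructed assumptions rather than real incident data.

```python
"""Added example: flag shadow-copy deletion and event-log clearing in
Windows telemetry. Field names (Computer, EventID, CommandLine) and the
sample events are assumptions, not real IR data."""
import re

# Process command lines that remove Volume Shadow Copies.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
# wevtutil "cl" / "clear-log" clears a named event log.
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)

def classify(event):
    """Return a detection tag for a suspicious event, or None."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    # Security 1102 ("The audit log was cleared") carries no command line.
    if eid == 1102:
        return "eventlog_cleared"
    # Process creation: Sysmon Event ID 1 or Security Event ID 4688.
    if eid in (1, 4688):
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if LOG_CLEAR.search(cmd):
            return "eventlog_clear_command"
    return None

def scan(events):
    """Return [(host, tag, evidence)] for every suspicious event, in order."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            evidence = ev.get("CommandLine") or f"EventID {ev['EventID']}"
            hits.append((ev.get("Computer", "?"), tag, evidence))
    return hits

# Constructed sample telemetry: one benign process, two destructive
# commands, one audit-log-cleared event and one benign wevtutil query.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "EventID": 1, "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Computer": "FS01", "EventID": 1, "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "FS01", "EventID": 4688, "CommandLine": "wevtutil.exe cl System"},
    {"Computer": "DC01", "EventID": 1102},
    {"Computer": "WS07", "EventID": 1, "CommandLine": "wevtutil.exe qe Security /c:5"},
]

if __name__ == "__main__":
    for host, tag, evidence in scan(SAMPLE_EVENTS):
        print(f"[{host}] {tag}: {evidence}")
```

Because backups are disabled before encryption, a hit for shadow_copy_deletion on a file server or backup host is worth an immediate page rather than a ticket.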

RansomHub ransomware gang’s ransom note (Via Group-IB)

“RansomHub has targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024.”

Group-IB

Group-IB detailed a targeted attack by RansomHub, which unfolded over a brief span of 14 hours. The attackers began by exploiting a vulnerability in a Palo Alto firewall (CVE-2024-3400), followed by a brute-force effort to compromise VPN credentials. They subsequently gained access to the domain controller by exploiting vulnerabilities such as CVE-2021-42278 (sAMAccountName spoofing) and CVE-2020-1472 (ZeroLogon). This led to lateral movement within the network, enabling access to NAS servers and shared resources, while data exfiltration was carried out using FileZilla.

This incident underscores a crucial lesson about the importance of patch management against known vulnerabilities. Martin Jartelius, CISO at Outpost24, expressed that while zero-day exploits may complicate victim-blaming, targeting an organization with a vulnerability that has been patched for over four years indicates a clear neglect of security protocols. He stressed that the attack lifecycle initiates with the initial access phase, highlighting the need for organizations to fortify their external defenses and provide staff training to diminish breach risks. Departing from best practices, such as allowing unpatched systems to exist or maintaining intentionally vulnerable configurations, poses severe security risks.
