Threat actors associated with the RansomHub ransomware group have successfully targeted and impacted 210 victims across critical infrastructure sectors since the group’s emergence in February 2024, according to the U.S. government.
The affected entities span water and wastewater services, IT, government operations, healthcare, emergency services, agriculture, financial services, manufacturing, transportation, and communications infrastructure.
“RansomHub exemplifies a ransomware-as-a-service model—an evolution from its earlier versions known as Cyclops and Knight—that has proven its effectiveness and attractiveness, even drawing in affiliates from prominent strains like LockBit and ALPHV,” government officials said in their statement.
This ransomware-as-a-service (RaaS) variant, an offshoot of Cyclops and Knight, has managed to attract affiliates from other well-known strains such as LockBit and ALPHV (also known as BlackCat) following recent law enforcement actions.
In an analysis published recently, ZeroFox highlighted RansomHub’s growing share of all ransomware incidents tracked by the company: about 2% in Q1 2024, 5.1% in Q2, and a significant 14.2% in Q3.
“Approximately 34% of RansomHub’s targets have been based in Europe, in contrast to the 25% average across all threats,” the firm said in a report.
The group’s modus operandi relies on double extortion, stealing data and encrypting systems to pressure victims into contacting the operators through a unique .onion URL. Organizations that refuse to pay the ransom have their data published on a leak site for a period ranging from three to 90 days.
Initial access to victim environments is typically obtained by exploiting known vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788) devices, among others.
Affiliates then perform reconnaissance and network scanning with tools such as AngryIPScanner and Nmap, alongside living-off-the-land (LotL) techniques. RansomHub intrusions also involve disabling antivirus software with custom utilities to evade detection.
After gaining access, RansomHub affiliates create user accounts for persistence, re-enable previously disabled accounts, and use Mimikatz on Windows systems to harvest credentials [T1003] and escalate privileges to SYSTEM, according to the U.S. government advisory.
“Subsequently, affiliates spread laterally within the network utilizing methods such as Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, or other widely-used command-and-control (C2) methods,” the advisory said.
A notable aspect of RansomHub’s attacks is the use of intermittent encryption to speed up the encryption process. Data exfiltration is carried out with tools including PuTTY, Amazon AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit, among others.
The development coincides with Palo Alto Networks Unit 42’s analysis of the tactics of the ShinyHunters ransomware group, which the researchers track as Bling Libra, highlighting the group’s shift toward extorting victims rather than selling or leaking stolen data. The threat actor was first identified in 2020.
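The persistence step described above (new accounts created, disabled accounts reinstated) leaves a clear trail in the Windows Security log. The following detector is an added example, not code from the advisory or from any vendor; it reads constructed sample events and assumes a hypothetical allowlist of identities that are expected to provision accounts. Event IDs 4720 (account created) and 4722 (account enabled) are the real Windows Security log IDs.

```python
"""Flag RansomHub-style persistence indicators in Windows Security events:
account creation by an unexpected actor, and re-enabling of an account that
was not just created (a previously disabled account being reinstated)."""

# Constructed sample events, not from any real incident. Field names mirror
# the Security log: EventID, SubjectUserName (who acted), TargetUserName.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:13:04", "EventID": 4720, "SubjectUserName": "svc-backup", "TargetUserName": "support1"},
    {"ts": "2024-05-01T02:13:09", "EventID": 4722, "SubjectUserName": "svc-backup", "TargetUserName": "support1"},
    {"ts": "2024-05-01T02:15:40", "EventID": 4722, "SubjectUserName": "svc-backup", "TargetUserName": "olduser"},
    {"ts": "2024-05-01T09:00:00", "EventID": 4720, "SubjectUserName": "hr-provisioning", "TargetUserName": "jdoe"},
    {"ts": "2024-05-01T09:00:02", "EventID": 4722, "SubjectUserName": "hr-provisioning", "TargetUserName": "jdoe"},
]

# Hypothetical allowlist: identities that legitimately create or enable accounts.
PROVISIONING_ACCOUNTS = {"hr-provisioning"}


def find_persistence_indicators(events, allowlist=PROVISIONING_ACCOUNTS):
    """Return a list of (alert_type, actor, target, timestamp) tuples.

    A 4722 that immediately follows a 4720 from the same actor for the same
    account is the normal creation sequence and is not reported on its own;
    a 4722 without a matching creation means an existing (disabled) account
    was switched back on, which is the reinstatement behaviour to watch for.
    """
    alerts = []
    created = set()  # (actor, target) pairs already seen as 4720 in this batch
    for ev in events:
        actor, target = ev["SubjectUserName"], ev["TargetUserName"]
        if ev["EventID"] == 4720:
            created.add((actor, target))
            if actor not in allowlist:
                alerts.append(("unexpected_account_creation", actor, target, ev["ts"]))
        elif ev["EventID"] == 4722:
            if (actor, target) in created:
                continue  # enable that completes a creation we already handled
            if actor not in allowlist:
                alerts.append(("disabled_account_reenabled", actor, target, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_persistence_indicators(SAMPLE_EVENTS):
        print(alert)
```

The allowlist keeps routine HR provisioning quiet while still surfacing a backup service account creating or re-enabling users at 02:00, which is the kind of anomaly worth correlating with the credential-dumping and lateral-movement activity described next.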
“The group obtains legitimate credentials, sourced from public repositories, as an entry point into an organization’s Amazon Web Services (AWS) system,” security researchers Margaret Zimmermann and Chandni Vaya said in a report.
“While the compromised credentials’ permissions restricted the breach’s magnitude, Bling Libra infiltrated the organization’s AWS environment and carried out reconnaissance missions. The threat actors leveraged tools like the Amazon Simple Storage Service (S3) Browser and WinSCP to collect intelligence on S3 bucket configurations, access S3 objects, and delete data.”
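The Bling Libra pattern above (leaked IAM access keys used from outside the organization for S3 reconnaissance, followed by deletion) can be spotted in CloudTrail. The detector below is an added example, not Unit 42’s or AWS’s code; the event names are real S3 API names, while the records, access key IDs and corporate IP range are constructed for illustration.

```python
"""Flag an access key that performs S3 reconnaissance from an external address
and then issues a destructive S3 call within a time window, over
CloudTrail-style records."""
from datetime import datetime, timedelta
import ipaddress

# Bucket-level calls are CloudTrail management events; object-level calls such
# as GetObject/DeleteObject only appear if S3 data-event logging is enabled.
RECON_APIS = {"ListBuckets", "GetBucketLocation", "GetBucketAcl", "GetBucketPolicy", "GetObject"}
DESTRUCTIVE_APIS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
# Hypothetical corporate egress range (documentation address space).
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; shape follows CloudTrail but values are made up.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-02T03:10:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEAKEDEXAMPLE001"}},
    {"eventTime": "2024-05-02T03:10:30Z", "eventName": "GetBucketAcl", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEAKEDEXAMPLE001"}},
    {"eventTime": "2024-05-02T03:25:00Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEAKEDEXAMPLE001"}},
    {"eventTime": "2024-05-02T03:40:12Z", "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEAKEDEXAMPLE001"}},
    {"eventTime": "2024-05-02T10:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACORPEXAMPLE00001"}},
    {"eventTime": "2024-05-02T10:01:00Z", "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACORPEXAMPLE00001"}},
    {"eventTime": "2024-05-02T12:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIARECONEXAMPLE0001"}},
]


def _external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in CORP_NETWORKS)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_s3_recon_then_delete(records, window=timedelta(hours=24)):
    """Per access key, report the first destructive call that follows
    reconnaissance from outside CORP_NETWORKS within `window`."""
    first_recon = {}  # accessKeyId -> (time, ip) of earliest external recon call
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = rec["userIdentity"]["accessKeyId"]
        name, ip, when = rec["eventName"], rec["sourceIPAddress"], _ts(rec["eventTime"])
        if not _external(ip):
            continue  # in-range activity is handled by normal change control
        if name in RECON_APIS and key not in first_recon:
            first_recon[key] = (when, ip)
        elif name in DESTRUCTIVE_APIS and key in first_recon:
            t0, _ = first_recon[key]
            if when - t0 <= window:
                alerts.append({"accessKeyId": key, "recon_at": t0.isoformat(), "delete": name, "ip": ip})
                del first_recon[key]  # one alert per key per recon burst
    return alerts
```

A key that only enumerates buckets from outside the network is not alerted on here, so pair this with an alert on any long-lived IAM key used from an unexpected address.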

The trend reflects the broader evolution of ransomware attacks beyond simple file encryption toward intricate, multi-layered extortion techniques, including triple and quadruple extortion, according to SOCRadar.
The company noted that triple extortion raises the stakes by adding further forms of disruption on top of encryption and data theft.
This can include launching a DDoS attack against the victim’s systems or directly threatening the victim’s partners, vendors, or other contacts, causing further operational and reputational harm to those ultimately affected by the scheme.
In quadruple extortion, the pressure is increased by contacting third parties connected to the victim and extorting them, or by coercing the victim into disclosing information about third parties in order to intensify the pressure to pay.
The lucrative nature of the RaaS business model has fueled a wave of new ransomware families such as Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has even prompted Iranian state-sponsored hackers to collaborate with established groups such as NoEscape, RansomHouse, and BlackCat in exchange for a share of the illicit proceeds.