A joint cybersecurity advisory has been issued in the United States regarding the ransomware group RansomHub [5], a ransomware-as-a-service operation targeting critical infrastructure organizations in the US.

Description

Since February 2024 [1] [2], RansomHub has compromised at least 210 victims [2] [5] [6] across critical infrastructure sectors in the United States [6], including high-profile organizations such as Christie’s Auction House, the Rite Aid pharmacy chain [1], Patelco [1], and Frontier Communications [1]. The group’s targeting is largely opportunistic [2], with victims in water and wastewater [1] [2] [4] [6], IT [2] [5] [6], government services [2] [4] [5] [6], healthcare [1] [2] [4] [5] [6], financial services [1] [2] [4] [6], and transportation [1].

RansomHub [1] [2] [3] [4] [5] [6], previously known as Cyclops and Knight [4], operates a double extortion model [4], exfiltrating and encrypting data to extort victims [2]. Affiliates gain initial access through phishing emails [2] [6], exploitation of known vulnerabilities [2] [4] [6], and password spraying [6]; the group has also been linked to exploits obtained from public repositories such as ExploitDB and GitHub [6]. Initial access is followed by reconnaissance and network scanning [4], for which affiliates have been observed using tools such as AngryIPScanner, Nmap [2] [4], and PowerShell [2], and by lateral movement using legitimate remote monitoring and management (RMM) tools [2].

The advisory details the group’s tactics [5], techniques [2] [5], and procedures [5], provides indicators of compromise that organizations can use to investigate suspicious activity, and lists steps organizations can take to defend themselves. Victims are advised not to pay ransom demands [2], since payment does not guarantee file recovery and may encourage further attacks [2].
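Password spraying, one of the initial-access techniques named above, tries one or a few passwords against many accounts so that no single account trips a lockout threshold; the detectable signal is therefore one source address failing against many distinct usernames in a short window, not many failures against one user. The following script is an added example written for this page, not code from the advisory or any of the cited sources. It runs over constructed authentication log lines whose format (timestamp, event, `user=`, `src=`), the 10-minute window and the five-user threshold are all assumptions made for the example; it also flags whether a successful login from the same source landed inside the spray window, which is the case a responder would want to look at first.

```python
"""Password-spray detection over constructed authentication log lines.

A spray shows up as ONE source address failing against MANY distinct
usernames inside a short window (few attempts per user), as opposed to a
brute-force run of many failures against a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
# Line format is an assumption: <ISO timestamp> <event> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-08-29T09:00:01Z AUTH_FAIL user=alice src=203.0.113.7
2024-08-29T09:00:03Z AUTH_FAIL user=bob src=203.0.113.7
2024-08-29T09:00:05Z AUTH_FAIL user=carol src=203.0.113.7
2024-08-29T09:00:07Z AUTH_FAIL user=dave src=203.0.113.7
2024-08-29T09:00:09Z AUTH_FAIL user=erin src=203.0.113.7
2024-08-29T09:00:11Z AUTH_OK   user=frank src=203.0.113.7
2024-08-29T09:01:00Z AUTH_FAIL user=alice src=198.51.100.4
2024-08-29T09:01:30Z AUTH_FAIL user=alice src=198.51.100.4
2024-08-29T09:02:00Z AUTH_FAIL user=alice src=198.51.100.4
2024-08-29T09:02:30Z AUTH_FAIL user=alice src=198.51.100.4
2024-08-29T09:02:45Z AUTH_FAIL user=alice src=198.51.100.4
2024-08-29T09:03:00Z AUTH_OK   user=alice src=198.51.100.4
2024-08-29T13:00:00Z AUTH_FAIL user=gwen src=203.0.113.7
2024-08-29T13:00:02Z AUTH_FAIL user=hank src=203.0.113.7
"""


def parse_auth_lines(text):
    """Parse the assumed log format into (timestamp, event, user, src) tuples.

    Malformed lines are skipped rather than allowed to abort the whole run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, parts[1], fields["user"], fields["src"]))
    return events


def detect_password_spray(text, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source address whose failures hit >= min_users
    distinct usernames inside any `window`-long interval.

    Each alert records the strongest window for that source and whether a
    successful login from the same source occurred inside that window.
    """
    failures = defaultdict(list)   # src -> [(ts, user)] for AUTH_FAIL
    successes = defaultdict(list)  # src -> [(ts, user)] for AUTH_OK
    for ts, kind, user, src in parse_auth_lines(text):
        (failures if kind == "AUTH_FAIL" else successes)[src].append((ts, user))

    alerts = []
    for src, fails in failures.items():
        fails.sort()  # chronological, so each index can open a window
        best = None   # (window_start, distinct_user_count, users)
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users and (best is None or len(users) > best[1]):
                best = (start, len(users), sorted(users))
        if best is None:
            continue  # brute force against one account is a different pattern
        start, count, users = best
        end = start + window
        success_after = any(start <= t <= end for t, _ in successes.get(src, []))
        alerts.append({
            "src": src,
            "window_start": start.isoformat(),
            "distinct_users": count,
            "users": users,
            "success_after_spray": success_after,
        })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, 198.51.100.4 produces five failures but against a single account, so it is not reported as a spray; 203.0.113.7 fails against five different users within ten seconds and then logs in successfully as a sixth, which is the alert a responder should triage first. In production the same logic can be pointed at VPN, SSO or domain controller authentication events once the parser is adapted to that source's format.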

Conclusion

Organizations should be vigilant against ransomware attacks and take proactive measures to secure their systems. It is crucial to regularly update software, train employees on cybersecurity best practices, and implement strong access controls to prevent unauthorized access. Collaboration between government agencies, cybersecurity experts, and private sector organizations is essential to combat the growing threat of ransomware attacks. By staying informed and implementing robust cybersecurity measures, organizations can better protect themselves from malicious actors like RansomHub.

References

[1] https://heimdalsecurity.com/blog/ransomhub-fbi-advisory/
[2] https://www.itpro.com/security/cyber-crime/everything-you-need-to-know-about-ransomhub-the-new-force-in-the-digital-extortion-industry
[3] https://www.cyberdaily.au/security/11035-ransomhubs-operations-revealed-in-new-cisa-report
[4] https://thehackernews.com/2024/09/ransomhub-ransomware-group-targets-210.html
[5] https://www.infosecurity-magazine.com/news/us-authorities-ransomhub/
[6] https://www.govinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703