Cybercriminals linked to the RansomHub ransomware group have encrypted and exfiltrated data from at least 210 victims since the operation emerged in February 2024, according to the U.S. government.
RansomHub and its goals
The victims span many sectors, including water and wastewater, information technology (IT), government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications infrastructure.
"RansomHub is a variant of ransomware-as-a-service, previously known as Cyclops and Knight, which has established itself as a model of efficient and successful service (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," the government agencies said.
A ransomware-as-a-service (RaaS) operation descended from Cyclops and Knight, RansomHub has attracted high-profile affiliates from other notable variants such as LockBit and ALPHV (also known as BlackCat) following a recent wave of law enforcement actions against those groups.
ZeroFox, in an analysis published late last month, said that RansomHub activity, as a proportion of all ransomware activity observed by the cybersecurity vendor, is on the rise, accounting for about 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3.
RansomHub Attack Analysis
"Approximately 34% of RansomHub attacks targeted organizations in Europe, compared to 25% in the overall threat landscape," the company observed.
The group uses a double extortion model: it exfiltrates data and then encrypts systems, after which victims are directed to contact the operators via a unique .onion URL. Targeted companies that refuse to pay the ransom have their information published on the group's leak site after a period of three to 90 days.
Initial access to victim environments is facilitated by exploiting known security vulnerabilities in devices such as Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997) and Fortinet FortiClientEMS (CVE-2023-48788).
Once inside, affiliates conduct network reconnaissance and scanning using programs such as AngryIPScanner and Nmap alongside other "living-off-the-land" (LotL) methods. RansomHub attacks also involve disabling antivirus software with custom tools in order to evade detection.
How RansomHub gets in
"After initial access, RansomHub affiliates created user accounts to ensure persistence, re-enabled disabled accounts, and used Mimikatz on Windows systems to harvest credentials [T1003] and elevate privileges to SYSTEM," the US government notice reads, continuing: "Affiliates then moved laterally within the network through methods such as Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, or other widely used command and control (C2) methods."
Another notable aspect of RansomHub attacks is the use of intermittent encryption to speed up the process, with data exfiltration observed through tools such as PuTTY, Amazon AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
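The chain the advisory describes (accounts created or re-enabled, a credential-dumping tool run under one of them, RDP logons, then an exfiltration utility) leaves a recognisable trail in Windows Security events. The following added example, which is not part of the advisory or any vendor tooling, correlates that trail per account over a small set of constructed log lines; the key=value layout, host names, account names and the 4720/4722/4688/4624 event IDs are the only assumptions, and the tool list is the one the advisory names.

```python
"""Correlate a RansomHub-style post-access chain in Windows Security events.

Added example, not from the advisory. The log lines below are constructed in a
simplified key=value rendering of Security events; real exports (EVTX, JSON from
a SIEM) need their own parser but the correlation logic is the same.
"""
import re
from collections import defaultdict

# Constructed sample events: one operator creates an account, re-enables a
# dormant admin, then uses it to dump credentials, RDP to a DC and run rclone.
SAMPLE_EVENTS = [
    "2024-08-12T01:02:03Z host=FS01 id=4720 subject=CORP\\jsmith target=CORP\\svc_backup2",
    "2024-08-12T01:02:40Z host=FS01 id=4722 subject=CORP\\jsmith target=CORP\\oldadmin",
    "2024-08-12T01:05:10Z host=FS01 id=4688 subject=CORP\\oldadmin image=C:\\Windows\\Temp\\mimikatz.exe",
    "2024-08-12T01:09:00Z host=DC01 id=4624 subject=CORP\\oldadmin logon_type=10 src=10.0.5.23",
    "2024-08-12T01:15:30Z host=DC01 id=4688 subject=CORP\\oldadmin image=C:\\Tools\\rclone.exe",
    "2024-08-12T02:00:00Z host=WS07 id=4624 subject=CORP\\alice logon_type=2 src=-",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Executables the advisory associates with credential theft, lateral movement
# and exfiltration; matched against the basename of the 4688 image path.
SUSPECT_IMAGES = {"mimikatz.exe", "psexec.exe", "psexesvc.exe", "rclone.exe",
                  "winscp.exe", "putty.exe", "anydesk.exe"}


def parse_event(line):
    """Turn one constructed log line into a dict; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "id": int(m.group("id"))}
    ev.update(dict(KV_RE.findall(m.group("rest"))))
    return ev


def analyze(lines):
    """Return (stages, watched): stages maps each account to the ordered list of
    suspicious stages it was seen in; watched is the set of accounts that were
    created (4720) or re-enabled (4722) in this window."""
    stages = defaultdict(list)
    watched = set()

    def add(account, stage):
        if stage not in stages[account]:
            stages[account].append(stage)

    for ev in filter(None, map(parse_event, lines)):
        subj, eid = ev.get("subject", "?"), ev["id"]
        if eid == 4720:                       # user account created
            add(subj, "created_account:" + ev.get("target", "?"))
            watched.add(ev.get("target"))
        elif eid == 4722:                     # user account enabled
            add(subj, "reenabled_account:" + ev.get("target", "?"))
            watched.add(ev.get("target"))
        elif eid == 4688:                     # process creation
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in SUSPECT_IMAGES:
                add(subj, "suspect_tool:" + image)
        elif eid == 4624 and ev.get("logon_type") == "10":   # RemoteInteractive (RDP)
            add(subj, "rdp_logon")
    return dict(stages), watched


def alerts(lines):
    """Accounts that were created/re-enabled and then seen in two or more stages."""
    stages, watched = analyze(lines)
    return sorted(a for a, s in stages.items() if a in watched and len(s) >= 2)


if __name__ == "__main__":
    found, _ = analyze(SAMPLE_EVENTS)
    for account in alerts(SAMPLE_EVENTS):
        print(account, "->", " | ".join(found[account]))
```

The alert rule deliberately keys on accounts that were created or re-enabled during the window rather than on any single tool name, because tool names are trivially renamed while the 4720/4722 events come from the domain controller and are harder for an intruder to avoid; the stage list is kept so an analyst can see the order of events when triaging.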
The development comes as Palo Alto Networks Unit 42 has detailed the tactics associated with the ShinyHunters ransomware group, which it tracks as Bling Libra, highlighting its shift from its traditional tactic of selling or publishing stolen data toward extorting victims directly. The cybercrime group first emerged in 2020.
How the cybercrime group reaches its victims
"The group acquires legitimate credentials, obtained from public repositories, to gain initial access to an organization's Amazon Web Services (AWS) environment," said security researchers Margaret Zimmermann and Chandni Vaya.
"Although the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization's AWS environment and conducted reconnaissance operations. The cybercriminal group used tools such as Amazon Simple Storage Service (S3) Browser and WinSCP to gather information about S3 bucket configurations, access S3 objects, and delete data."
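The activity Unit 42 describes (a leaked IAM credential used from an address the organisation does not own to enumerate buckets, read objects and then delete them) is visible in CloudTrail as a sequence of S3 API calls by one principal from one source IP. The following added example, which is not Unit 42's code or the affected organisation's, groups S3 events per (principal, source IP) and raises an alert when enumeration is followed by deletion from an unfamiliar address; the trail records, account ID, bucket names, addresses and the egress-IP baseline are all constructed.

```python
"""Triage S3 API activity in a CloudTrail export for the Bling Libra pattern:
a leaked IAM credential used from an unfamiliar address to enumerate buckets
and then delete objects.

Added example, not from Unit 42's report. The trail is constructed (the AWS
documentation example account ID, RFC 5737 test addresses, invented bucket
names); KNOWN_EGRESS_IPS stands in for an allow-list an organisation maintains.
"""
import json
from collections import OrderedDict

RECON = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
         "ListObjects", "ListObjectsV2"}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
KNOWN_EGRESS_IPS = {"203.0.113.10"}   # constructed: addresses the org's own pipelines use

PRINCIPAL = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed example ARN


def _rec(time, name, ip, bucket=None, agent="aws-cli/2.15.0"):
    """Build one CloudTrail-shaped S3 record for the constructed sample trail."""
    rec = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
           "sourceIPAddress": ip, "userAgent": agent,
           "userIdentity": {"type": "IAMUser", "arn": PRINCIPAL}}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


# Constructed trail: one legitimate upload from the pipeline's egress IP, then
# the same credential used from elsewhere with a desktop S3 client to enumerate,
# read and delete.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-08-20T09:00:01Z", "PutObject", "203.0.113.10", "acme-artifacts"),
    _rec("2024-08-20T13:12:05Z", "ListBuckets", "198.51.100.77", None, "S3 Browser/11.5.7"),
    _rec("2024-08-20T13:12:09Z", "GetBucketAcl", "198.51.100.77", "acme-backups", "S3 Browser/11.5.7"),
    _rec("2024-08-20T13:12:30Z", "ListObjectsV2", "198.51.100.77", "acme-backups", "S3 Browser/11.5.7"),
    _rec("2024-08-20T13:14:02Z", "GetObject", "198.51.100.77", "acme-backups", "S3 Browser/11.5.7"),
    _rec("2024-08-20T13:20:45Z", "DeleteObject", "198.51.100.77", "acme-backups", "S3 Browser/11.5.7"),
]})


def summarize(trail_json):
    """Group S3 calls by (principal ARN, source IP), recording recon and
    destructive call names in order, the buckets touched and the user agents."""
    groups = OrderedDict()
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        key = (rec["userIdentity"]["arn"], rec["sourceIPAddress"])
        g = groups.setdefault(key, {"known_ip": key[1] in KNOWN_EGRESS_IPS,
                                    "recon": [], "destructive": [],
                                    "buckets": set(), "agents": set()})
        name = rec["eventName"]
        if name in RECON:
            g["recon"].append(name)
        if name in DESTRUCTIVE:
            g["destructive"].append(name)
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket:
            g["buckets"].add(bucket)
        g["agents"].add(rec.get("userAgent", ""))
    return groups


def alerts(trail_json):
    """(arn, ip, reason) for sessions from an unfamiliar IP that enumerated,
    with the stronger reason when deletion followed."""
    out = []
    for (arn, ip), g in summarize(trail_json).items():
        if g["known_ip"]:
            continue
        if g["recon"] and g["destructive"]:
            out.append((arn, ip, "enumeration followed by deletion from unfamiliar IP"))
        elif g["recon"]:
            out.append((arn, ip, "enumeration from unfamiliar IP"))
    return out


if __name__ == "__main__":
    for arn, ip, reason in alerts(SAMPLE_TRAIL):
        print(f"{arn} from {ip}: {reason}")
```

Grouping by source IP as well as principal is what separates the pipeline's own PutObject from the intruder's session under the same credential; in practice the same split also tells you which access key to rotate first and which session's object-level events to pull when reconstructing what was read before the deletions.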
This comes amid a significant evolution in ransomware attacks, which have moved from simple file encryption to complex, multi-faceted extortion strategies, including triple and quadruple extortion schemes, according to SOCRadar.
"The triple extortion raises the stakes, threatening additional means of destruction beyond encryption and exfiltration," the company said, adding: "This could involve carrying out a DDoS attack against the victim's systems or extending direct threats to the victim's customers, suppliers, or other associates to cause further operational and reputational damage to those ultimately targeted by the extortion scheme."
Quadruple extortion further ups the ante by contacting third parties that have business relationships with the victim and extorting them as well, or by threatening to expose third-party data in order to increase the pressure on the victim to pay.
The lucrative nature of RaaS models has fueled a wave of new ransomware variants such as Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye and Insom, and has also led Iranian cybercriminals to collaborate with groups known as NoEscape, RansomHouse and BlackCat in exchange for a share of the illicit proceeds.