
- 245/2024
- High
RansomHub is a ransomware-as-a-service (RaaS) variant, formerly known as Cyclops and Knight, which emerged in 2017; it encrypts files on victims’ systems and demands payment for decryption. In February 2024, threat actors affiliated with the RansomHub group systematically encrypted and exfiltrated data from at least 210 victims across sectors including information technology, government services, healthcare, financial services, and communications critical infrastructure.
The RansomHub group is known for double-extortion attacks: it encrypts files on the victim’s network endpoints and exfiltrates sensitive data to extort the victim. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides the victim with a client ID and instructs them to contact the group via a unique “.onion” URL.
The Tactics and Techniques of RansomHub Ransomware:
o Initial Access:
- RansomHub compromises internet-facing systems and user endpoints using phishing emails and exploitation of known vulnerabilities.
- Password spraying targets accounts exposed in data breaches, most of them harvested by the LummaC2 stealer.
- The most common entry point is a published RDP service on a public-facing Windows server without multi-factor authentication.
o Discovery:
- The threat actor conducts network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living-off-the-land methods.
o Defense Evasion:
- The group renames its executable to legitimate-looking file names such as Windows.exe and leaves it in the user’s Desktop or Downloads folder.
- They disable antivirus products and clear Windows and Linux system logs to hinder incident response and endpoint detection.
o Privilege Escalation and Lateral Movement:
- The group creates user accounts for persistence, re-activates disabled accounts, and uses Mimikatz on Windows systems to gather credentials and escalate privileges to SYSTEM.
- They move laterally inside the network using Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, Metasploit, or other widely used command-and-control (C2) methods.
o Exfiltration:
- Before encryption, the threat actors archive data stored on the systems and upload it to a remote file share.
- Data exfiltration has been observed via tools such as PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit, among other methods.
o Impact:
- RansomHub typically uses the Curve25519 elliptic-curve algorithm to encrypt user-accessible files on the system, with a public/private key pair unique to each victim organization.
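Several of the techniques above leave traces in the Windows Security event log: password spraying against RDP shows up as bursts of failed logons (Event ID 4625) from one source against many accounts, log clearing is itself logged (Event ID 1102), and account creation or re-activation for persistence appears as Event IDs 4720 and 4722. The script below is an added example, not part of this advisory or of any vendor tooling, showing how a defender can triage exported events for those three patterns. The event records are constructed sample data; the IP addresses, account names, and thresholds (5 distinct accounts within 10 minutes) are assumptions to be tuned to the environment.

```python
"""Triage Windows Security events for RansomHub-style activity (added example).

Event IDs are the standard Windows Security log IDs:
  4625 failed logon, 1102 audit log cleared,
  4720 user account created, 4722 user account enabled.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: {"ts": ISO-8601 time, "id": event id, "data": fields}
SAMPLE_EVENTS = [
    # six different accounts fail from one external source within three minutes
    {"ts": "2024-02-10T02:00:01", "id": 4625, "data": {"user": "alice", "src_ip": "203.0.113.7"}},
    {"ts": "2024-02-10T02:00:30", "id": 4625, "data": {"user": "bob", "src_ip": "203.0.113.7"}},
    {"ts": "2024-02-10T02:01:02", "id": 4625, "data": {"user": "carol", "src_ip": "203.0.113.7"}},
    {"ts": "2024-02-10T02:01:40", "id": 4625, "data": {"user": "dave", "src_ip": "203.0.113.7"}},
    {"ts": "2024-02-10T02:02:15", "id": 4625, "data": {"user": "erin", "src_ip": "203.0.113.7"}},
    {"ts": "2024-02-10T02:02:50", "id": 4625, "data": {"user": "frank", "src_ip": "203.0.113.7"}},
    # a single mistyped password from the LAN: not a spray
    {"ts": "2024-02-10T09:14:00", "id": 4625, "data": {"user": "alice", "src_ip": "10.0.0.15"}},
    # audit log cleared by a service account
    {"ts": "2024-02-10T03:10:00", "id": 1102, "data": {"user": "svc-backup"}},
    # new account created, then a disabled built-in account re-enabled
    {"ts": "2024-02-10T03:12:00", "id": 4720, "data": {"target": "support1", "actor": "svc-backup"}},
    {"ts": "2024-02-10T03:13:00", "id": 4722, "data": {"target": "Guest", "actor": "svc-backup"}},
]

SPRAY_WINDOW = timedelta(minutes=10)   # assumption: tune per environment
SPRAY_MIN_ACCOUNTS = 5                 # assumption: distinct accounts per source


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {src_ip: sorted account list} for sources whose failed logons hit
    at least `min_accounts` distinct accounts inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["data"].get("src_ip", "-")].append((_ts(e), e["data"]["user"]))
    hits = defaultdict(set)
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def detect_log_clearing(events):
    """Return (timestamp, user) for every 'audit log cleared' event."""
    return [(e["ts"], e["data"].get("user", "?")) for e in events if e["id"] == 1102]


def detect_account_changes(events):
    """Return account creations (4720) and enablements (4722), which together
    cover the 'create accounts for persistence / re-activate disabled accounts'
    behaviour described above."""
    actions = {4720: "created", 4722: "enabled"}
    return [
        {"ts": e["ts"], "action": actions[e["id"]],
         "target": e["data"]["target"], "actor": e["data"].get("actor", "?")}
        for e in events if e["id"] in actions
    ]


def triage(events):
    """Run all three detections and return a findings dictionary."""
    return {
        "password_spray": detect_password_spray(events),
        "log_cleared": detect_log_clearing(events),
        "account_changes": detect_account_changes(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

In practice the events come from an EDR/SIEM export or `Get-WinEvent`; the point of the sliding window is that a spray spreads a few attempts over many accounts, so counting failures per account (the usual lockout logic) never fires, while counting distinct accounts per source does.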
Vulnerabilities
- CVE-2023-3519
- CVE-2023-27997
- CVE-2023-46604
- CVE-2023-22515
- CVE-2023-46747
- CVE-2023-48788
- CVE-2017-0144
- CVE-2020-1472
- CVE-2020-0787
Mitigations
- Use an external attack surface management solution to discover any cyber threat exposures of assets, external remote services, and user accounts compromised by initial access trojans.
- Enforce one-time password (OTP) based multi-factor authentication (MFA) for external remote services.
- Conduct regular ransomware readiness assessments to discover gaps in security controls.
- Apply network segmentation by segregating critical systems and networks to limit the spread of ransomware.
- Maintain frequent and secure backups of all critical data.
- Ensure that backups are stored offline and tested regularly to verify their integrity.
- Disable unnecessary and unused services and protocols, restrict access to critical management interfaces, and implement strict firewall rules to limit network exposure.
- Always monitor for significant spikes in network traffic to particular external resources; such spikes may indicate data exfiltration.
- Deploy monitoring solutions and maintain an incident response plan so that suspicious activity is addressed promptly and proactively.
- Search for existing signs of the indicated IOCs in your environment.
- Block IOCs at the organization’s security devices.
- Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
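The mitigation about watching for traffic spikes to external resources is easy to state but needs a baseline to act on. The script below is an added example, not part of this advisory, that aggregates per-destination daily egress volume from flow records, flags a day whose volume exceeds a multiple of that destination's own history, and separately flags a large transfer to a destination never seen before (the pattern left by archiving data and uploading it to a fresh remote share or S3 bucket). The flow records, destination addresses, and thresholds (5× the rolling mean, 3 days of history, 500 MB for a new destination) are constructed assumptions.

```python
"""Flag egress volume spikes per external destination (added example)."""
from collections import defaultdict
from statistics import mean

MB = 1_000_000

# Constructed sample flow summaries: (day number, destination, bytes sent).
SAMPLE_FLOWS = [
    # a known destination with a steady ~50 MB/day, then a 2.5 GB burst on day 8
    *[(d, "203.0.113.50", b * MB) for d, b in zip(range(1, 8), (40, 55, 50, 45, 60, 50, 48))],
    (8, "203.0.113.50", 2500 * MB),
    # a known destination with no change
    *[(d, "198.51.100.9", 100 * MB) for d in range(1, 9)],
    # a destination first seen on day 8 receiving 1.2 GB
    (8, "192.0.2.77", 1200 * MB),
]


def daily_totals(flows):
    """Sum bytes per destination per day: {dst: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, dst, nbytes in flows:
        totals[dst][day] += nbytes
    return totals


def detect_egress_spikes(flows, factor=5.0, min_history=3, new_dst_min=500 * MB):
    """Return findings sorted by (day, dst).

    volume_spike:     bytes > factor * mean of that destination's earlier days,
                      once at least `min_history` days of history exist.
    new_destination:  first day a destination is seen sends >= new_dst_min bytes.
    """
    findings = []
    for dst, per_day in daily_totals(flows).items():
        history = []
        for day in sorted(per_day):
            nbytes = per_day[day]
            if not history and nbytes >= new_dst_min:
                findings.append({"day": day, "dst": dst, "bytes": nbytes,
                                 "reason": "new_destination", "baseline": None, "ratio": None})
            elif len(history) >= min_history:
                baseline = mean(history)
                if nbytes > factor * baseline:
                    findings.append({"day": day, "dst": dst, "bytes": nbytes,
                                     "reason": "volume_spike", "baseline": baseline,
                                     "ratio": round(nbytes / baseline, 1)})
            history.append(nbytes)
    findings.sort(key=lambda f: (f["day"], f["dst"]))
    return findings


if __name__ == "__main__":
    for f in detect_egress_spikes(SAMPLE_FLOWS):
        print(f"day {f['day']} {f['dst']} {f['bytes'] // MB} MB: {f['reason']}")
```

Real input would be NetFlow/IPFIX or firewall session logs summed per destination; the rolling mean is deliberately simple so that a sudden multi-gigabyte upload stands out against a destination's normal chatter, and the separate new-destination rule catches exfiltration to infrastructure that has no history at all.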