RansomHub
RansomHub era una variante di ransomware-as-a-service (RaaS), precedentemente nota come Cyclops e Knight.
The Origin of RansomHub
Emerging in February 2024, the group has encrypted and exfiltrated data from over 210 victims, leveraging high-profile affiliates from other ransomware groups such as LockBit and ALPHV. RansomHub's operation focused on a double extortion model, where affiliates encrypt systems and exfiltrate data, threatening to publish stolen data if ransoms are not paid. The group was known for its professionalism and technical sophistication. RansomHub was last seen in March 2025.
Countries targeted by RansomHub
RansomHub had a global reach, with victims primarily in the United States and Europe, focusing on critical infrastructure and key industries.
The group claimed to avoid targeting the Commonwealth of Independent States (CIS), Cuba, North Korea, and China, likely due to operational safe havens or legal protections.
Industries targeted by RansomHub
RansomHub targets a broad range of industries, with the top sectors being Business Services, Retail, and Manufacturing. Other industries frequently impacted include Educational Services, Government, Finance, Construction, Healthcare, Technology, and Critical Infrastructures. The group's focus on critical sectors highlights its broad operational scope, posing a significant threat to both public and private entities.
Despite the group's efficiency, they claim not to target non-profit organizations.
RansomHub's Victims
Over 844 organizations have fallen victim to RansomHub since its emergence, with a notable focus on public infrastructure, including healthcare systems and government facilities. These attacks disrupted vital services, leading to significant operational downtimes and substantial ransom demands.
RansomHub's Attack Method
RansomHub affiliates gained access through phishing emails, exploiting vulnerabilities, and password spraying. Common vulnerabilities exploited include CVE-2023-3519 (Citrix ADC), CVE-2023-27997 (Fortinet), and CVE-2020-1472 (Netlogon privilege escalation).
Once inside, affiliates escalated privileges using tools like Mimikatz, enabling full control over compromised systems.
They disabled security tools, clear logs, and renamed ransomware executables to blend into system files, evading detection.
Using credential dumping tools and password spraying, affiliates gathered administrative credentials to access high-value systems.
Network reconnaissance was conducted using tools like Nmap and PowerShell to identify valuable targets and plan further exploitation.
Affiliates moved laterally using tools like Remote Desktop Protocol (RDP), PsExec, and AnyDesk, gaining access to additional systems within the network.
Sensitive data was exfiltrated using tools like Rclone and WinSCP, often for double extortion purposes, where the stolen data was used as leverage in ransom negotiations.
The ransomware was executed across the victim’s network, encrypting files using Curve 25519 elliptic-curve encryption.
Data was exfiltrated through encrypted protocols, cloud accounts, or direct transfers to attacker-controlled servers.
RansomHub’s encryption rendered victim systems inoperable, often leading to extensive operational downtime. Affiliates deleted backups and volume shadow copies to prevent recovery efforts, maximizing the pressure on victims to pay the ransom.
RansomHub affiliates gained access through phishing emails, exploiting vulnerabilities, and password spraying. Common vulnerabilities exploited include CVE-2023-3519 (Citrix ADC), CVE-2023-27997 (Fortinet), and CVE-2020-1472 (Netlogon privilege escalation).
Once inside, affiliates escalated privileges using tools like Mimikatz, enabling full control over compromised systems.
They disabled security tools, clear logs, and renamed ransomware executables to blend into system files, evading detection.
Using credential dumping tools and password spraying, affiliates gathered administrative credentials to access high-value systems.
Network reconnaissance was conducted using tools like Nmap and PowerShell to identify valuable targets and plan further exploitation.
Affiliates moved laterally using tools like Remote Desktop Protocol (RDP), PsExec, and AnyDesk, gaining access to additional systems within the network.
Sensitive data was exfiltrated using tools like Rclone and WinSCP, often for double extortion purposes, where the stolen data was used as leverage in ransom negotiations.
The ransomware was executed across the victim’s network, encrypting files using Curve 25519 elliptic-curve encryption.
Data was exfiltrated through encrypted protocols, cloud accounts, or direct transfers to attacker-controlled servers.
RansomHub’s encryption rendered victim systems inoperable, often leading to extensive operational downtime. Affiliates deleted backups and volume shadow copies to prevent recovery efforts, maximizing the pressure on victims to pay the ransom.
TTPs used by RansomHub
Come individuare gli autori delle minacce con Vectra AI
Domande frequenti
What industries does RansomHub primarily target?
RansomHub attacks critical infrastructure sectors such as healthcare, financial services, and government facilities.
What countries are most affected by RansomHub?
The group primarily targets organizations in the United States and Europe, avoiding CIS countries, Cuba, North Korea, and China.
How does RansomHub gain initial access?
Affiliates exploit known vulnerabilities, use phishing attacks, and leverage stolen credentials to infiltrate systems.
What are RansomHub's data exfiltration methods?
They use tools like Rclone and WinSCP to exfiltrate sensitive data over encrypted channels.
How does RansomHub escalate privileges within a network?
Affiliates use tools like Mimikatz to extract credentials and escalate to system-level privileges.
What encryption method does RansomHub use?
RansomHub affiliates use Curve 25519 elliptic-curve encryption to lock victims’ files.
How do RansomHub affiliates avoid detection?
They disable security tools, clear logs, and rename ransomware executables to blend in with legitimate files.
What tools does RansomHub use for lateral movement?
Tools like Remote Desktop Protocol (RDP), AnyDesk, and PsExec are used for moving laterally within compromised networks.
What mitigation strategies can help prevent RansomHub attacks?
Implementing phishing-resistant multi-factor authentication (MFA), patching vulnerabilities, and segmenting networks are key mitigation strategies.
What is the impact of a RansomHub attack?
Victims often experience significant downtime and data loss due to encryption and the deletion of backups, leading to operational paralysis and high ransom demands.