June 7, 2024
Severity
High
Analysis Summary
Analysis of the recently emerged RansomHub ransomware operation shows that its payload is a rebranded and updated version of Knight ransomware, which is itself a successor to the Cyclops ransomware.
Knight, also known as Cyclops 2.0, first appeared in May 2023 and runs double-extortion attacks, stealing victims' data before encrypting it. It has builds for Windows, Linux, macOS, ESXi and Android. The ransomware was advertised and sold on an underground forum, and Knight attacks have been observed spreading through phishing and spear-phishing emails carrying malicious attachments.

The Knight ransomware-as-a-service (RaaS) operation has been shut down since its source code was put up for sale in late February 2024, which makes it likely that another actor bought the code, updated it and relaunched it under the RansomHub name. RansomHub posted its first victim that same month and has since been linked to attacks on Change Healthcare, Christie's and Frontier Communications. Its operators state that they will not attack organizations in China, North Korea, Cuba or the Commonwealth of Independent States (CIS).
Both payloads are written in Go, and most samples of each family are obfuscated with Gobfuscate. The code overlap is large enough that the researchers describe telling the two families apart as exceedingly difficult. The command-line help menus of the two families are identical, except that RansomHub adds a "sleep" option that makes the malware wait a configurable number of minutes before executing. Comparable sleep options have also been seen in the Trigona and Chaos/Yashma ransomware families.
Knight and RansomHub use the same technique to obfuscate strings, both write their ransom note after encrypting files, and both restart the host into Safe Mode before encrypting it. The main difference between them is the set of commands each runs through cmd.exe: the commands are invoked in the same way and at the same point in execution relative to the other operations, but the commands themselves differ.
In RansomHub attacks, initial access has been gained through known vulnerabilities such as ZeroLogon (CVE-2020-1472), and remote management tools such as Atera and Splashtop are dropped on the host before the ransomware is deployed. In confirmed attacks for April 2024 alone, the family trails only Play, Hunters International, Black Basta and LockBit.
In a report released this week, Google-owned Mandiant said RansomHub is recruiting affiliates displaced by recent shutdowns and exit scams, such as those of LockBit and BlackCat (also known as ALPHV and Noberus). Notchy, a former Noberus affiliate, is reportedly now working with RansomHub, and a recent RansomHub intrusion used tooling previously associated with Scattered Spider, another Noberus affiliate. The speed at which RansomHub has built up its affiliate base suggests the group is run by experienced operators with ties to the cybercrime underground.
The report also notes that ransomware activity dipped slightly in 2022 and rose again in 2023, and that roughly one-third of the 50 new families observed in 2023 were variants of previously identified families, pointing to growing actor overlap, rebranding and code reuse. In nearly one-third of incidents the ransomware was deployed within 48 hours of the attacker gaining access, and 76 percent of deployments took place outside regular business hours, mostly in the early morning.
Another distinguishing feature of these intrusions is that they did not rely on Cobalt Strike; the attackers instead supported their activity with legitimate commercial remote desktop tools. The growing reliance on authorized tools suggests attackers are trying to blend in with normal administrative activity and to avoid the cost of building and maintaining custom tooling.
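Two of the behaviours described above are visible in ordinary process-creation telemetry: the host being staged to reboot into Safe Mode before encryption, and commercial remote management agents appearing on machines where nobody installed them. The following detection logic is an added example, not code from this advisory or from any vendor. It runs over constructed events laid out like Sysmon Event ID 1 records; the RMM executable names and the bcdedit syntax for staging a Safe Mode boot are assumptions drawn from common deployments and should be checked against your own environment before the rules go into production.

```python
"""Process-creation detections for two behaviours in the advisory above:
staging a Safe Mode boot before encryption, and RMM agents (Atera, Splashtop)
running on hosts where they are not approved.

Added example, not from the advisory or any vendor. Events use Sysmon Event
ID 1 field names; the sample events are constructed. The RMM process names
and the bcdedit syntax are assumptions, so verify them in your environment.
"""
import re
from datetime import datetime, timedelta

# Windows is staged for Safe Mode with "bcdedit /set {default} safeboot minimal|network".
# Requiring "/set" keeps "bcdedit /enum" and the admin clean-up
# "bcdedit /deletevalue {default} safeboot" from firing.
SAFEBOOT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?(?:\s+\S+)*?\s+/set(?:\s+\S+)*?\s+safeboot(?=\s|$)", re.IGNORECASE)
# "shutdown /r" (or "-r") is the reboot that makes the staged Safe Mode take effect.
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?(?:\s+\S+)*?\s+[/-]r(?=\s|$)", re.IGNORECASE)

# Assumed executable names for the RMM tools named in the advisory.
RMM_IMAGES = {"ateraagent.exe": "Atera", "srserver.exe": "Splashtop", "srservice.exe": "Splashtop"}

# A reboot this long after Safe Mode was staged is treated as the same sequence.
REBOOT_WINDOW = timedelta(minutes=15)


def detect(events, approved_rmm_hosts=frozenset(), window=REBOOT_WINDOW):
    """Run the rules over process-creation events and return alerts in time order.

    approved_rmm_hosts: hosts where an RMM agent is expected (e.g. the helpdesk).
    """
    alerts = []
    staged = {}  # host -> time Safe Mode was last staged, for the reboot correlation
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])
        host = ev["Computer"]
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")

        if SAFEBOOT_RE.search(cmd):
            staged[host] = ts
            alerts.append(_alert("safeboot_staged", "high", ev,
                                 "host configured to boot into Safe Mode"))
        elif REBOOT_RE.search(cmd) and host in staged and ts - staged[host] <= window:
            secs = int((ts - staged[host]).total_seconds())
            alerts.append(_alert("safe_mode_reboot", "critical", ev,
                                 f"reboot {secs}s after Safe Mode was staged"))

        if image in RMM_IMAGES and host not in approved_rmm_hosts:
            alerts.append(_alert("unapproved_rmm", "medium", ev,
                                 f"{RMM_IMAGES[image]} agent on a host not approved for RMM"))
    return alerts


def _alert(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "host": ev["Computer"],
            "time": ev["UtcTime"], "user": ev.get("User", ""), "detail": detail,
            "command": ev.get("CommandLine", "")}


# Constructed sample events: two RMM launches (one on an approved helpdesk box),
# a routine patch reboot, an admin inspecting the boot config, then the
# stage-and-reboot sequence a Knight/RansomHub payload would produce.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-03T01:58:40", "Computer": "WS-042", "User": "CORP\\jsmith",
     "Image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
     "CommandLine": "\"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\""},
    {"UtcTime": "2024-06-03T02:00:12", "Computer": "HELPDESK-01", "User": "CORP\\helpdesk",
     "Image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
     "CommandLine": "\"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\""},
    {"UtcTime": "2024-06-03T02:05:30", "Computer": "WS-010", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown.exe /r /t 300"},
    {"UtcTime": "2024-06-03T02:09:17", "Computer": "SRV-FS01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /enum"},
    {"UtcTime": "2024-06-03T02:10:44", "Computer": "SRV-FS01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} safeboot network"},
    {"UtcTime": "2024-06-03T02:11:02", "Computer": "SRV-FS01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown.exe /r /t 0"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, approved_rmm_hosts={"HELPDESK-01"}):
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['rule']}: {a['detail']}")
```

On the sample data this raises three alerts: the Atera agent on WS-042 (the helpdesk host is on the approved list and stays quiet), the Safe Mode staging on SRV-FS01, and the reboot 18 seconds later, which is the point at which encryption is about to start and an automated isolation of the host is still worth attempting. The patch reboot on WS-010 does not fire because no Safe Mode change preceded it, and the plain `bcdedit /enum` does not fire because the rule requires `/set`.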
Impact
- Financial Loss
- Sensitive Data Theft
- File Encryption
Indicators of Compromise
MD5
- 3034b61a52ddc30eabdb96f49334453b
- a1dd2dff2859b22bcf6a3a4d868a2dbc
- 0cd4b7a48220b565eb7bd59f172ea278
- 392880023da7df0f504056be9e58d141
- 09e382be8dc54551cbfc60557d5a70b0
- cfb2286b45544fdb23569f59c02e3d58
- 19209b41db4a3d67e2c2c1962d91bd25
- 8c8916d8ea8c44e383d55e919a9f989f
- bd1efe953875f35cc8b787c0980e8a75
- 19ebefbb1e4cb0fc5ce21b954f52e1bc
- eaa6160cf4ed6b7d8d68eeb42c0362d5
- ba8763fc59d73b28b070cb6eb393aa83
SHA-256
- 02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292
- 34e479181419efd0c00266bef0210f267beaa92116e18f33854ca420f65e2087
- 7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a
- 8f59b4f0f53031c555ef7b2738d3a94ed73568504e6c07aa1f3fa3f1fd786de7
- ea9f0bd64a3ef44fe80ce1a25c387b562a6b87c4d202f24953c3d9204386cf00
- 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2
- 2f3d82f7f8bd9ff2f145f9927be1ab16f8d7d61400083930e36b6b9ac5bbe2ad
- 36e5be9ed3ec960b40b5a9b07ba8e15d4d24ca6cd51607df21ac08cda55a5a8e
- 595cd80f8c84bc443eff619add01b86b8839097621cdd148f30e7e2214f2c8cb
- 7114288232e469ff368418005049cf9653fe5c1cdcfcd63d668c558b0a3470f2
- e654ef69635ab6a2c569b3f8059b06aee4bce937afb275ad4ec77c0e4a712f23
- fb9f9734d7966d6bc15cce5150abb63aadd4223924800f0b90dc07a311fb0a7e
SHA-1
- eec3a55b1599eee16a47954e1bb230ec99db5f96
- bd886d47719d0881fcd7001713169215996f530f
- a7ca950c6dadd02ab8fafdba8f984266fc2f9b7c
- 06156f7e42dc18f36c64855edb8adbb892cac0c0
- b312a5003d6919d5985630dbd655d306a318ce13
- 82793d93d987abb357809f069420d17a25a59f26
- 261535c91df592071adb5cdbf255566c9ce019dc
- ada3a90f022fbdaee50245ecdaab6e5756d18d0d
- 63c31bcda20194821d142a0ed131eb32649aa32e
- 5f27d44bfdd918e17605cdef3883c8070325cdfb
- b67b17b8930c872da4347be931fb9b27c624f0cb
- ee682488fe843d8bb826854d23b2cea73fad4969
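The indicators above are file hashes, so the practical check is a sweep that hashes every file on disk and compares against all three lists. The script below is an added example, not part of this advisory: it parses the IOC section exactly as pasted above, buckets digests by length so a feed that mislabels algorithms still loads, computes MD5, SHA-1 and SHA-256 in a single pass over each file, and reports exact matches. The directory layout and sample file used in the test are constructed. Keep in mind that a hash match only proves one of these specific samples is present; a rebuilt or re-obfuscated payload changes every digest, so a clean sweep is not evidence that RansomHub is absent.

```python
"""Sweep a directory tree for the hash indicators in the advisory above.

Added example, not part of the original advisory. Parses the IOC section as
pasted, hashes every regular file once (MD5, SHA-1, SHA-256 in one read) and
reports exact matches. Hash IOCs only catch these specific samples.
"""
import hashlib
import os
import re

# Copied from the "Indicators of Compromise" section of this advisory.
IOC_TEXT = """
MD5
3034b61a52ddc30eabdb96f49334453b
a1dd2dff2859b22bcf6a3a4d868a2dbc
0cd4b7a48220b565eb7bd59f172ea278
392880023da7df0f504056be9e58d141
09e382be8dc54551cbfc60557d5a70b0
cfb2286b45544fdb23569f59c02e3d58
19209b41db4a3d67e2c2c1962d91bd25
8c8916d8ea8c44e383d55e919a9f989f
bd1efe953875f35cc8b787c0980e8a75
19ebefbb1e4cb0fc5ce21b954f52e1bc
eaa6160cf4ed6b7d8d68eeb42c0362d5
ba8763fc59d73b28b070cb6eb393aa83
SHA-256
02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292
34e479181419efd0c00266bef0210f267beaa92116e18f33854ca420f65e2087
7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a
8f59b4f0f53031c555ef7b2738d3a94ed73568504e6c07aa1f3fa3f1fd786de7
ea9f0bd64a3ef44fe80ce1a25c387b562a6b87c4d202f24953c3d9204386cf00
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2
2f3d82f7f8bd9ff2f145f9927be1ab16f8d7d61400083930e36b6b9ac5bbe2ad
36e5be9ed3ec960b40b5a9b07ba8e15d4d24ca6cd51607df21ac08cda55a5a8e
595cd80f8c84bc443eff619add01b86b8839097621cdd148f30e7e2214f2c8cb
7114288232e469ff368418005049cf9653fe5c1cdcfcd63d668c558b0a3470f2
e654ef69635ab6a2c569b3f8059b06aee4bce937afb275ad4ec77c0e4a712f23
fb9f9734d7966d6bc15cce5150abb63aadd4223924800f0b90dc07a311fb0a7e
SHA-1
eec3a55b1599eee16a47954e1bb230ec99db5f96
bd886d47719d0881fcd7001713169215996f530f
a7ca950c6dadd02ab8fafdba8f984266fc2f9b7c
06156f7e42dc18f36c64855edb8adbb892cac0c0
b312a5003d6919d5985630dbd655d306a318ce13
82793d93d987abb357809f069420d17a25a59f26
261535c91df592071adb5cdbf255566c9ce019dc
ada3a90f022fbdaee50245ecdaab6e5756d18d0d
63c31bcda20194821d142a0ed131eb32649aa32e
5f27d44bfdd918e17605cdef3883c8070325cdfb
b67b17b8930c872da4347be931fb9b27c624f0cb
ee682488fe843d8bb826854d23b2cea73fad4969
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> hashlib name
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large files (ISOs, VMDKs)


def parse_iocs(text):
    """Return {"md5": set, "sha1": set, "sha256": set}; headers and bullets are ignored."""
    iocs = {name: set() for name in ALGO_BY_LEN.values()}
    for line in text.splitlines():
        token = line.strip().lstrip("-").strip().lower()  # tolerate "- <hash>" bullets
        algo = ALGO_BY_LEN.get(len(token))
        if algo and HEX_RE.match(token):
            iocs[algo].add(token)
    return iocs


IOCS = parse_iocs(IOC_TEXT)


def hash_file(path):
    """Return {"md5": ..., "sha1": ..., "sha256": ...}, reading the file only once."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests, iocs=IOCS):
    """Return [(algo, digest)] for every digest that appears in the IOC set."""
    return [(a, d) for a, d in digests.items() if d in iocs.get(a, ())]


def sweep(root, iocs=IOCS):
    """Yield (path, hits) for every regular file under root whose hash matches."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: move on rather than abort the sweep
            hits = match_digests(digests, iocs)
            if hits:
                yield path, hits


if __name__ == "__main__":
    import sys
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, " ".join(f"{a}={d}" for a, d in hits))
```

Run it as `python sweep.py C:\` (or `/`) from an account that can read the paths of interest; unreadable files are skipped rather than halting the sweep, so a very short run on a large volume usually means a permissions problem, not a clean host. Because the three digests are computed in the same read, the cost is one pass over the disk regardless of how many hash types the feed supplies.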
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls. Hash matches only catch these specific samples, so hunt for the behaviours described in the analysis as well.
- Treat remote management tools such as Atera and Splashtop appearing on hosts where they are not approved as a possible precursor to ransomware deployment; keep an inventory of sanctioned remote access software and alert on anything outside it.
- Alert on hosts being configured to boot into Safe Mode, and on reboots that follow such a change, since both Knight and RansomHub restart the host into Safe Mode before encrypting it.
- Establish a robust patch management process so that security patches are evaluated, tested and applied promptly. In particular, confirm that every domain controller is patched for ZeroLogon (CVE-2020-1472) and enforcing secure Netlogon channels, as this vulnerability has been used for initial access in RansomHub attacks.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts, and prefer phishing-resistant authenticators, which are designed to withstand credential phishing and other social engineering attacks.
- Regularly monitor network and endpoint activity for unusual behaviour that may indicate an attack is underway. Since 76 percent of the deployments observed took place outside business hours, detection and response coverage must extend to nights and weekends.
- Keep software up to date and implement strong access controls and monitoring tools.
- Develop a comprehensive incident response plan so the organization can respond effectively to a security breach or data leak.
- Maintain regular backups of critical data and systems, keep at least one copy offline or immutable, and test restores so that data can be recovered after an incident.
- Apply the principle of least privilege so that users and applications hold only the permissions they need.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate threats and limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources or senders; Knight was distributed through phishing and spear-phishing attachments.