Rebranded Knight Ransomware Now Targeting Businesses Globally

RansomHub, a nascent yet prolific ransomware-as-a-service (RaaS) operation, has recently come into the limelight due to its rapid rise and significant impact. Cybersecurity researchers have traced its origins back to the now-defunct Knight ransomware, itself a rebrand of the Cyclops ransomware. Despite its short history, RansomHub has operated mainly as a data-theft and extortion group, selling stolen files to the highest bidder.

Knight Ransomware: A Brief History

Knight ransomware, initially identified in May 2023, was a rebranding of the Cyclops ransomware. It utilized double extortion tactics, which involved not only encrypting victims’ data but also threatening to leak stolen information unless a ransom was paid. Knight was versatile, targeting multiple platforms including Windows, Linux, macOS, ESXi, and Android. The ransomware was marketed and sold on the RAMP cybercrime forum, with phishing and spear-phishing campaigns being common methods of distribution. Knight’s operations came to an abrupt halt in February 2024 when its source code was sold on hacker forums, indicating a potential transfer of ownership and an impending rebrand.

The Emergence of RansomHub

RansomHub emerged on the cybercrime scene in February 2024, almost immediately after the sale of Knight’s source code. Security experts from Symantec and Malwarebytes observed extensive similarities between the two ransomware families. Both are written in the Go programming language and use Gobfuscate for obfuscation. The degree of code overlap is significant, making it challenging to distinguish between them. Both families use near-identical ransom notes (with minor updates in RansomHub’s version) and share a distinctive string-obfuscation technique in which important strings are encoded with unique keys. Both also restart endpoints in safe mode before encryption, a tactic intended to bypass security software that does not load in that mode.

Operational Tactics

RansomHub, like its predecessor, employs double extortion tactics. It gains initial access by exploiting known security vulnerabilities such as ZeroLogon and then deploys legitimate remote desktop tools like Atera and Splashtop to establish control over the victim’s systems. This method helps the attackers blend in with legitimate network traffic, making detection difficult. RansomHub’s attacks often occur outside of regular work hours, primarily in the early morning, to minimize the chances of immediate detection and response.
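The two behaviours described above (rebooting endpoints into safe mode before encryption, and running legitimate RMM agents such as Atera and Splashtop outside working hours) are both observable in endpoint process-creation telemetry. The script below is an added example written for this page, not code from the article or from any vendor it cites. It runs two simple detections over a constructed JSON-lines log in a simplified Sysmon-like shape and then correlates hits per host. Assumptions: the log format, the business-hours window, the agent executable names (AteraAgent.exe, SRServer.exe, SRService.exe, SRManager.exe), and the use of `bcdedit ... safeboot` as the way safe-mode boot is configured on Windows; none of these details come from the article.

```python
import json
import re
from datetime import datetime, time

# Constructed sample log: JSON lines with simplified Sysmon-like fields (format is an assumption).
SAMPLE_LOG = r"""
{"time": "2024-05-02T03:12:44", "host": "FS01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot network"}
{"time": "2024-05-02T03:15:10", "host": "FS01", "user": "CORP\\svc-backup", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "cmdline": "AteraAgent.exe"}
{"time": "2024-05-02T14:02:00", "host": "WS17", "user": "CORP\\jsmith", "image": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe", "cmdline": "SRServer.exe"}
{"time": "2024-05-02T23:48:31", "host": "DC02", "user": "CORP\\Administrator", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /deletevalue {default} safeboot"}
{"time": "2024-05-03T01:07:19", "host": "WS22", "user": "CORP\\helpdesk", "image": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe", "cmdline": "SRServer.exe"}
{"time": "2024-05-03T10:30:00", "host": "WS22", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

# Working hours used to decide "off-hours" (assumption; tune per organisation).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Executable names of the RMM agents the article names; file names are assumed, not from the page.
RMM_AGENT_IMAGES = {"ateraagent.exe", "srserver.exe", "srservice.exe", "srmanager.exe"}

# bcdedit with a 'safeboot' argument is the common way to force a safe-mode boot (assumption).
SAFEBOOT_CMD = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)


def parse_log(text):
    """Parse JSON lines into event dicts, converting 'time' to a datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def is_off_hours(ts):
    """True on weekends or outside the business-hours window."""
    if ts.weekday() >= 5:  # Saturday/Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_safeboot_set(ev):
    """Flag commands that *configure* a safe-mode boot; removing the value is not flagged."""
    cmd = ev.get("cmdline", "")
    if SAFEBOOT_CMD.search(cmd) and "/set" in cmd.lower():
        return "safeboot_configured"
    return None


def detect_off_hours_rmm(ev):
    """Flag RMM agent processes started outside business hours."""
    if basename(ev.get("image", "")) in RMM_AGENT_IMAGES and is_off_hours(ev["time"]):
        return "rmm_off_hours"
    return None


def scan(text):
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for ev in parse_log(text):
        for rule in (detect_safeboot_set, detect_off_hours_rmm):
            name = rule(ev)
            if name:
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"],
                                 "time": ev["time"].isoformat(), "cmdline": ev["cmdline"]})
    return findings


def correlate_by_host(findings):
    """Map host -> set of rule names, so a host tripping both rules stands out."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return by_host


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['host']:<5} {h['rule']:<20} {h['user']}  {h['cmdline']}")
    for host, rules in correlate_by_host(hits).items():
        severity = "HIGH" if len(rules) > 1 else "medium"
        print(f"{host}: {severity} ({', '.join(sorted(rules))})")
```

On the constructed sample, FS01 trips both rules within three minutes, which is the pattern worth paging on; the daytime Splashtop start on WS17 and the `bcdedit /deletevalue` restore on DC02 produce nothing. In production the RMM rule should be scoped to hosts where these agents are not sanctioned, since the article's point is that the tools themselves are legitimate.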

Notable Attacks

Since its inception, RansomHub has been linked to several high-profile attacks. In mid-April, the group leaked stolen data from UnitedHealth subsidiary Change Healthcare following a collaboration with BlackCat/ALPHV. In late May, the international auction house Christie’s confirmed a cybersecurity breach after RansomHub threatened to leak stolen data. Other significant targets have included Frontier Communications, showing the group’s broad targeting across industries.

Affiliates and Expansion

RansomHub’s rapid rise can be attributed to its ability to attract former affiliates of other ransomware operations such as ALPHV. Notable cybercriminals like Notchy and Scattered Spider have joined RansomHub, bringing their expertise and tools to the operation. This influx of experienced operators has likely contributed to RansomHub’s swift establishment and success in the cybercrime underground.

Ransomware Landscape

The ransomware landscape has seen a resurgence in activity in 2023, following a slight decline in 2022. Many new ransomware families observed are variants or rebrands of previously known ransomware, indicating a trend of code reuse and actor overlaps. Statistics from cybersecurity firms such as Malwarebytes reveal that RansomHub was linked to 26 confirmed attacks in April 2024 alone, placing it among the most active ransomware operations alongside Play, Hunters International, Black Basta, and LockBit.

Conclusion

RansomHub exemplifies the evolving nature of ransomware threats, demonstrating how rebranding and strategic updates can revitalize defunct operations. Its rapid rise and the success of its attacks underscore the persistent threat posed by ransomware groups. Organizations must remain aware and invest in robust cybersecurity services to counteract these sophisticated and ever-evolving threats.