RansomHub is a cybercriminal group operating a ransomware-as-a-service (RaaS) model that emerged in early 2024. It evolved from cybercriminal groups formerly known as Cyclops and Knight, and has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.
Here are some key points about the RansomHub cybercriminal group:
- Ransomware Development: RansomHub's ransomware strains are written primarily in Golang and C++, which gives the group builds for Windows, Linux, ESXi and MIPS targets from one code base. The malware is reported to use AST manipulation and other obfuscation techniques to evade detection and complicate reverse engineering.
- Double Extortion: Affiliates exfiltrate sensitive data before encrypting it, so a victim faces both operational disruption and public exposure if it refuses to pay. The threat of publishing stolen data on the group's .onion leak site is what raises the stakes; restoring from backups alone does not remove it.
- Targeted Attacks: The group prioritizes critical industries such as healthcare, engineering and manufacturing, with most victims in North America and Europe. Its affiliate rules exclude non-profit organizations and entities within the Commonwealth of Independent States (CIS), as well as countries such as China, Cuba and North Korea.
- Delivery Methods: Affiliates gain initial access by exploiting known, unpatched vulnerabilities in widely deployed enterprise software, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997) and Fortinet FortiClientEMS (CVE-2023-48788). All of these are n-day flaws with vendor patches available, so exposure is largely a patch-latency problem. Password brute forcing, spear-phishing and abuse of remote access tools are also used as entry points.
- Advanced Techniques: After establishing a foothold, affiliates use Nmap and Angry IP Scanner for network reconnaissance ahead of lateral movement. They rely on living-off-the-land techniques and custom tools that disable antivirus protections to stay under the radar, establish persistence by creating new user accounts, and harvest credentials with Mimikatz.
- Affiliate Model: The RaaS programme offers affiliates 90% of ransom proceeds, well above the 60-80% that most RaaS operations pay. This split is designed to attract experienced affiliates, including those who previously worked with LockBit and ALPHV/BlackCat.
- Ransom Payments: Affiliates demand payment in cryptocurrency to preserve anonymity. If a victim refuses, its data is usually published on RansomHub's leak site, often in phases spread over weeks to months, to maximize pressure to pay.
- Evolution and Updates: RansomHub updates its techniques and tooling quickly in response to defensive measures, repeatedly rebuilding its ransomware to defeat signature-based detection. It has also adapted to recent law enforcement actions by expanding into previously untargeted sectors.
- Global Impact: Since its emergence, RansomHub has become one of the most active ransomware groups globally, surpassing older groups such as LockBit in attack volume by mid-2024. This rise coincides with law enforcement crackdowns on competing groups and with RansomHub's aggressive affiliate recruitment. Its attacks on infrastructure-critical industries have had significant regional economic impact and raised global awareness of ransomware threats.
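The post-access behaviours listed under Advanced Techniques (scanner execution, Mimikatz-style credential dumping, antivirus tampering, new local accounts) each leave telemetry that can be correlated per host. The following Python is an added illustration written for this page, not RansomHub tooling or code from any vendor advisory: the event records are constructed, the event IDs follow Windows Security conventions (4688 process creation, 4720 account created), and the scanner binary names and detection strings are the editor's assumptions, not indicators published for this group.

```python
"""Toy per-host correlation of post-exploitation behaviours over constructed
Windows Security-style events. Rules and sample data are the editor's own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 4688 = process creation,
# 4720 = user account created. Paths are simplified.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:10:05", "host": "FS01", "id": 4688,
     "image": r"C:\Users\svc_backup\Downloads\nmap.exe",
     "cmdline": "nmap.exe -sS -p 445,3389 10.0.0.0/24"},
    {"ts": "2024-06-01T02:14:40", "host": "FS01", "id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-06-01T02:16:02", "host": "FS01", "id": 4688,
     "image": r"C:\ProgramData\m.exe",  # renamed binary; caught by command line
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"ts": "2024-06-01T02:20:33", "host": "FS01", "id": 4720,
     "target_user": "sqladm", "subject_user": "svc_backup"},
    {"ts": "2024-06-01T09:00:00", "host": "WS22", "id": 4688,   # benign admin check
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpComputerStatus"},
    {"ts": "2024-06-03T11:30:00", "host": "DC01", "id": 4720,   # lone account creation
     "target_user": "jdoe", "subject_user": "helpdesk01"},
]

# Assumed binary names for the scanners named in the text (Nmap, Angry IP Scanner).
SCANNERS = {"nmap.exe", "ipscan.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Map one event to the behaviour it indicates, or None if it is uninteresting."""
    if event["id"] == 4720:
        return "persistence: local account created"
    if event["id"] != 4688:
        return None
    image = basename(event.get("image", ""))
    cmd = event.get("cmdline", "").lower()
    if image in SCANNERS:
        return "reconnaissance: network scanner executed"
    if image == "mimikatz.exe" or "sekurlsa::" in cmd:
        return "credential access: Mimikatz-style command line"
    if "set-mppreference" in cmd and "-disablerealtimemonitoring" in cmd and "$true" in cmd:
        return "defense evasion: Defender real-time monitoring disabled"
    return None


def correlate(events, window=timedelta(hours=1), min_tactics=2):
    """Return {host: sorted tactics} for hosts showing at least `min_tactics`
    distinct behaviours inside any `window`-long span. A single 4720 on a DC is
    routine; a scanner, AV tampering, credential dumping and a new account on the
    same host within an hour is not."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        tactic = classify(e)
        if tactic:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tactic))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            tactics = {t for ts, t in hits[i:] if ts - t0 <= window}
            if len(tactics) >= min_tactics:
                alerts[host] = sorted(tactics)
                break
    return alerts


if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(tactics))
```

With the defaults only FS01 alerts, because the four behaviours fall inside one hour; DC01's single account creation is below the threshold and WS22's benign Defender status query matches no rule. Lowering `min_tactics` to 1 turns the pass into a plain indicator match, which is noisier but useful for hunting across hosts where the chain has not yet completed.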
RansomHub's combination of capable cross-platform malware, double extortion and aggressive affiliate recruitment has made it a major player in the ransomware landscape, with a fast-growing global footprint.
See more details on: