RansomHub Starting to Make a Name for Themselves
Although RansomHub only emerged earlier this year, it is already regarded as one of the most prolific ransomware groups. The group operates a ransomware-as-a-service (RaaS) model, in which a central core develops and maintains the ransomware code and infrastructure and leases it to other cybercriminals who serve as affiliates.
RansomHub capitalized on the disruption inflicted upon the LockBit gang by law enforcement in February 2024. During an international operation against LockBit, authorities seized several of the group’s websites and decryption tools. Additionally, they taunted affiliates, making it clear that they were under surveillance. Numerous affiliates who previously employed encryptors from the LockBit group have transitioned to competing RaaS gangs. Notably, RansomHub, as reported by Check Point, contributed to a substantial surge in attacks during June, affecting nearly eighty new victims.
RansomHub has actively recruited affiliates from other ransomware-as-a-service operations. For example, it welcomed former ALPHV/BlackCat affiliates after that group scammed its partners.
Researchers posit that RansomHub’s roots can be linked to an older ransomware known as Knight. In February 2024, Knight’s source code was made available for sale on hacking forums, and the two share significant similarities.
Recently, RansomHub claimed responsibility for an attack on the Florida Department of Health asserting that it has leaked 100 GB of data stolen from the organization after ransom negotiations fell through. Other notable attacks attributed to RansomHub include one against the Christie’s auction house. However, one of RansomHub’s most significant victims was Change Healthcare.
During the past three months, RansomHub has been the fourth most prolific ransomware crew in sheer volume of claimed attacks, according to a recent Symantec report. LockBit remained No. 1 in Symantec’s rankings, with a claimed 489 ransomware infections, followed by Play (101), Qilin (92), and RansomHub (61).
RansomHub operates by breaking into a victim’s IT environment and deploying a handful of legitimate tools for remote access, as well as NetScan to collect information about network devices. The group then deploys a ransomware payload, which exfiltrates and encrypts the files on infected Windows PCs. If a victim does not pay the ransom, the stolen data is either leaked or sold off. They even threaten to sell the data to the victim’s business rivals to pressure the victim into paying the ransom.
It is crucial that your business has someone monitoring the various types of ransomware and cyberattacks that are happening all over the globe. You must stay vigilant, and you can NOT be too prepared in the war against cyberattacks. If you need help evaluating your security solutions stack or just have questions about best practices, let the expert team at 2W Tech help. Give us a call today.