Since its emergence in February 2024, RansomHub has quickly become one of the most prominent ransomware groups, surpassing established players like LockBit. This article explores RansomHub’s origins, tactics, and some of its most significant attacks.
RansomHub: Origins and Structure
RansomHub first appeared on the cybercrime scene in early 2024, announcing itself as a new ransomware-as-a-service (RaaS) affiliate program on the RAMP cybercriminal forum. The group is believed to be an evolved iteration of the Knight ransomware, also known as Cyclops 2.0.
RansomHub operates on a RaaS model, where the core group develops the ransomware and leases it to affiliates who carry out attacks. What sets RansomHub apart is its unique payment structure – affiliates receive 90% of the ransom, paying only 10% to the core group.
More importantly, the money is sent to the affiliate first, addressing trust issues in the ransomware community following recent exit scams by other groups.
RansomHub: Tactics and Techniques
RansomHub employs a range of sophisticated tactics:
- Malware Development: The ransomware is written in Golang and C++, with builds for Windows, Linux, and ESXi hosts as well as MIPS-based devices.
- Exploitation: Recent attacks have leveraged the ZeroLogon vulnerability (CVE-2020-1472), allowing attackers to take over domain controllers.
- Remote Access: Tools like Atera and Splashtop are used for remote access, while NetScan is employed for network reconnaissance.
- Pre-Encryption Steps: Before deploying ransomware, attackers use command-line tools like iisreset.exe to stop Internet Information Services (IIS).
- Data Exfiltration: RansomHub employs double extortion tactics, stealing data before encryption to increase pressure on victims.
- Affiliate Recruitment: The group actively recruits affiliates, particularly former members of disrupted ransomware operations like ALPHV/BlackCat.
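As an added illustration, and not code from the article or from BlackFog, the Python sketch below triages constructed process-creation events for the tooling listed above and escalates any host where reconnaissance or remote-access tooling ran before IIS was stopped, the pre-encryption sequence the article describes. The agent binary names for Atera and Splashtop, the event field names, and the sample events themselves are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Tactic labels keyed by executable name, drawn from the tactics listed above.
# Matching on basename alone is a coarse, easily evaded heuristic meant to
# feed analyst triage, not to stand on its own.
WATCHLIST = {
    "iisreset.exe": "pre-encryption: stops IIS",
    "netscan.exe": "reconnaissance: NetScan",
    "ateraagent.exe": "remote access: Atera",      # assumed agent binary name
    "splashtop.exe": "remote access: Splashtop",   # assumed agent binary name
}

# Constructed sample process-creation events ordered by time; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "web01", "user": "CORP\\svc-deploy", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": 2, "host": "web01", "user": "CORP\\jdoe", "image": r"C:\Tools\netscan.exe"},
    {"ts": 3, "host": "web01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\iisreset.exe"},
    {"ts": 4, "host": "ws07", "user": "CORP\\asmith", "image": r"C:\Program Files\Splashtop\Splashtop.exe"},
    {"ts": 5, "host": "ws09", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe"},
]


def match_events(events):
    """Return one finding per event whose executable name is on the watchlist."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in WATCHLIST:
            findings.append({**ev, "tactic": WATCHLIST[name]})
    return findings


def escalate_hosts(findings):
    """Hosts where reconnaissance or remote-access tooling preceded an IIS stop.

    That ordering matches the staging-before-encryption pattern described above
    and merits immediate escalation rather than a routine ticket.
    """
    by_host = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_host[f["host"]].append(f["tactic"])
    escalated = []
    for host, tactics in by_host.items():
        stops = [i for i, t in enumerate(tactics) if t.startswith("pre-encryption")]
        if stops and any(not t.startswith("pre-encryption") for t in tactics[:stops[0]]):
            escalated.append(host)
    return escalated


if __name__ == "__main__":
    for f in match_events(SAMPLE_EVENTS):
        print(f'{f["ts"]} {f["host"]} {f["user"]}: {f["tactic"]}')
    print("escalate:", escalate_hosts(match_events(SAMPLE_EVENTS)))
```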
Notable Attacks
RansomHub has been involved in several high-profile attacks since its inception:
- Change Healthcare: One of the earliest and most impactful attacks attributed to RansomHub was against Change Healthcare, a major U.S. health payment processing company. On February 21, 2024, RansomHub claimed to have stolen four terabytes of sensitive data, including personal information of U.S. military personnel, medical records, and financial information. This attack followed a previous incident where Change Healthcare had paid a $22 million ransom to the ALPHV/BlackCat group. The RansomHub attack is believed to be related to disgruntled affiliates from the BlackCat group who felt cheated out of their share of the ransom.
- Christie’s Auction: In April 2024, RansomHub targeted Christie’s, a renowned British auction house. The attack led to the theft of sensitive client information affecting potentially 500,000 clients. Christie’s took immediate measures to secure their network and engaged external cybersecurity experts. The stolen data was later claimed to have been sold on RansomHub’s dark web auction platform, highlighting the group’s aggressive data-theft extortion tactics.
- UnitedHealth Group: RansomHub’s attack on UnitedHealth-owned prescription processor Change Healthcare caused massive disruption in the U.S. healthcare system for weeks, preventing many pharmacies and hospitals from processing claims and receiving payments. UnitedHealth paid a $22 million ransom to a Russian-speaking cybercrime group behind the attack, underscoring the severe impact and high stakes of RansomHub’s operations.
Growth and Impact
RansomHub’s growth has been remarkably fast. Between February and April 30, 2024, the group claimed forty-five victims (and counting!) across multiple countries, with the majority (13) in the US, followed by Brazil (6), and the UK, Italy, and Spain (3 each).
By June 2024, RansomHub had become the most prevalent ransomware group, responsible for 21% of published attacks according to ransomware “shame sites”. This rapid ascent is partly attributed to the decline of other major ransomware groups like ALPHV/BlackCat and LockBit3 following law enforcement actions.
Other Threat Actors
RansomHub’s emergence and rise have led to speculation about its connections to other well-known ransomware groups. The timing of ALPHV’s disappearance and RansomHub’s appearance, along with the new affiliate prepayment model, has led many researchers to suspect that RansomHub could be a rebrand of ALPHV.
This suspicion is further supported by the technical similarities between the RansomHub encryptor and the ALPHV encryptor, as well as the use of similar tools and tactics.
RansomHub’s ability to attract affiliates from other ransomware groups, particularly those disgruntled with their previous arrangements, suggests a strategic effort to consolidate talent and resources within the cybercriminal ecosystem. This consolidation has likely contributed to RansomHub’s fast growth and effectiveness in executing high-profile attacks.
Cybersecurity Issues
RansomHub’s emergence presents significant challenges for cybersecurity professionals:
- Evolving Tactics: The group’s use of both established vulnerabilities (like ZeroLogon) and new techniques requires constantly updated defense strategies.
- Affiliate Model: The attractive payment structure for affiliates may lead to an increase in overall ransomware attacks.
- Double Extortion: RansomHub’s use of data theft alongside encryption increases the pressure on victims and complicates incident response.
- Rapid Adaptation: The group’s quick rise to prominence demonstrates the ransomware ecosystem’s ability to quickly fill voids left by law enforcement actions against other groups.
Prevent Cybercrime with BlackFog ADX
BlackFog provides a solution focused on preventing data exfiltration with ADX technology. This next-generation cybersecurity solution has been designed to help organizations protect themselves from ransomware attacks and extortion 24/7, without the need for human intervention.
Don’t wait for the next ransomware attack wave; take proactive action now and secure your most valuable assets.