RansomHub, a ransomware group operated by threat actors such as Notchy, RansomHUB Team, SCATTERED SPIDER, and Water Bakunawa, emerged in early 2024 as a formidable player in the cybercrime ecosystem. Operating under the Ransomware-as-a-Service (RaaS) model, RansomHub provides its ransomware tooling to affiliates, including prominent operators from rival groups such as LockBit and ALPHV. Believed to be a rebranded version of the Knight/Cyclops ransomware, RansomHub employs double-extortion tactics, encrypting and exfiltrating data to pressure victims into paying hefty ransoms.
What sets RansomHub apart is its targeting of multiple platforms, including Windows, Linux, ESXi, NAS and SFTP servers, making it an adaptable and formidable adversary. Since February 2024, the group has claimed more than 200 victims, causing both operational disruption and reputational damage. Its audacity and efficiency have earned it the title of the most active ransomware operation, cementing its status as a dominant player in the ever-escalating ransomware landscape.
Recent Activity
Bologna FC, an Italian professional football club, has reportedly fallen victim to a ransomware attack orchestrated by the RansomHub cybercrime group. According to the gang's postings on the dark web, the club declined to meet ransom demands despite being granted an extension to negotiate. This refusal led to the attackers publishing the entire stolen data set online.
To exert additional pressure, the threat actors cited potential penalties under GDPR, implying that the leaked data could result in significant fines for the club. This coercion tactic, often employed in ransomware attacks, aims to exploit regulatory consequences to compel victims into compliance.
Technical Details
Initial access
RansomHub affiliates typically compromise internet-facing systems and user endpoints using methods such as phishing emails, exploitation of known vulnerabilities and password spraying.
CVEs observed being exploited by RansomHub affiliates to gain initial access:
Execution
Attackers leveraged Windows Management Instrumentation (WMI) to disable antivirus programs, ensuring minimal resistance from security tools during the attack.
Persistence and Privilege escalation
RansomHub affiliates take deliberate steps to establish persistence within the network. They create new user accounts, re-enable previously disabled accounts and escalate their privileges to SYSTEM level, ensuring continued control and further access. These actions allow them to maintain a foothold and execute their attack without being easily detected or disrupted.
Defense Evasion
Attackers strategically rename the ransomware executable to inconspicuous file names like Windows.exe and leave it in common directories such as the user's desktop or downloads folder, mimicking legitimate files. To further obscure their activities, affiliates systematically clear Windows and Linux system logs, effectively erasing traces of their actions.
Additionally, in some cases, RansomHub-specific utilities were used to disable advanced Endpoint Detection and Response (EDR) solutions, highlighting the group's focus on neutralizing defensive mechanisms before launching the payload.
Credential Access
RansomHub escalates its attack by using Task Manager to extract credentials from the Local Security Authority Subsystem Service (LSASS) memory. This technique enables the ransomware to obtain sensitive authentication details, facilitating deeper access to the network and increasing the potential for widespread damage. By gaining control over these critical credentials, RansomHub not only amplifies its ability to launch further attacks but also significantly complicates the victim’s efforts to recover and mitigate the breach.
Discovery
RansomHub affiliates conduct network scanning with tools such as Angry IP Scanner and Nmap. They also deploy the NetScan tool to identify machines across the network and map out the various endpoints. This enables the group to build a detailed map of the victim's infrastructure, laying the foundation for more targeted and devastating attacks.
Lateral Movement
Attackers use the Lateral Tool Transfer technique to covertly move malicious tools between systems, avoiding detection while expanding their control. Once inside the network, RansomHub affiliates use SMB (Server Message Block) and Windows Admin Shares to execute commands remotely. These protocols allow attackers to manipulate systems remotely, ensuring continued access and propagation across devices.
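The Discovery and Lateral Movement behaviour above leaves two network-side signals a defender can look for: one source contacting many hosts in a short window (the Angry IP Scanner / Nmap / NetScan sweeps) and one source opening the ADMIN$ or C$ administrative shares on several machines. The following is an added example, not code from the advisory or any vendor; the flow-record layout and the share-access records are assumptions standing in for a NetFlow export and a flattened Windows Security event 5140 ("A network share object was accessed"), and the sample data is constructed.

```python
"""Network-side heuristics for RansomHub-style scanning and SMB admin-share fan-out.

Added example (not from the advisory). Record layouts and thresholds are assumptions;
tune window_s / min_hosts to the baseline of the monitored network.
"""
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps thirty hosts on TCP/445 within thirty seconds; 10.0.0.7 is a
# workstation talking to its usual three servers over a longer period.
FLOWS = [(100 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(30)]
FLOWS += [(100 + i * 30, "10.0.0.7", f"10.0.2.{i + 1}", 443) for i in range(3)]

# Constructed share-access records (src_ip, share_name, target_host), the shape a
# collector might give Security event 5140. IPC$ is routine noise, not an admin share.
SHARE_EVENTS = [
    ("10.0.0.5", r"\\*\ADMIN$", "SRV01"),
    ("10.0.0.5", r"\\*\C$", "SRV02"),
    ("10.0.0.5", r"\\*\ADMIN$", "SRV03"),
    ("10.0.0.9", r"\\*\IPC$", "SRV01"),
    ("10.0.0.9", r"\\*\Finance", "FS01"),
]

ADMIN_SHARES = {"ADMIN$", "C$"}  # add other exposed drive-letter shares as needed


def detect_scanners(flows, window_s=60, min_hosts=20):
    """Flag sources that contact >= min_hosts distinct destinations inside any
    sliding window of window_s seconds. Returns {src_ip: peak_distinct_hosts}."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()
        in_window = Counter()  # dst_ip -> flows currently inside the window
        left = 0
        for ts, dst in recs:
            in_window[dst] += 1
            # Evict records that fell out of the window on the left edge.
            while recs[left][0] < ts - window_s:
                old = recs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def detect_admin_share_fanout(events, min_hosts=3):
    """Flag sources that open ADMIN$ or C$ on >= min_hosts distinct machines.
    Returns {src_ip: sorted list of target hosts}."""
    targets = defaultdict(set)
    for src, share, host in events:
        share_name = share.rsplit("\\", 1)[-1].upper()
        if share_name in ADMIN_SHARES:
            targets[src].add(host)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("scan sources:", detect_scanners(FLOWS))
    print("admin-share fan-out:", detect_admin_share_fanout(SHARE_EVENTS))
```

Both heuristics are threshold-based rather than signature-based, so a legitimate vulnerability scanner or a backup server that touches many admin shares will fire them too; the usual approach is to allow-list those sources rather than raise the thresholds.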
Command and Control
RansomHub affiliates may leverage AnyDesk, a legitimate remote desktop support tool, to establish an interactive command-and-control (C2) channel. By using this widely trusted software, they can remotely access and control compromised systems within the target network, making their activities more difficult to detect.
Data Exfiltration
RansomHub affiliates employ various methods for data exfiltration, often depending on the specific affiliate conducting the network compromise. The ransomware binary itself typically lacks an in-built data exfiltration mechanism. Instead, affiliates rely on external tools and techniques to extract sensitive data.
Observed methods for data exfiltration include:
- PuTTY: A popular SSH and telnet client used for secure data transfer.
- Amazon AWS S3 buckets/tools: Cloud-based storage for large-scale data exfiltration.
- HTTP POST requests: Used to send data over the internet.
- WinSCP and Rclone: File transfer tools commonly used for moving files to remote servers.
- Cobalt Strike and Metasploit: Penetration testing tools that can be leveraged for data exfiltration during network breaches.
Encryption
- Encryption algorithm used: Curve25519, a form of elliptic-curve cryptography
- Targeted files: All the user-accessible files
- Encryption mechanism: Files are encrypted in chunks of 0x100000 bytes (1 MiB). Small files (below 0x100000 bytes) are fully encrypted.
- File Extensions: A unique extension is appended based on the ransom note’s name.
The ransomware also targets system recovery efforts by deleting all Volume Shadow Copy Service (VSS) snapshots through the vssadmin.exe tool, preventing file restoration.
Ransom Note
A ransom note titled "How To Restore Your Files.txt" is left on compromised systems, providing instructions for the victim. The ransom note assigns victims a unique client ID and directs them to communicate with the group through a dedicated .onion URL, accessible via the Tor browser. Victims are typically given a timeframe of 3 to 90 days (based on the affiliate's preferences) to pay the ransom. If the payment is not made within this period, the group threatens to expose the stolen data on the RansomHub Tor data leak site, further pressuring victims into compliance.
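The Defense Evasion, Encryption and Ransom Note sections above describe four host-level actions that are each detectable from endpoint telemetry: the payload renamed to Windows.exe and run from a user's Desktop or Downloads folder, Windows event-log clearing, VSS snapshot deletion via vssadmin.exe, and the ransom note file being written. The following is an added example, not code from the advisory or any vendor: it runs those checks over a small set of constructed events. The newline-delimited JSON event shape and its field names are assumptions loosely modelled on Sysmon and Security-log exports (the "security_log_cleared" kind stands in for Security event 1102), and the ATT&CK technique IDs are the standard MITRE identifiers for those behaviours, not a mapping taken from the advisory.

```python
"""Host-side detections for the RansomHub behaviours described in the advisory.

Added example (not from the advisory). Event shape, field names and the sample
records are constructed; the regexes cover the commands the text describes.
"""
import json
import re
from pathlib import PureWindowsPath

MASQUERADE_NAMES = {"windows.exe"}         # lookalike name reported in the advisory
USER_DROP_DIRS = {"desktop", "downloads"}   # folders the advisory says the payload is left in
RANSOM_NOTE = "how to restore your files.txt"

VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
LOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)

# Constructed newline-delimited JSON events (raw string, so each "\\" becomes one
# backslash after JSON decoding). The first record is benign; the rest are not.
SAMPLE_EVENTS = r"""
{"kind": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"kind": "process_create", "image": "C:\\Users\\alice\\Downloads\\Windows.exe", "command_line": "Windows.exe"}
{"kind": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"kind": "process_create", "image": "C:\\Windows\\System32\\wevtutil.exe", "command_line": "wevtutil cl Security"}
{"kind": "security_log_cleared", "user": "CORP\\svc-backup"}
{"kind": "file_create", "target": "C:\\Users\\alice\\Documents\\How To Restore Your Files.txt"}
"""


def _in_user_drop_dir(image_path):
    """True if any path component is a user's Desktop or Downloads folder."""
    parts = {p.lower() for p in PureWindowsPath(image_path).parts}
    return bool(parts & USER_DROP_DIRS)


def evaluate(event):
    """Return a list of (rule, attack_technique, detail) tuples that fire for one event."""
    findings = []
    kind = event.get("kind")
    if kind == "process_create":
        image = event.get("image", "")
        cmd = event.get("command_line", "")
        if PureWindowsPath(image).name.lower() in MASQUERADE_NAMES and _in_user_drop_dir(image):
            findings.append(("masquerading_binary", "T1036.005", image))
        if VSS_DELETE_RE.search(cmd):
            findings.append(("vss_snapshot_deletion", "T1490", cmd))
        if LOG_CLEAR_RE.search(cmd):
            findings.append(("event_log_clear", "T1070.001", cmd))
    elif kind == "security_log_cleared":  # Security event 1102: the audit log was cleared
        findings.append(("event_log_clear", "T1070.001", "by " + event.get("user", "?")))
    elif kind == "file_create":
        target = event.get("target", "")
        if PureWindowsPath(target).name.lower() == RANSOM_NOTE:
            findings.append(("ransom_note_dropped", "T1486", target))
    return findings


def scan(jsonl):
    """Evaluate every non-empty line of newline-delimited JSON; findings keep input order."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            hits.extend(evaluate(json.loads(line)))
    return hits


if __name__ == "__main__":
    for rule, technique, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {technique:10} {detail}")
```

The shadow-copy deletion and log-clearing checks are the highest-value ones: both happen shortly before encryption starts, so alerting on them in near real time gives the best chance of isolating a host before the payload runs. PureWindowsPath is used so the path logic behaves the same on a Linux SIEM host as on Windows.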
Tools leveraged by RansomHub affiliates
MITRE ATT&CK Tactics and Techniques
Mitigation
- Data Protection and Recovery - Implement a recovery plan ensuring multiple copies of sensitive or proprietary data and servers are maintained and stored in secure, physically separate, and segmented locations (e.g., hard drives, storage devices, or cloud solutions).
- Password Management and Policy - Require all accounts with password logins (e.g., service, admin, and domain admin accounts) to follow NIST standards for password policy management.
- Patch Management - Maintain up-to-date operating systems, applications, and firmware. Prioritize patching known exploited vulnerabilities, especially on internet-facing systems.
- Network Segmentation - Segment networks to restrict lateral movement and control traffic flows between subnetworks. Limit access to sensitive systems and enforce strict traffic policies.
- Multi-Factor Authentication (MFA) - Require phishing-resistant MFA for administrator accounts. Deploy standard MFA for all services, focusing on critical systems like webmail, VPNs, and privileged accounts.
- Endpoint and Network Monitoring - Use tools like EDR (Endpoint Detection and Response) to detect abnormal activity and lateral movement. Implement network monitoring solutions to log and report all traffic, including suspicious connections.
- Application Control and Privilege Management - Require administrator credentials for software installation. Enforce least privilege policies to minimize unnecessary access rights.
- Anti-Phishing Measures - Train employees to identify and report phishing attempts. Deploy email filtering solutions to reduce phishing emails.
- Incident Response Preparation - Develop and test an incident response plan. Ensure clear communication protocols and designated roles for handling cyber incidents.
- Ransomware-Specific Measures - Block execution of unauthorized files through application whitelisting. Disable unused ports and services to reduce attack vectors.
References Cited:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://www.csk.gov.in/alerts/RansomHub_Ransomware.html
- https://www.trendmicro.com/en_in/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html
- https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/what-is-ransomhub-ransomware/
- https://www.infosecurity-magazine.com/news/ransomhub-overtakes-lockbit/
- https://www.tripwire.com/state-of-security/ransomhub-ransomware-what-you-need-know
- https://www.obrela.com/advisory/ransomhub-increased-ransomware-attacks/
- https://www.bitdefender.com/en-us/blog/hotforsecurity/bologna-fc-1909-confirms-ransomware-attack-after-sensitive-stolen-data-leaked-online
- https://www.bleepingcomputer.com/news/security/bologna-fc-confirms-data-breach-after-ransomhub-ransomware-attack/