RANSOMHUB
RansomHub primarily targets large enterprises and critical infrastructure sectors such as telecommunications, healthcare, and financial services by exploiting known vulnerabilities in widely used software products like Apache ActiveMQ, Atlassian Confluence Data Center, Citrix NetScaler ADC, and F5 BIG-IP. The group often initiates attacks through remote code execution (RCE) or privilege escalation vulnerabilities, leveraging critical CVEs with high CVSS scores to gain initial access. Once inside a network, RansomHub employs double extortion tactics, encrypting data while also threatening to leak sensitive information if demands are not met. This approach is distinctive as it combines sophisticated lateral movement and persistence techniques, such as T1570 Lateral Tool Transfer and T1486 Data Encrypted for Impact, to maximize disruption and leverage.
Technically, RansomHub exploits vulnerabilities primarily in network infrastructure and application servers, with a focus on critical CVEs like Apache ActiveMQ's CVE-2023-46604 and Atlassian Confluence's CVE-2023-22515. The use of tools such as Cobalt Strike for lateral movement and data exfiltration indicates a high level of technical sophistication. Defenders should prioritize patch management, especially for critical infrastructure components, and implement strict access controls to mitigate the risk of RCE attacks. Additionally, monitoring for unusual activity related to WMI (T1047) and event log clearing (T1070.001) can help detect early signs of intrusion by this group.
CISA Intelligence #StopRansomware
#StopRansomware: RansomHub Ransomware · 2024-08-29
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).
Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.
The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.
Confirmed CVEs (8)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (92) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.