RANSOMHUB

RANSOMWARE

RansomHub primarily targets large enterprises and critical infrastructure sectors such as telecommunications, healthcare, and financial services by exploiting known vulnerabilities in widely used software products like Apache ActiveMQ, Atlassian Confluence Data Center, Citrix NetScaler ADC, and F5 BIG-IP. The group often initiates attacks through remote code execution (RCE) or privilege escalation vulnerabilities, leveraging critical CVEs with high CVSS scores to gain initial access. Once inside a network, RansomHub employs double extortion tactics, encrypting data while also threatening to leak sensitive information if demands are not met. This approach is distinctive as it combines sophisticated lateral movement and persistence techniques, such as T1570 Lateral Tool Transfer and T1486 Data Encrypted for Impact, to maximize disruption and leverage.

Technically, RansomHub exploits vulnerabilities primarily in network infrastructure and application servers, with a focus on critical CVEs like Apache ActiveMQ's CVE-2023-46604 and Atlassian Confluence's CVE-2023-22515. The use of tools such as Cobalt Strike for lateral movement and data exfiltration indicates a high level of technical sophistication. Defenders should prioritize patch management, especially for critical infrastructure components, and implement strict access controls to mitigate the risk of RCE attacks. Additionally, monitoring for unusual activity related to WMI (T1047) and event log clearing (T1070.001) can help detect early signs of intrusion by this group.

CISA Intelligence #StopRansomware

#StopRansomware: RansomHub Ransomware · 2024-08-29

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

Confirmed CVEs (8)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2023-27997 CRITICAL Fortinet FortiOS-6K7K 9.8 CVE-2023-48788 CRITICAL Fortinet FortiClientEMS 9.8 CVE-2023-46747 CRITICAL F5 BIG-IP 9.8 CVE-2023-22515 CRITICAL Atlassian Confluence Data Center 9.8 CVE-2023-3519 CRITICAL Citrix NetScaler ADC 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ 9.8 CVE-2020-0787 HIGH Microsoft Windows 7.8 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 5.5

Predicted CVEs (92) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2024-3400 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2025-20337 CRITICAL Cisco Identity Services Engine Software low 10.0 CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2020-1350 CRITICAL Microsoft Windows Server predicted 10.0 CVE-2020-2021 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2021-31166 CRITICAL Microsoft Windows 10 Version 2004 predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2024-49035 CRITICAL Microsoft Partner Center predicted 9.8 CVE-2025-32756 CRITICAL Fortinet FortiNDR predicted 9.8 CVE-2025-64446 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-25257 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-24989 CRITICAL Microsoft Power Pages predicted 9.8 CVE-2025-59718 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2026-24858 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2023-23397 CRITICAL Microsoft Office LTSC 2021 predicted 9.8 CVE-2024-43468 CRITICAL Microsoft Configuration Manager predicted 9.8 CVE-2024-21413 CRITICAL Microsoft Office 2019 predicted 9.8 CVE-2024-21410 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 23 predicted 9.8 CVE-2024-47575 CRITICAL Fortinet FortiManager predicted 9.8 CVE-2024-23113 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2025-59287 CRITICAL Microsoft Windows Server 2012 predicted 9.8 CVE-2026-20963 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2020-0646 CRITICAL Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center low 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW low 9.8 CVE-2024-36401 CRITICAL geoserver low 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery low 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS low 9.8 CVE-2024-4577 CRITICAL PHP Group PHP low 9.8 CVE-2024-50603 CRITICAL Aviatrix Controller low 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure low 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) low 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow low 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 low 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ predicted 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2023-3519 CRITICAL Citrix NetScaler ADC predicted 9.8 CVE-2020-12812 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2022-42475 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2023-46747 CRITICAL F5 BIG-IP predicted 9.8 CVE-2023-27997 CRITICAL Fortinet FortiOS-6K7K predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2022-26501 CRITICAL Veeam Backup & Replication predicted 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery predicted 9.8 CVE-2023-48788 CRITICAL Fortinet FortiClientEMS predicted 9.8 CVE-2024-53704 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22515 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22518 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2024-4577 CRITICAL PHP Group PHP predicted 9.8 CVE-2026-21643 CRITICAL Fortinet FortiClientEMS predicted 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow predicted 9.8 CVE-2021-34473 CRITICAL Microsoft Exchange Server 2013 Cumulative Update 23 predicted 9.1 CVE-2021-26855 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 19 predicted 9.1 CVE-2026-35616 CRITICAL Fortinet FortiClientEMS predicted 9.1 CVE-2025-0282 CRITICAL Ivanti Connect Secure predicted 9.0 CVE-2020-1040 CRITICAL Microsoft Windows Server predicted 9.0 CVE-2021-34527 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2023-21529 HIGH Microsoft Exchange Server 2019 Cumulative Update 12 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2022-41040 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.8 CVE-2020-0688 HIGH Microsoft Exchange Server 2013 predicted 8.8 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2025-4428 HIGH Ivanti Endpoint Manager Mobile low 8.8 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2022-26500 HIGH Veeam Backup & Replication predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2023-28252 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2020-0787 HIGH Microsoft Windows predicted 7.8 CVE-2022-30190 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2021-1675 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2024-26169 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2023-4966 HIGH Citrix NetScaler ADC predicted 7.5 CVE-2021-42287 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2023-27532 HIGH Veeam Backup & Replication predicted 7.5 CVE-2025-4427 HIGH Ivanti Endpoint Manager Mobile low 7.5

ATT&CK Techniques (83)

T1078 Valid Accounts Initial Access T1078.003 Valid Accounts: Local Accounts Initial Access T1190 Exploit Public-Facing Application Initial Access T1566.001 Phishing: Spearphishing Attachment Initial Access T1566.004 Phishing: Spearphishing Voice Initial Access T1047 Windows Management Instrumentation Execution T1059 Command and Scripting Interpreter Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell Execution T1059.006 Command and Scripting Interpreter: Python Execution T1203 Exploitation for Client Execution Execution T1098 Account Manipulation Persistence T1133 External Remote Services Persistence T1136 Create Account Persistence T1136.001 Create Account: Local Account Persistence T1136.002 Create Account: Domain Account Persistence T1547 Boot or Logon Autostart Execution Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL Persistence T1068 Exploitation for Privilege Escalation Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass UAC Privilege Escalation T1027 Obfuscated Files or Information Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads Defense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File Defense Evasion T1036 Masquerading Defense Evasion T1055.012 Process Injection: Process Hollowing Defense Evasion T1070 Indicator Removal Defense Evasion T1070.001 Indicator Removal: Clear Windows Event Logs Defense Evasion T1112 Modify Registry Defense Evasion T1134 Access Token Manipulation Defense Evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft Defense Evasion T1222.001 File and Directory Permissions Modification: Windows Permissions Defense Evasion T1480 Execution Guardrails Defense Evasion T1484.001 Domain or Tenant Policy Modification: Group Policy Modification Defense Evasion T1562 Impair Defenses: Disable or Modify Tools Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools Defense Evasion T1564 Hidden Artifacts Defense Evasion T1564.003 Hidden Artifacts: Hidden Window Defense Evasion T1620 Reflective DLL Injection Defense Evasion T1003 OS Credential Dumping Credential Access T1003.001 OS Credential Dumping: LSASS Memory Credential Access T1003.003 OS Credential Dumping: NTDS Credential Access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow Credential Access T1110 Brute Force Credential Access T1110.003 Brute Force: Password Spraying Credential Access T1555.005 Credentials from Password Stores: Password Managers Credential Access T1007 System Service Discovery Discovery T1016.001 Internet Connection Discovery Discovery T1018 Remote System Discovery Discovery T1033 System Owner/User Discovery Discovery T1046 Network Service Discovery Discovery T1057 Process Discovery Discovery T1082 System Information Discovery Discovery T1083 File and Directory Discovery Discovery T1087 Account Discovery Discovery T1087.001 Account Discovery: Local Account Discovery T1087.002 Account Discovery: Domain Account Discovery T1120 Peripheral Device Discovery Discovery T1135 Network Share Discovery Discovery T1482 Domain Trust Discovery Discovery T1021 Remote Services Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares Lateral Movement T1021.004 Remote Services: SSH Lateral Movement T1210 Exploitation of Remote Services Lateral Movement T1570 Lateral Tool Transfer Lateral Movement T1005 Data from Local System Collection T1048 Exfiltration Over Alternative Protocol Exfiltration T1048.002 Exfiltration Over Alternative Protocol: Asymmetric Encrypted Non-C2 Protocol Exfiltration T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol Exfiltration T1537 Transfer Data to Cloud Account Exfiltration T1567 Exfiltration Over Web Service Exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration T1071.001 Application Layer Protocol: Web Protocols Command and Control T1102.002 Web Service: Bidirectional Communication Command and Control T1219 Remote Access Tools Command and Control T1486 Data Encrypted for Impact Impact T1489 Service Stop Impact T1490 Inhibit System Recovery Impact T1529 System Shutdown/Reboot Impact T1531 Account Access Removal Impact T1561.001 Disk Wipe: Disk Content Wipe Impact T1586 Compromise Accounts Resource Development