RansomHub is a rapidly growing Ransomware-as-a-Service (RaaS) threat actor that emerged in early 2024. Despite its relatively recent appearance, it has quickly become a significant player in the cybercrime landscape, impacting numerous organizations globally. RansomHub operates by providing ransomware tools and infrastructure to affiliates, who then carry out attacks and share a portion of the ransom proceeds. The group employs a double extortion model, encrypting victims' data and exfiltrating sensitive information, threatening to publish the stolen data if the ransom is not paid. This profile delves into the origins, tactics, targets, and defenses against RansomHub, providing crucial information for security professionals.
RansomHub first appeared in February 2024 and has quickly gained prominence. The group is believed to be linked to the older Knight ransomware (which itself was based on Cyclops ransomware), having potentially purchased and repurposed the Knight source code. This is supported by similarities in code, encryption algorithms, and the timing of the Knight source code sale.
RansomHub's rapid rise is largely attributed to its strategic recruitment of affiliates. It capitalized on the law enforcement takedown of LockBit, attracting former LockBit affiliates. More significantly, RansomHub targeted disgruntled affiliates of ALPHV/BlackCat after that group allegedly scammed its own partners. This opportunistic recruitment provided RansomHub with experienced cybercriminals, accelerating its growth and operational capabilities.
RansomHub explicitly states that its affiliates are restricted from attacking CIS countries (Commonwealth of Independent States, primarily former Soviet Union countries), Cuba, North Korea, and China. This restriction strongly suggests a potential base of operations in Russia or a country with close ties to Russia, as avoiding these regions often provides a degree of protection from local law enforcement.
RansomHub employs a wide range of tactics, techniques, and procedures (TTPs), demonstrating a sophisticated understanding of both offensive and defensive cyber operations. Their attack chain typically follows these stages:
Initial Access:
Phishing and Spear-phishing: They use social engineering techniques, including voice phishing (vishing) delivered by American-accented speakers, to trick individuals into providing credentials or installing malware. [T1566.004]
Exploitation of Known Vulnerabilities: RansomHub aggressively exploits known vulnerabilities in various systems, including: [T1190]
* CVE-2023-3519 (Citrix ADC Remote Code Execution)
* CVE-2023-27997 (FortiOS SSL-VPN heap-based buffer overflow)
* CVE-2023-46604 (Apache ActiveMQ Remote Code Execution)
* CVE-2023-22515 (Confluence Data Center and Server unauthorized administrator account creation)
* CVE-2023-46747 (BIG-IP system arbitrary system commands execution)
* CVE-2023-48788 (Fortinet FortiClientEMS SQL injection)
* CVE-2017-0144 (Windows SMB Remote Code Execution Vulnerability)
* CVE-2020-1472 (Netlogon Remote Protocol (MS-NRPC) vulnerability)
* CVE-2020-0787 (Zerologon privilege escalation vulnerability)
* CVE-2024-3400 (Palo Alto Networks PAN-OS devices).
Compromised VPN Accounts: They leverage stolen or compromised VPN credentials. [T1078]
Password Spraying and Brute Force: Attempts to gain access through brute-force attacks and password spraying, particularly targeting domain controllers. [T1110][T1110.003]
Execution and Lateral Movement:
PowerShell: Heavily utilizes PowerShell for various tasks, including credential access, remote system discovery, enabling SSH, and downloading/installing remote access tools. [T1059.001]
Python: Employs customized Python scripts, particularly for targeting ESXi servers, transferring the encryptor, and executing it across multiple virtual machines. [T1059.006]
Windows Command Shell: Uses the command shell for various tasks, and the ransomware binary accepts command-line parameters for customization. [T1059.003]
Remote Access Tools: Utilizes legitimate remote access tools like Atera, Splashtop, and AnyDesk for persistence and control. AnyDesk installations are often automated and silently configured. [T1219]
SSH: Configures SSH on ESXi hosts for remote access. [T1021.004]
Lateral Tool Transfer: Utilizes xcopy/copy to transfer binaries and drivers for disabling AV. [T1570]
Ingress Tool Transfer: Uses SFTP to transfer the encryptor. [T1105]
Network Scanning: Uses NetScan to scan the network. [T1046]
Defense Evasion:
Registry Modification: Aggressively removes registry keys related to Windows Defender and other security features. [T1112]
Obfuscated Files or Information: Uses an encrypted configuration file, decrypted at runtime with a 32-byte passphrase. [T1027.013]
Hidden Window: Hides the console window to avoid detection. [T1564.003]
Clear Windows Event Logs: Clears security, system, and application logs using wevtutil and a batch file (LogDel.bat). [T1070.001]
Impair Defenses: Uses SetErrorMode to suppress error messages. [T1562.006]
Windows File and Directory Permissions Modification: Modifies symbolic link behavior. [T1222.001]
Safe Mode Boot: Can reboot the system into Safe Mode with Networking to bypass security software. [T1562.009]
Execution Guardrails: Requires a specific 32-byte passphrase for execution. [T1480]
Boot or Logon Autostart Execution: Adds registry entries to execute on reboot with safeboot. [T1547.001]
Credential Access:
OS Credential Dumping: Employs various credential dumping techniques, including: [T1003]
* Dumping credentials from the Veeam database.
* Extracting the NTDS.dit file. [T1003.003]
* Dumping credentials from LSASS memory. [T1003.001]
Credentials from Password Stores: Uses PowerShell scripts to interact with CyberArk PAS to extract account information. [T1555.005]
Discovery:
Process Discovery: Identifies and terminates specific processes, particularly AV and security-related processes. [T1057]
System Information Discovery: Enumerates drives and determines drive types. [T1082]
File and Directory Discovery: Searches for files to encrypt, avoiding specific whitelisted files and folders. [T1083]
Account Discovery: Enumerates local accounts. [T1087.001]
Network Share Discovery: Discovers and encrypts shared resources. [T1135]
Impact:
Data Encrypted for Impact: Encrypts data using ECDH and AES, appending the master public key as a file extension. A random 6-digit alphanumeric file extension is added after encryption. [T1486]
Inhibit System Recovery: Deletes shadow copies using PowerShell to prevent recovery. [T1490]
Service Stop: Stops virtual machines, IIS services, and other services. [T1489]
System Shutdown/Reboot: Reboots systems, particularly when using the -safeboot argument. [T1529]
RansomHub exhibits opportunistic targeting, attacking organizations across a wide range of industries and geographic locations. However, there are some notable patterns:
Critical Infrastructure: They have targeted critical infrastructure sectors, including water and wastewater, IT, government services, healthcare, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.
Geographic Distribution: While their attacks are global, a significant number of victims are located in the United States. Other heavily targeted countries include India, Brazil, Mongolia, Colombia, Egypt, and Israel.
Small and Medium-Sized Enterprises (SMEs): A large percentage (67%) of RansomHub victims are SMEs.
Double Extortion: RansomHub consistently employs double extortion, threatening to publish stolen data if the ransom is not paid.
Several notable attack campaigns have been attributed to RansomHub:
Change Healthcare (Re-extortion): After Change Healthcare was initially attacked by ALPHV/BlackCat, RansomHub later claimed to have stolen data from the company and demanded a second ransom from insurance companies, threatening to leak sensitive medical and financial information.
Christie's Auction House: RansomHub claimed responsibility for an attack on the renowned auction house, resulting in the theft of client data.
Bologna FC: Data stolen included players' medical records, business plans, and financial documents (200GB).
Florida Department of Health: Claimed responsibility for an attack and data leak after the ransom was not paid.
Frontier Communications: A major telecommunications company was targeted.
Halliburton: Experienced widespread disruption in oil and gas operations.
Protecting against RansomHub, and ransomware in general, requires a multi-layered approach encompassing proactive security measures, robust detection capabilities, and a well-defined incident response plan. Key defenses include:
Strong Password Policies and Multi-Factor Authentication (MFA): Enforce strong, unique passwords and implement MFA for all critical accounts, particularly those with remote access capabilities (VPN, RDP).
Security Awareness Training: Regularly train employees on phishing and social engineering techniques. Emphasize the dangers of suspicious emails, links, and attachments. Include training on vishing (voice phishing).
Vulnerability Management and Patching: Prioritize patching known vulnerabilities, especially those actively exploited by ransomware groups (as listed in the TTPs section). Maintain a robust vulnerability assessment program.
Endpoint Detection and Response (EDR): Deploy and maintain EDR solutions to detect and respond to malicious activity on endpoints. Configure EDR to detect and block known RansomHub TTPs.
Network Segmentation: Segment networks to limit lateral movement and contain the impact of a potential breach.
Regular Backups and Disaster Recovery: Implement a robust backup and disaster recovery plan, including offline backups to protect against data encryption and deletion. Test backups regularly.
Least Privilege Principle: Restrict user access to only the resources necessary for their job functions. This limits the potential damage from compromised accounts.
Monitor for Suspicious Activity: Implement security logging and monitoring to detect suspicious PowerShell, Python, and command-line activity. Monitor for unusual network traffic, particularly to known malicious IP addresses and domains.
Web Filtering and DNS Security: Implement web filtering and DNS security to block access to malicious websites and domains.
Incident Response Plan: Develop and regularly test an incident response plan that specifically addresses ransomware attacks.
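The command-line monitoring recommended above, applied to the Defense Evasion and Impact TTPs listed earlier in this profile, as an added example that is not part of the original article: a small Python rule set scans process-creation records for the cited techniques (wevtutil log clearing, the LogDel.bat batch file, shadow-copy deletion from PowerShell, the safeboot configuration, removal of Windows Defender registry keys, hidden PowerShell windows, silent AnyDesk installs) and then correlates hits per host, because several distinct techniques on one machine in a short window is the signature of ransomware staging rather than routine administration. The event format is a constructed key=value flattening of Sysmon Event ID 1 fields, the command-line patterns are common variants of each technique rather than commands recovered from RansomHub samples, and the severities and the three-technique threshold are illustrative choices.

```python
"""Process-creation detection rules for the RansomHub TTPs cited in this profile.

Added example, not code from the original article. The events below are
constructed Sysmon Event ID 1 style records flattened to key=value fields;
the command patterns are common variants of each technique (assumption), not
commands recovered from RansomHub samples.
"""
import re
from dataclasses import dataclass

# Constructed telemetry: a staging sequence on FS01 mixed with benign activity on WS22.
SAMPLE_EVENTS = [
    'Host=FS01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\wevtutil.exe '
    'CommandLine="wevtutil cl Security"',
    'Host=FS01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c C:\\Temp\\LogDel.bat"',
    'Host=FS01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    'Host=FS01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\bcdedit.exe '
    'CommandLine="bcdedit /set {current} safeboot network"',
    'Host=FS01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\reg.exe '
    'CommandLine="reg delete HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /f"',
    'Host=WS22 User=CORP\\jdoe Image=C:\\Temp\\AnyDesk.exe '
    'CommandLine="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"',
    'Host=WS22 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe report.txt"',
    'Host=WS22 User=CORP\\jdoe Image=C:\\Windows\\System32\\wevtutil.exe '
    'CommandLine="wevtutil qe Application /c:5"',  # querying a log is benign; only clearing is flagged
]


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK ID as cited in the profile
    name: str
    severity: str    # illustrative severity label
    pattern: re.Pattern


RULES = [
    Rule("T1070.001", "event log cleared with wevtutil", "high",
         re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
    Rule("T1070.001", "log-deletion batch file executed", "high",
         re.compile(r"\bLogDel\.bat\b", re.I)),
    Rule("T1490", "shadow copies deleted via PowerShell/WMI or vssadmin", "critical",
         re.compile(r"Win32_Shadowcopy.*\bDelete\b|vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    Rule("T1564.003", "PowerShell launched with hidden window", "medium",
         re.compile(r"powershell.*\s-w(?:indowstyle)?\s+hidden\b", re.I)),
    Rule("T1562.009", "Safe Mode boot configured with bcdedit", "high",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    Rule("T1547.001", "SafeBoot autostart registry entry added", "high",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*\\SafeBoot\\", re.I)),
    Rule("T1112", "Windows Defender policy key removed", "high",
         re.compile(r"\breg(?:\.exe)?\s+delete\b.*Windows Defender", re.I)),
    Rule("T1219", "silent AnyDesk installation", "medium",
         re.compile(r"AnyDesk(?:\.exe)?\b.*--install\b.*--silent\b", re.I)),
]

# key=value fields; a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one flattened record into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(events):
    """Run every rule over every event's command line; return one alert per hit."""
    alerts = []
    for line in events:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                alerts.append({
                    "host": event.get("Host"), "user": event.get("User"),
                    "technique": rule.technique, "name": rule.name,
                    "severity": rule.severity, "command": cmd,
                })
    return alerts


def hosts_with_chain(alerts, min_techniques=3):
    """Correlate per host: several distinct techniques on one machine looks like
    ransomware staging rather than an isolated admin action (threshold is illustrative)."""
    seen = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["technique"])
    return {host: sorted(techs) for host, techs in seen.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["severity"]:8} {a["host"]:5} {a["technique"]:10} {a["name"]}: {a["command"]}')
    print("hosts with a probable staging chain:", hosts_with_chain(found))
```

Run against the constructed events, the single-event rules raise seven alerts, but only FS01 crosses the correlation threshold; the AnyDesk install on WS22 stays a medium-severity lead to triage, which is the intended distinction between one suspicious action and a staging chain. In production the rules would be fed from an EDR or SIEM export and the correlation window bounded by time, which this example omits.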
Specific to ESXi Environments:
Secure SSH Access: Disable SSH access to ESXi hosts unless absolutely necessary. If SSH is required, restrict access to specific IP addresses and use strong authentication.
Regularly Patch ESXi Hosts: Keep ESXi hosts up-to-date with the latest security patches.
Monitor for Unusual Activity: Monitor ESXi hosts for unusual activity, such as unauthorized logins, unexpected file transfers, and the execution of unfamiliar scripts. Furthermore, it is crucial to understand indicators of compromise (IoCs) so that potential threats can be identified.
Employ a patch management strategy to stay secure and productive.
Consider a zero trust security model.
Implement security logging and monitoring.
Consider using SOAR for automation.
RansomHub represents a significant and evolving threat in the ransomware landscape. Its rapid growth, strategic affiliate recruitment, and sophisticated TTPs highlight the ongoing challenges faced by organizations. The group's opportunistic targeting, focus on critical infrastructure, and use of double extortion tactics underscore the potential for widespread disruption and financial losses. By understanding RansomHub's origins, tactics, and targets, and implementing robust defensive measures, organizations can significantly reduce their risk of falling victim to this increasingly dangerous threat actor. Continuous vigilance, proactive security practices, and a well-defined incident response plan are crucial for combating the ever-evolving threat of ransomware.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.