RansomHub: A Rising Ransomware Threat in 2024

As the cybersecurity landscape continues to evolve, new threat actors emerge with increasingly sophisticated techniques. RansomHub, a ransomware-as-a-service (RaaS) operation, is one of the most notable ransomware groups to surface in 2024. It has quickly gained attention for its unusual approach: it offers affiliates a significant 90% of ransom proceeds and deploys advanced techniques, and it is shaping up to be a formidable player in the cybercrime world. This blog post gives an overview of RansomHub, how it operates, and why businesses should be on high alert.

Who is RansomHub?

RansomHub was first spotted in early 2024, introduced via the RAMP cybercriminal forum. The group offers a lucrative RaaS program that has attracted several affiliates, many of whom are believed to have been disgruntled by other ransomware programs such as ALPHV. RansomHub’s reputation grew when it announced its first victim, a financial consultancy firm in Brazil, in February 2024. It has since gone on to claim over 45 victims across industries.

What sets RansomHub apart from other ransomware groups is its business model. Traditional RaaS groups take a larger cut of the profits; RansomHub affiliates instead receive a 90% share of the ransom upfront. This model is designed to build trust, which was needed after past exit scams by other groups eroded confidence in RaaS operations.

RansomHub’s Technical Capabilities

RansomHub uses custom ransomware written in Golang and C++ that targets Windows, Linux, and ESXi systems. This versatility makes it a potent threat capable of attacking a wide variety of targets, including businesses, healthcare providers, and even critical infrastructure.

One of RansomHub’s hallmark capabilities is remote encryption. It lets the group encrypt data on multiple systems within a network without deploying malware on every device. This helps them evade detection by security systems, as the malware resides only on a single compromised endpoint.
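Because the encryptor runs on one endpoint and reaches other machines over file shares, the host that is actually being encrypted shows no malicious process; the tell-tale signal is instead a single source host rewriting an unusual number of files across several shares in a short time. The following detector, an added example that is not part of the original post, applies a sliding-window count to file-server audit records. The record layout (`ts`, `src`, `share`, `path`, `op`), the sample events, and the thresholds are all constructed assumptions and would need tuning to a real environment's baseline.

```python
"""Flag a remote-encryption burst in file-share audit records.

Added example (not from the original post). The records are constructed to
resemble file-server audit events; the field names (ts, src, share, path, op)
and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(src, start, count, shares, gap_seconds):
    """Build `count` rename events from one source host, cycling over shares."""
    events = []
    for i in range(count):
        share = shares[i % len(shares)]
        events.append({
            "ts": (start + timedelta(seconds=i * gap_seconds)).isoformat(),
            "src": src,
            "share": share,
            "path": f"{share}\\doc{i}.docx.locked",  # constructed file name
            "op": "rename",
        })
    return events


T0 = datetime(2024, 9, 1, 3, 14, 0)
# Constructed sample: 10.0.0.12 renames 30 files on 3 shares within 30 seconds
# (one compromised endpoint encrypting over SMB); 10.0.0.50 renames 5 files
# spread over 8 minutes on one share (ordinary user activity).
SAMPLE_EVENTS = (
    _burst("10.0.0.12", T0, 30,
           ["\\\\fs01\\finance", "\\\\fs01\\hr", "\\\\fs02\\eng"], 1)
    + _burst("10.0.0.50", T0, 5, ["\\\\fs01\\finance"], 120)
)


def detect_remote_encryption(events, window_seconds=60, min_files=20, min_shares=2):
    """Return one alert per source host that renames or overwrites at least
    `min_files` distinct files on at least `min_shares` shares inside any
    `window_seconds` sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["op"] in ("rename", "write"):
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda pair: pair[0])
        left = 0
        for right in range(len(evs)):
            # Slide the left edge until the window is at most `window` wide.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            in_window = [e for _, e in evs[left:right + 1]]
            files = {e["path"] for e in in_window}
            shares = {e["share"] for e in in_window}
            if len(files) >= min_files and len(shares) >= min_shares:
                alerts.append({
                    "src": src,
                    "window_start": evs[left][0].isoformat(),
                    "files": len(files),
                    "shares": sorted(shares),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_encryption(SAMPLE_EVENTS):
        print(alert)
```

The multi-share condition is what separates this pattern from a single user bulk-renaming a project folder; the file count threshold should be set from the observed per-host rate on the file servers in question, and the alert is meant to trigger isolation of the source host rather than of the file server.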

Moreover, the group has started using EDRKillShifter, a new tool designed to disable Endpoint Detection and Response (EDR) solutions. Through a Bring Your Own Vulnerable Driver (BYOVD) attack, they exploit outdated or vulnerable drivers to bypass security protections and gain full control over the targeted systems.
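The defining property of a BYOVD driver is that it is legitimately signed, so signature checks alone do not catch it; the useful signals are the driver's hash against a maintained vulnerable-driver list and the path it was loaded from. The triage routine below is an added example, not part of the original post or of any vendor tooling. It reads records shaped like Sysmon Event ID 6 (Driver loaded) fields (`ImageLoaded`, `Hashes`, `Signed`, `SignatureStatus`); the sample events and the SHA-256 values in the blocklist are constructed placeholders, and a real deployment would populate the blocklist from a maintained source such as Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""Triage driver-load events for BYOVD indicators.

Added example (not from the original post). Records mimic Sysmon Event ID 6
fields; the paths and hashes below are constructed placeholders.
"""
import ntpath

# Placeholder SHA-256 values standing in for known-vulnerable driver hashes.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 64: "placeholder-vulnerable-driver-A.sys",
    "f" * 64: "placeholder-vulnerable-driver-B.sys",
}

# Directories a kernel driver has no business being loaded from.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def _sha256_from_hashes(hashes_field):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; pull out the SHA-256."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage_driver_load(event, blocklist=VULNERABLE_DRIVER_SHA256):
    """Return the list of reasons this driver load looks like BYOVD."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = _sha256_from_hashes(event.get("Hashes", ""))
    if sha256 in blocklist:
        reasons.append(f"hash matches blocklisted driver {blocklist[sha256]}")
    if (event.get("Signed", "").lower() != "true"
            or event.get("SignatureStatus", "") != "Valid"):
        reasons.append("driver is unsigned or its signature is not valid")
    if image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"driver loaded from user-writable path {ntpath.dirname(image)}")
    return reasons


def scan(events, blocklist=VULNERABLE_DRIVER_SHA256):
    """Return (ImageLoaded, reasons) for every event with at least one reason."""
    findings = []
    for e in events:
        reasons = triage_driver_load(e, blocklist)
        if reasons:
            findings.append((e.get("ImageLoaded", ""), reasons))
    return findings


# Constructed sample events.
SAMPLE_EVENTS = [
    # Normal: Microsoft-signed driver from the system directory.
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # BYOVD pattern: validly signed, but the hash is blocklisted and the
    # driver was dropped into a user-writable directory.
    {"ImageLoaded": "C:\\Users\\Public\\svc\\helper.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true",
     "Signature": "Some Vendor", "SignatureStatus": "Valid"},
    # Unsigned driver loaded from Temp (only possible with test signing
    # or a disabled integrity policy, itself worth an alert).
    {"ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The preventive counterpart is to enforce the vulnerable driver blocklist through a code-integrity policy (WDAC or HVCI) so that a blocklisted driver is refused at load time rather than merely logged; the detection above remains useful for hosts where enforcement is not yet possible and for spotting a driver that is not on the list yet but arrives through a user-writable path.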

RansomHub’s Attack Vectors

RansomHub primarily gains access to systems by exploiting known vulnerabilities. A notable example is the ZeroLogon vulnerability (CVE-2020-1472), which allows attackers to take control of domain controllers and thereby gain widespread access to a network. The group has also been seen using remote-access tools such as Atera and Splashtop, which help them map networks and locate critical systems.
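Successful ZeroLogon exploitation resets a domain controller's machine-account password over an unauthenticated Netlogon session, so the resulting Security Event ID 4742 ("A computer account was changed") attributes the password change to ANONYMOUS LOGON instead of to the computer account itself. The detector below is an added example, not part of the original post; it uses the field names of the 4742 event's XML schema (`SubjectUserName`, `TargetUserName`, `PasswordLastSet`, where an unchanged attribute appears as `-`), and the hostnames and timestamps in the sample records are constructed.

```python
"""Flag Security events consistent with ZeroLogon (CVE-2020-1472) exploitation.

Added example (not from the original post). Records mimic Windows Security
Event ID 4742 using its XML field names; sample hosts and times are constructed.
"""

ANONYMOUS = "ANONYMOUS LOGON"


def is_zerologon_indicator(event, dc_accounts=None):
    """True when a 4742 records a machine-account password change made by
    ANONYMOUS LOGON. If `dc_accounts` is given, only those accounts count,
    which cuts noise but will miss a domain controller not on the list."""
    if event.get("EventID") != 4742:
        return False
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):
        return False  # not a computer account
    if event.get("SubjectUserName", "").upper() != ANONYMOUS:
        return False
    if event.get("PasswordLastSet", "-") == "-":
        return False  # 4742 also fires for edits that leave the password alone
    if dc_accounts is not None and target.upper() not in {a.upper() for a in dc_accounts}:
        return False
    return True


def find_zerologon_events(events, dc_accounts=None):
    """Return the subset of events that match the indicator."""
    return [e for e in events if is_zerologon_indicator(e, dc_accounts)]


SAMPLE_EVENTS = [
    # Routine: the DC rotates its own machine-account password.
    {"EventID": 4742, "TimeCreated": "2024-09-01T02:00:11Z",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/1/2024 2:00:11 AM"},
    # Suspicious: ANONYMOUS LOGON resets the DC's machine-account password.
    {"EventID": 4742, "TimeCreated": "2024-09-01T03:14:07Z",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/1/2024 3:14:07 AM"},
    # Routine: an admin edits a workstation object without touching its password.
    {"EventID": 4742, "TimeCreated": "2024-09-01T09:30:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "PasswordLastSet": "-"},
]

if __name__ == "__main__":
    for hit in find_zerologon_events(SAMPLE_EVENTS, dc_accounts=["DC01$"]):
        print("possible ZeroLogon:", hit["TimeCreated"], hit["TargetUserName"])
```

This is a detection of last resort: the August 2020 Netlogon patch with enforcement mode enabled closes the vulnerability, and a domain controller that still logs this pattern in 2024 indicates a patch-management gap as much as an intrusion. A hit should trigger an immediate reset of the affected DC's machine-account password and a review of all subsequent privileged activity from that host.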

Impact and Victimology

RansomHub’s victims span various sectors and countries, including the United States, Brazil, Indonesia, and Vietnam. Although they have yet to target major corporations, the group has already caused disruptions in critical sectors like healthcare.

RansomHub’s average victim is a company with revenues below $100 million. A significant number of their targets hire fewer than 100 staff. This indicates that the group is particularly focused on small and medium-sized businesses (SMBs). These businesses lack the advanced cybersecurity measures needed to defend against such sophisticated threats.

Why Businesses Should Be Concerned

RansomHub’s rapid growth and adaptability make it a critical threat to businesses of all sizes. Their high-speed encryption, cross-platform capabilities, and advanced evasion techniques complicate detection and mitigation efforts. Their affiliate-friendly business model attracts skilled partners, ensuring a steady flow of attacks across various sectors.

Businesses must take proactive steps to defend against RansomHub’s tactics. This includes maintaining up-to-date patch management, ensuring robust network segmentation, and deploying advanced endpoint protection. Regular employee training and penetration testing can also help find vulnerabilities before they can be exploited.

Conclusion

RansomHub represents the latest evolution in ransomware threats. With its unique business model and advanced attack techniques, it is poised to become a significant player in the cybercrime landscape. As always, maintaining cyber hygiene and preparing for ransomware attacks is crucial. Organizations should review their cybersecurity strategies and stay vigilant as this new ransomware group continues to grow in prominence.

This introduction to RansomHub is the first part of our blog series on the evolving ransomware threat landscape. In the next post, we will dive deeper into the specific tools and techniques employed by this dangerous group. We will also see how they compare to other well-known ransomware actors.

Call to Action:

• Are you concerned about your organization’s vulnerability to ransomware attacks? Reach out to learn how to enhance your defenses.

• Want to learn more about RansomHub’s techniques? Stay tuned for our next post where we cover their advanced toolset in detail.

• Curious how RansomHub compares to other ransomware groups? We’ll be exploring that in a future post!