
RansomHub Ransomware

Cybersecurity analysts have uncovered a new ransomware strain named RansomHub. According to reports, the cybercriminals behind it claim they won't target entities in the Commonwealth of Independent States (CIS) countries, Cuba, North Korea and China. Despite this declaration, they have been actively infecting several prominent organizations within a short span. Among their victims are Change Healthcare, Christie's, and Frontier Communications. Notably, researchers highlight that RansomHub bears a significant resemblance to Knight Ransomware, which is an iteration of the previously identified ransomware called Cyclops.

The Knight Ransomware Code Was Offered for Sale to All Cybercriminals

The Knight Ransomware, also known as Cyclops 2.0, emerged in May 2023, utilizing double extortion techniques to steal and encrypt victims' data for profit. It's capable of operating on various platforms, including Windows, Linux, macOS, ESXi and Android.

Sold on the RAMP cybercrime forum, the ransomware was typically distributed through phishing and spear-phishing campaigns that used fraudulent attachments. The Ransomware-as-a-Service (RaaS) operation ceased by late February 2024, with its source code put up for sale. This move raised the possibility of a transfer to a new actor, who may have updated and relaunched it under the name RansomHub.

Significant Overlaps Between RansomHub and the Knight Ransomware

Both ransomware strains are written in Go, and most versions of each family are obfuscated with Gobfuscate. There's a significant degree of code similarity between the two, making it challenging to distinguish them.

Both ransomware families share identical help menus on the command-line interface. However, RansomHub introduces a new 'sleep' option, allowing it to remain inactive for a specified period (in minutes) before executing. Similar sleep commands have been observed in other threats like Chaos/Yashma and the Trigona Ransomware.

The similarities between Knight and RansomHub extend to the obfuscation techniques used for encoding strings, the content of ransom notes left after encrypting files, and their ability to reboot a host into safe mode before encryption begins.

The primary difference lies in the set of commands executed via cmd.exe, although their sequence and execution relative to other operations remain the same.

The RansomHub Ransomware may be Operated by Veteran Cybercriminals

RansomHub attacks have been observed exploiting known security vulnerabilities (such as ZeroLogon) to gain initial access. The operators drop legitimate remote desktop software such as Atera and Splashtop before deploying the ransomware. In April 2024 alone, nearly 30 confirmed attacks were linked to this ransomware strain.

Researchers suspect RansomHub is actively seeking affiliates affected by recent shutdowns or exit tactics, like those of LockBit and BlackCat (also known as ALPHV and Noberus). It's believed that a former Noberus affiliate called Notchy might now be collaborating with RansomHub. Additionally, tools previously associated with another Noberus affiliate, Scattered Spider, were used in a recent RansomHub attack.

The swift expansion of RansomHub's operations suggests the group may comprise seasoned operators with experience and connections in the cyber underground.

Ransomware Attacks are on the Rise Again

The RansomHub development comes amidst a rise in ransomware activity in 2023, following a slight decrease in 2022. Interestingly, about a third of the 50 new ransomware families discovered during the year are variations of previously identified ones. This trend suggests a growing prevalence of code recycling, actor overlaps, and rebranding strategies.

These attacks are notable for their use of commercially available and legitimate remote desktop tools rather than relying on Cobalt Strike. The increasing reliance on such legitimate tools likely indicates attackers' efforts to evade detection mechanisms and streamline their operations, reducing the need for developing and maintaining custom tools.
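The two behaviours described above, a legitimate remote-access tool appearing on a host and the host later being configured to boot into safe mode, are both visible in ordinary process-creation telemetry. The following is an added detection example, not code from the original write-up or from any vendor: it reads constructed Sysmon-style JSON events, flags Atera/Splashtop execution and safe-boot configuration changes, and escalates when both occur on one host within a window. The `bcdedit ... safeboot` pattern is the generic Windows way of forcing a safe-mode boot and is an assumption; the page does not give RansomHub's exact commands.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from a real incident): minimal Sysmon-style
# process-creation records, one JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2024-04-02T09:00:00", "host": "ws01", "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"ts": "2024-04-02T09:05:10", "host": "ws01", "image": "C:\\Temp\\AteraAgent.exe", "cmd": "AteraAgent.exe /i"}
{"ts": "2024-04-02T09:40:00", "host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c bcdedit /set {default} safeboot minimal"}
{"ts": "2024-04-02T10:00:00", "host": "srv02", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c dir"}
{"ts": "2024-04-03T08:00:00", "host": "srv02", "image": "C:\\Program Files\\Splashtop\\SRService.exe", "cmd": "SRService.exe"}
"""

# Remote-access tools named in the write-up; matched on the process image path.
RMM_MARKERS = ("atera", "splashtop")


def is_rmm(event):
    image = event["image"].lower()
    return any(marker in image for marker in RMM_MARKERS)


def is_safeboot_change(event):
    # Generic Windows safe-boot configuration; the exact command RansomHub
    # issues is not stated in the write-up (assumption).
    cmd = event["cmd"].lower()
    return "bcdedit" in cmd and "safeboot" in cmd


def analyze(log_text, window_hours=24):
    """Return findings; an RMM execution followed by a safe-boot change on the
    same host inside the window is escalated to 'high'."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
    window = timedelta(hours=window_hours)
    last_rmm, findings = {}, []
    for e in events:
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        if is_rmm(e):
            last_rmm[host] = ts
            findings.append({"host": host, "severity": "medium",
                             "reason": "remote-access tool executed: " + e["image"]})
        elif is_safeboot_change(e):
            seen = last_rmm.get(host)
            severity = "high" if seen and ts - seen <= window else "medium"
            findings.append({"host": host, "severity": severity,
                             "reason": "safe-mode boot configured: " + e["cmd"]})
    return findings
```

On the sample, ws01 yields a medium finding for the Atera agent and a high one for the safe-boot change 35 minutes later, while srv02 yields only a medium finding for Splashtop.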

The ransom note that victims of the RansomHub Ransomware will receive reads:

'Hello!

Visit our Blog:

Tor Browser Links:
hxxp://ransomxifxwc5eteopdo****************ifu2emfbecgbqdw6qd.onion/

Links for normal browser:
hxxp://ransomxifxwc5eteopdo****************ifu2emfbecgbqdw6qd.onion.ly/

>>> Your data is stolen and encrypted.

- If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.


>>> If you have an external or cloud backup; what happens if you don’t agree with us?

- All countries have their own PDPL (Personal Data Protection Law) regulations. In the event that you do not agree with us, information pertaining to your companies and the data of your company’s customers will be published on the internet, and the respective country’s personal data usage authority will be informed. Moreover, confidential data related to your company will be shared with potential competitors through email and social media. You can be sure that you will incur damages far exceeding the amount we are requesting from you should you decide not to agree with us.


>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

- Seeking their help will only make the situation worse, They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent, After the incident report is handed over to the government department, you will be fined, The government uses your fine to reward them. And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!


>>> How to contact with us?

- Install and run 'Tor Browser' from hxxps://www.torproject.org/download/
- Go to hxxp://h6tejafqdkdltp****************seslv6djgiukiii573xtid.onion/
- Log in using the Client ID: -


>>> WARNING

DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.'
