Ransomware collective RansomHub has compromised hundreds of critical infrastructure organizations in the US since emerging in early 2024, prompting a new warning from law enforcement groups.
The FBI, CISA, Department of Health and Human Services, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), issued a joint advisory providing businesses with guidance on the group’s tactics, techniques, and procedures (TTPs).
RansomHub has encrypted and exfiltrated data from at least 210 organizations since its inception in February 2024, the advisory states.
These victims all operated in sectors comprising critical national infrastructure, including water, IT, government, healthcare, emergency services, food and agriculture, financial services, critical manufacturing, transportation, and communications sectors.
In its Ransomware Review for the first half of 2024, Palo Alto Networks’ Unit 42 stated the group’s activities are largely opportunistic, but it prohibits attacks on entities in Cuba, China, North Korea, and Russia, as well as non-profit organizations.
Recently, a cyber intrusion affecting oil and gas services specialist Halliburton has been linked to the collective. The firm is yet to share further details on the incident, except that it detected unauthorized third party access to some of its systems on 21 August.
The attack was linked to RansomHub by some researchers after an IOC listed by Halliburton in an email to affected customers included what appeared to be a slightly modified version of an encryptor used by the group.
Research from NCC Group identified RansomHub as the dominant force in the digital extortion space last month, attributing 11% of all ransomware attacks in July to the collective.
The group executed 43 attacks from 27 June through the month of July, according to the research, which the NCC Group stated “reflects a continued hold on the threat landscape by the group”.
The joint advisory was intended to disseminate more information about the RansomHub operation, providing further detail on how it executes attacks, including its preferred initial access vectors, extortion strategy, and recently exploited vulnerabilities.
RansomHub is streamlining the extortion process
RansomHub affiliates typically use a standard double extortion model, encrypting and exfiltrating data to extort victims.
One novel aspect to the group’s operations involves its ransom notes, which do not generally include an initial ransom demand or payment instructions, the advisory notes.
“Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.”
Affiliates compromise internet facing systems and user endpoints using techniques such as phishing emails, exploiting known vulnerabilities (KEVs), and password spraying attacks using previously compromised credentials.
The joint advisory provides a list of disclosed vulnerabilities recently exploited by RansomHub affiliates, including flaws in Citrix ADC, FortiOS, Confluence Data Center and Server, Windows Server 2008, and more.
The group has been observed conducting network scans using tools such AngryIPScanner, Nmap, and PowerShell, noting its use of living off the land techniques to establish persistence on the network.
Similarly, researchers have also observed affiliates attempting to evade cyber defenses by renaming the ransomware executable with legitimate file names such as Windows.exe, as well as wiping system logs in Windows and Linux to inhibit incident response efforts.
Affiliates have also been tracked using legitimate remote monitoring and management (RMM) tools such as AnyDesk, PsExec, ConnectWise, N-Able, Cobalt Strike, and Metasploit to move laterally inside the network and establish command and control in the environment.
The advisory published a series of indicators of compromise (IOCs) for businesses to cross reference when investigating suspicious activity on the network.
The advisory published a series of indicators of compromise (IOCs) for businesses to cross reference when investigating suspicious activity on the network.
Victims are encouraged against paying any ransom demands they receive as it does not guarantee victim files will be recovered and may ‘embolden’ the adversaries to target additional organizations.