RansomHub hits 210 victims in just 6 months

The ransomware gang recruits high-profile affiliates from LockBit and ALPHV


As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy.

According to the security advisory from CISA, the FBI, the HHS, and the MS-ISAC, RansomHub amassed at least 210 victims since spinning up in February this year.

That's a strong innings by anyone's estimations, let alone a group relatively fresh off the blocks and staffed by a ragtag ensemble of affiliates poached from former leading ransomware operations. 

Looking at the sprawling list of sectors the group has successfully targeted, it seems affiliates will go after anyone, including critical infrastructure and emergency services.

The purpose of this advisory is to disseminate known tactics, techniques, and procedures (TTPs) to inform defenders who can then create detection rules and stop RansomHub attacks before they unfold.

As for how the affiliates tend to break in, they love a good vulnerability exploit. Most of the vulnerabilities the advisory noted as firm favorites for the gang were only a year old. However, bugs such as CVE-2017-0144, the one that underpinned the NSA's EternalBlue exploit, and 2020's ZeroLogon have also been used with some success.

While monitoring network logs, defenders should keep an eye out for the usual suspects: Mimikatz for credential harvesting, and Cobalt Strike and Metasploit for moving around the network, establishing C2 infrastructure, and data exfiltration.

Other tools also feature, such as PuTTY and AWS S3 buckets for data exfiltration, and the advisory carries the full list. Because the toolset and techniques vary substantially depending on the affiliate running the attack, it is worth reviewing all of them rather than just the headline names.
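As an illustration of the "keep an eye out for the usual suspects" advice, here is a small added detection example (not code from the advisory or from The Register) that scans process-creation and network log lines for the tooling named above. The log format, the host names and the five sample lines are all constructed for this example; the indicator patterns are deliberately simple name matches, so a real rule set would add hashes, command-line arguments and behavioural telemetry on top.

```python
"""Toy detector for the post-exploitation tooling the advisory names:
Mimikatz, Cobalt Strike, Metasploit, PuTTY and S3 transfers.
Added example; the log format and sample lines are constructed."""
import re
from dataclasses import dataclass

# Indicator table: (pattern, tool, attack stage). Bare tool-name matches
# are a starting point for triage, not a substitute for hash- or
# behaviour-based rules.
INDICATORS = [
    (re.compile(r"mimikatz", re.I), "Mimikatz", "credential harvesting"),
    (re.compile(r"cobalt ?strike|\bbeacon\b", re.I), "Cobalt Strike", "lateral movement / C2"),
    (re.compile(r"metasploit|msfconsole|meterpreter", re.I), "Metasploit", "lateral movement / C2"),
    (re.compile(r"\b(putty|pscp|plink)\b", re.I), "PuTTY", "data exfiltration"),
    (re.compile(r"s3[.-]?amazonaws\.com|\bs3://", re.I), "AWS S3", "data exfiltration"),
]


@dataclass
class Hit:
    line_no: int
    tool: str
    stage: str
    line: str


def scan(lines):
    """Return one Hit per log line that matches any indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat, tool, stage in INDICATORS:
            if pat.search(line):
                hits.append(Hit(n, tool, stage, line.strip()))
                break  # one hit per line is enough for triage
    return hits


def summarize(hits):
    """Group hits by attack stage so an analyst sees the shape of the intrusion."""
    by_stage = {}
    for h in hits:
        by_stage.setdefault(h.stage, set()).add(h.tool)
    return {stage: sorted(tools) for stage, tools in by_stage.items()}


# Constructed sample log (hypothetical hosts and addresses, not real IoCs).
SAMPLE_LOG = [
    "2024-08-29T10:02:11Z host=WS-17 event=process_create image=C:\\Users\\Public\\mimikatz.exe",
    "2024-08-29T10:05:44Z host=WS-17 event=net_connect dst=203.0.113.10:443 proc=beacon.exe",
    "2024-08-29T10:06:02Z host=SRV-DB1 event=process_create image=C:\\Windows\\Temp\\pscp.exe",
    "2024-08-29T10:07:30Z host=SRV-DB1 event=dns query=example-bucket.s3.amazonaws.com",
    "2024-08-29T10:08:00Z host=WS-22 event=process_create image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.tool} ({h.stage})")
    print(summarize(scan(SAMPLE_LOG)))
```

Running it over the sample prints four hits (the notepad line is benign) and a per-stage summary, which is the view a defender wants: credential harvesting on one workstation, a beacon from the same host, then transfer tooling and an S3 lookup on the database server.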

A number of mitigations were also included in the advisory. Put simply, many if not all could be placed under the umbrella category of "the basics," such as keeping systems and software up to date, segmenting networks, and enforcing strong password policies, yada yada you know the drill.

And of course, CISA is involved, so it obviously wouldn't miss a chance to plug its latest Secure By Design initiative. It said insecure software is the root cause of many issues the recommended mitigations aimed to, well, mitigate, so ensuring security is embedded into product architecture and mandating MFA – ideally the phishing-resistant kind – for privileged users is imperative.

"CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics," the advisory reads. 

"By using secure by design tactics, software manufacturers can make their product lines secure "out of the box" without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates."

Stiff competition

Given that it took four years to finally cripple LockBit, it seems RansomHub may have a disturbingly long run ahead. 

Since spinning up in February as a suspected Knight rebrand, it's routinely hovering around the top spots in the monthly tables that track the number of victims claimed by ransomware operations. 

It's also now the go-to choice of ransomware for sophisticated groups such as Scattered Spider, perhaps offering an insight into how highly regarded it is among cybercriminal elites.

Just eight months ago, RansomHub didn't exist and LockBit and ALPHV had a firm stranglehold on the ransomware market. Sure, there were serious competitors, but none operated on the same scale as the two former juggernauts.

Now, one is hanging on by a thread and the other is no more. But here we have RansomHub vying to take that crown and cement itself as the new LockBit or ALPHV, using their old cronies to do it.

The competition, however, is much fiercer now than it was just a few months ago. The likes of INC, Play, Akira, Qilin, and others are all looking to claim the top spot as their own and all of them are posting similar numbers.

There is, though, one group that should not be discounted either: one recently singled out for being far more active than its data leak site suggests.

Cisco Talos researchers published a report on BlackByte this week, discovering that only around 20-30 percent of the true number of victims are posted to its leak site. The reason is undetermined.

According to the experts, BlackByte is believed to be an offshoot of Conti, which during its heyday surpassed the success of LockBit and ALPHV.

That said, despite supposedly being headed up by cybercrime veterans, and even counting the victims it doesn't publicize, BlackByte is nowhere near as active as Conti once was, posting just 41 victims throughout the entirety of 2023 and just three this year.
