RansomHub Ransomware Group Linked to 210 Attacks Since February 2024

Since its launch in February 2024, the RansomHub ransomware group has encrypted and stolen data from over 210 victims, according to a statement from the U.S. government. These victims represent a wide range of sectors, including water and wastewater, information technology, government services, healthcare, emergency services, food and agriculture, financial services, critical manufacturing, transportation, and communications infrastructure.

"RansomHub is a ransomware-as-a-service (RaaS) variant—previously known as Cyclops and Knight—that has quickly become an effective and successful model. It has recently attracted affiliates from other major ransomware variants like LockBit and ALPHV," the government agencies reported.

As a descendant of Cyclops and Knight, this RaaS operation has lured high-profile affiliates, especially following recent law enforcement crackdowns. ZeroFox, in an analysis published last month, observed a steady increase in RansomHub’s activities, noting it accounted for 2% of all ransomware incidents in Q1 2024, increasing to 5.1% in Q2, and reaching 14.2% in Q3.

"About 34% of RansomHub attacks have targeted organizations in Europe, compared to 25% of attacks across the broader threat landscape," the report highlighted.

RansomHub employs a double extortion model, where it not only encrypts victim systems but also exfiltrates sensitive data. Victims are directed to communicate through a specific .onion website. If they refuse to pay the ransom, their data is often published on the group's leak site, where it may remain visible for three to 90 days.

The group's initial access to victim networks is typically gained by exploiting known vulnerabilities in widely used software, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), and various Fortinet products.

After gaining access, RansomHub affiliates conduct reconnaissance and network scanning using tools such as AngryIPScanner and Nmap. They also utilize living-off-the-land (LotL) techniques to blend in with regular network traffic. The group is known to disable antivirus protections using custom tools to avoid detection.

"Once inside, RansomHub affiliates create new user accounts to maintain access, reactivate disabled accounts, and use tools like Mimikatz to steal credentials and escalate their privileges to SYSTEM level," stated the U.S. government advisory.

"Affiliates then move laterally through the network using methods such as Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, and other command-and-control (C2) strategies like Cobalt Strike and Metasploit."
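The persistence steps the advisory describes above (creating new accounts, re-enabling disabled ones, then raising privileges) leave a recognisable trail in the Windows Security log. The following is an added detection example written for this page; it is not code from the article, the advisory, or any of the vendors named. It uses the standard Windows event IDs 4720 (account created), 4722 (account enabled) and 4732 (member added to a local group); the event field names, the sample events and the severity thresholds are constructed assumptions.

```python
"""Flag Security-log events consistent with the account-persistence steps the
advisory describes. Sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Well-known Windows Security event IDs (these are standard, not taken from the advisory).
WATCHED_EVENTS = {4720: "account created", 4722: "account enabled", 4732: "added to local group"}
# Groups whose membership grants broad access; list is an assumption for the example.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample telemetry (field names are an assumption, not a vendor schema).
SAMPLE_EVENTS = [
    {"ts": "2024-09-01T02:13:05Z", "event_id": 4624, "host": "FS01", "subject": "svc_backup", "target": "svc_backup"},
    {"ts": "2024-09-01T02:14:11Z", "event_id": 4720, "host": "FS01", "subject": "jdoe", "target": "support1"},
    {"ts": "2024-09-01T02:14:12Z", "event_id": 4732, "host": "FS01", "subject": "jdoe", "target": "support1", "group": "Administrators"},
    {"ts": "2024-09-01T02:15:40Z", "event_id": 4722, "host": "FS01", "subject": "jdoe", "target": "oldadmin"},
    {"ts": "2024-09-01T09:30:00Z", "event_id": 4720, "host": "HR02", "subject": "helpdesk", "target": "newhire"},
]


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() on older Pythons does not accept a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_account_activity(events, window_seconds=600):
    """Return findings sorted by time.

    Severity (assumed scale):
      high   - addition to a privileged group, or any group addition within
               `window_seconds` of the same account being created
      medium - a previously disabled account re-enabled, or a non-privileged group add
      low    - a new account with no follow-on privileged activity
    """
    by_target = defaultdict(list)
    for e in events:
        if e["event_id"] in WATCHED_EVENTS:
            by_target[(e["host"], e["target"])].append(e)

    findings = []
    for (host, target), evs in by_target.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        created_at = None  # time of the 4720 for this host/target, if seen
        for e in evs:
            eid = e["event_id"]
            base = {"ts": e["ts"], "host": host, "target": target, "by": e["subject"]}
            if eid == 4720:
                created_at = _parse_ts(e["ts"])
                findings.append({**base, "severity": "low", "reason": "new account created"})
            elif eid == 4722:
                findings.append({**base, "severity": "medium", "reason": "disabled account re-enabled"})
            elif eid == 4732:
                group = e.get("group", "")
                severity = "high" if group in PRIVILEGED_GROUPS else "medium"
                reason = f"added to group {group}"
                # Create-then-elevate inside a short window is the pattern to escalate on.
                if created_at and (_parse_ts(e["ts"]) - created_at).total_seconds() <= window_seconds:
                    reason += f" within {window_seconds}s of creation"
                    severity = "high"
                findings.append({**base, "severity": severity, "reason": reason})

    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_account_activity(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity']:6} {f['host']}/{f['target']} by {f['by']}: {f['reason']}")
```

In a real pipeline the events would come from a SIEM query or forwarded Security logs rather than the inline list; correlating the creation and group-add events per host and account, as above, is what separates an affiliate's create-then-elevate sequence from routine help-desk provisioning.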

Another characteristic of RansomHub attacks is the use of intermittent encryption, which speeds up the encryption process. Data exfiltration is carried out using tools like PuTTY, AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, and Cobalt Strike.
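Intermittent encryption is faster because only parts of each file are encrypted, and that leaves a signature a defender can look for: high-entropy regions interleaved with ordinary content inside a single file. The block below is an added example, not code from the article or the advisory; it computes a per-chunk Shannon entropy profile and classifies a file as plain, fully encrypted, partially encrypted or intermittently encrypted. The chunk size, the entropy threshold and the sample data are assumptions constructed for the example.

```python
"""Per-chunk entropy profiling to spot intermittently encrypted files.
Thresholds and sample data are assumptions constructed for this example."""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096     # assumed analysis granularity
HIGH_ENTROPY = 7.0    # bits per byte; random or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Entropy of each consecutive chunk of the input."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(profile, threshold: float = HIGH_ENTROPY) -> str:
    """Classify a file from its entropy profile.

    plain           - no chunk is high entropy
    fully_encrypted - every chunk is high entropy
    partial         - a single high-entropy region (one or no transition)
    intermittent    - high- and low-entropy chunks alternate (two or more transitions)
    """
    high = [e >= threshold for e in profile]
    if not any(high):
        return "plain"
    if all(high):
        return "fully_encrypted"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "partial"


def build_sample(kind: str) -> bytes:
    """Constructed test data: repeated English text chunks and seeded pseudo-random
    chunks standing in for encrypted regions (no real cipher is involved)."""
    sentence = b"Quarterly report, section 3: revenue by region and product line. "
    text_chunk = (sentence * (CHUNK_SIZE // len(sentence) + 1))[:CHUNK_SIZE]
    rng = random.Random(7)
    noise_chunk = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    layouts = {
        "plain": [text_chunk] * 5,
        "fully_encrypted": [noise_chunk] * 5,
        "partial": [noise_chunk, noise_chunk, text_chunk, text_chunk, text_chunk],
        "intermittent": [text_chunk, noise_chunk, text_chunk, noise_chunk, text_chunk],
    }
    return b"".join(layouts[kind])


if __name__ == "__main__":
    for kind in ("plain", "fully_encrypted", "partial", "intermittent"):
        profile = entropy_profile(build_sample(kind))
        print(f"{kind:16} -> {classify(profile):16} {[round(e, 2) for e in profile]}")
```

Compressed or already-encrypted formats (archives, media, PDFs with embedded images) also produce high-entropy chunks, so in practice the profile is most useful when compared against what the file type normally looks like, or combined with the mass-modification and extension-change signals that EDR tooling already watches.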

The rise of RansomHub is part of a broader trend in ransomware operations, as highlighted by a report from Palo Alto Networks' Unit 42 on the ShinyHunters group, also known as Bling Libra. ShinyHunters has recently shifted its tactics to focus on extortion rather than just selling or releasing stolen data.

"The group uses legitimate credentials obtained from public sources to access an organization’s Amazon Web Services (AWS) environment," noted security researchers Margaret Zimmermann and Chandni Vaya. "Despite limited permissions, Bling Libra managed to infiltrate AWS environments, conducting reconnaissance and accessing data using tools like the Amazon S3 Browser and WinSCP."

This shift in tactics reflects a broader evolution in ransomware strategies, moving beyond simple file encryption to complex, multi-layered extortion schemes. Some groups are even employing triple and quadruple extortion techniques, according to SOCRadar.

"Triple extortion involves threats beyond data encryption and exfiltration, such as launching DDoS attacks against victim systems or threatening to harm their clients and partners," SOCRadar explained.

Quadruple extortion goes further, targeting third parties connected to the victims, pressuring them for payments, or threatening to release their data to force the initial victim to comply.

The profitability of RaaS models has led to a proliferation of new ransomware variants, including Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has also drawn nation-state actors into collaborations with established ransomware groups like NoEscape, RansomHouse, and BlackCat, offering them a share of the illicit earnings.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067