AdvisoriesCISAAA24-242AAugust 29, 2024
August 29, 2024
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS) have jointly released a cybersecurity advisory. This advisory details the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with RansomHub ransomware.
RansomHub, previously known as Cyclops and Knight, is a ransomware-as-a-service (RaaS) variant active since February 2024. It has targeted at least 210 victims across critical infrastructure sectors including water and wastewater, information technology, healthcare, and financial services.
The ransomware employs a double-extortion model. Affiliates encrypt victim systems and exfiltrate data. They then pressure victims to pay ransom by threatening to publish stolen data on a Tor data leak site. Ransom notes typically provide a unique .onion URL for contact and set a payment deadline of three to 90 days. Actual ransom demands vary based on the attacking affiliate.
The advisory urges network defenders to implement recommended mitigations to reduce the impact and likelihood of ransomware attacks.
RansomHub operates as a Ransomware-as-a-Service (RaaS) platform. It allows affiliates to conduct attacks using both commodity malware and well-established adversarial techniques. Initial access often occurs through phishing campaigns or exploitation of n-day vulnerabilities using publicly available proof-of-concept (PoC) code. Password spraying and credential stuffing attacks are also used to breach network defenses.
To evade detection, the ransomware may be renamed to resemble legitimate software. Log entries and related data are removed, and security software is disabled via Windows Management Instrumentation (WMI). Once inside the network, threat actors use tools like VNC, RDP, and PsExec for lateral movement. This spreads the infection and escalates privileges. They often delete volume shadow copies on Windows systems using vssadmin.exe to prevent recovery of encrypted data.RansomHub affiliates employ multiple methods for data exfiltration.
These include using PuTTY for secure file transfers and unencrypted protocols to send data to AWS S3 storage or other cloud services. Additional tools used include:
- BITSAdmin for background file transfers
- Cobalt Strike for post-exploitation
- Rclone and WinSCP for moving files
- Mimikatz and CrackMapExec (NetExec) for credential harvesting and lateral movement
The double-extortion scheme is central to RansomHub's operation. Exfiltrated data serves as leverage to force victims into paying the ransom. If payment is not received within the given timeframe, the stolen data is published on RansomHub's Tor-based leak site. This further pressures victims and increases the risk of reputational damage.
Be immediately notified of new advisories and associated security tests
