Monday, March 3, 2025
HomeCVE/vulnerabilityRansomhub Attacked 210 Victims Since Feb 2024, CISA Released Advisory For Defenders

Ransomhub Attacked 210 Victims Since Feb 2024, CISA Released Advisory For Defenders

Published on

SIEM as a Service

Follow Us on Google News

The FBI, CISA, MS-ISAC, and HHS have released a joint advisory detailing known RansomHub ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). 

RansomHub, a ransomware-as-a-service variant, has been active since February 2024, targeting various critical infrastructure sectors, and affiliates use a double-extortion model, encrypting systems and exfiltrating data. 

Victims receive a ransom note with a unique client ID and are instructed to contact the ransomware group via a Tor browser, which typically provides a deadline for payment before stolen data is published on the RansomHub data leak site.

RansomHub attackers gain initial access to systems through various methods as they exploit unpatched vulnerabilities in internet-facing devices like Citrix ADC, FortiOS, and Apache ActiveMQ for remote code execution. 

Phishing emails and password spraying are used to compromise user accounts. Attackers leverage leaked exploits from sources like ExploitDB and target specific vulnerabilities, including those allowing unauthorized administrator access (CVE-2023-22515) or complete system takeover (CVE-2023-46747). 

By staying updated on these tactics and patching known holes, organizations can significantly improve their security posture. 

The first eight bytes are the size of the encrypted file.

RansomHub affiliates use a variety of techniques to compromise networks, including network scanning, file renaming, and log clearing. 

After gaining initial access, they create user accounts, gather credentials, and escalate privileges to move laterally within the network using various tools and methods and also disable antivirus and EDR products to hinder detection and response.

The ransomware employs a public/private key encryption scheme using Curve 25519 to encrypt user files by targeting specific processes and encrypting files in intermittent chunks, appending a unique encryption key to each file. 

It also deletes volume shadow copies to prevent system recovery, a ransom note is left on the compromised system, and the encrypted files are appended with a random extension.

The last four bytes.

The tools described by CISA are primarily used for remote access, file transfer, and privilege escalation, where BITSAdmin, PSExec, and SMBExec are used for remote code execution and file transfers. 

Cobalt Strike, Mimikatz, and Sliver are tools used for penetration testing and lateral movement.

RClone and WinSCP are used to transfer files to and from cloud storage and remote systems, while CrackMapExec, Kerberoast, and AngryIPScanner are network scanning and exploitation tools. 

The recommended mitigations to enhance cybersecurity posture against RansomHub threats include implementing multi-factor authentication, segmenting networks, monitoring network activity, patching systems regularly, and enforcing strong password policies. 

Organizations should implement secure logging practices, review user accounts, and disable unused ports and macros.

Software manufacturers are urged to embed security into their product architecture and mandate multi-factor authentication to reduce the prevalence of vulnerabilities.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Exploiting AES Encryption for Stealthy Payload Protection

Cybersecurity researchers have uncovered a surge in the use of Advanced Encryption Standard (AES)...

33.3 Million Cyber Attacks Targeted Mobile Devices in 2024 as Threats Surge

Kaspersky's latest report on mobile malware evolution in 2024 reveals a significant increase in...

Routers Under Attack as Scanning Attacks on IoT and Networks Surge to Record Highs

In a concerning trend, the frequency of scanning attacks targeting Internet of Things (IoT)...

Google Launches Shielded Email to Keep Your Address Hidden from Apps

Google is rolling out a new privacy-focused feature called Shielded Email, designed to prevent apps...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

33.3 Million Cyber Attacks Targeted Mobile Devices in 2024 as Threats Surge

Kaspersky's latest report on mobile malware evolution in 2024 reveals a significant increase in...

Paragon Partition Manager Vulnerabilities Allow Attackers to Escalate Privileges and Trigger DoS Attacks

Security researchers have uncovered five significant vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, affecting...

Substack Custom Domain Vulnerability Exposes Thousands to Potential Hijacking

A newly disclosed vulnerability in Substack's custom domain setup could allow malicious actors to...