Saturday, December 14, 2024
HomeCVE/vulnerabilityRansomhub Attacked 210 Victims Since Feb 2024, CISA Released Advisory For Defenders

Ransomhub Attacked 210 Victims Since Feb 2024, CISA Released Advisory For Defenders

Published on

SIEM as a Service

The FBI, CISA, MS-ISAC, and HHS have released a joint advisory detailing known RansomHub ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). 

RansomHub, a ransomware-as-a-service variant, has been active since February 2024, targeting various critical infrastructure sectors, and affiliates use a double-extortion model, encrypting systems and exfiltrating data. 

Victims receive a ransom note with a unique client ID and are instructed to contact the ransomware group via a Tor browser, which typically provides a deadline for payment before stolen data is published on the RansomHub data leak site.

- Advertisement - SIEM as a Service

RansomHub attackers gain initial access to systems through various methods as they exploit unpatched vulnerabilities in internet-facing devices like Citrix ADC, FortiOS, and Apache ActiveMQ for remote code execution. 

Phishing emails and password spraying are used to compromise user accounts. Attackers leverage leaked exploits from sources like ExploitDB and target specific vulnerabilities, including those allowing unauthorized administrator access (CVE-2023-22515) or complete system takeover (CVE-2023-46747). 

By staying updated on these tactics and patching known holes, organizations can significantly improve their security posture. 

The first eight bytes are the size of the encrypted file.

RansomHub affiliates use a variety of techniques to compromise networks, including network scanning, file renaming, and log clearing. 

After gaining initial access, they create user accounts, gather credentials, and escalate privileges to move laterally within the network using various tools and methods and also disable antivirus and EDR products to hinder detection and response.

The ransomware employs a public/private key encryption scheme using Curve 25519 to encrypt user files by targeting specific processes and encrypting files in intermittent chunks, appending a unique encryption key to each file. 

It also deletes volume shadow copies to prevent system recovery, a ransom note is left on the compromised system, and the encrypted files are appended with a random extension.

The last four bytes.

The tools described by CISA are primarily used for remote access, file transfer, and privilege escalation, where BITSAdmin, PSExec, and SMBExec are used for remote code execution and file transfers. 

Cobalt Strike, Mimikatz, and Sliver are tools used for penetration testing and lateral movement.

RClone and WinSCP are used to transfer files to and from cloud storage and remote systems, while CrackMapExec, Kerberoast, and AngryIPScanner are network scanning and exploitation tools. 

The recommended mitigations to enhance cybersecurity posture against RansomHub threats include implementing multi-factor authentication, segmenting networks, monitoring network activity, patching systems regularly, and enforcing strong password policies. 

Organizations should implement secure logging practices, review user accounts, and disable unused ports and macros.

Software manufacturers are urged to embed security into their product architecture and mandate multi-factor authentication to reduce the prevalence of vulnerabilities.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and...