The FBI, CISA, MS-ISAC, and HHS have released a joint advisory detailing known RansomHub ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).Â
RansomHub, a ransomware-as-a-service variant, has been active since February 2024, targeting various critical infrastructure sectors, and affiliates use a double-extortion model, encrypting systems and exfiltrating data.
Victims receive a ransom note with a unique client ID and are instructed to contact the ransomware group via a Tor browser, which typically provides a deadline for payment before stolen data is published on the RansomHub data leak site.
RansomHub attackers gain initial access to systems through various methods as they exploit unpatched vulnerabilities in internet-facing devices like Citrix ADC, FortiOS, and Apache ActiveMQ for remote code execution.Â
Phishing emails and password spraying are used to compromise user accounts. Attackers leverage leaked exploits from sources like ExploitDB and target specific vulnerabilities, including those allowing unauthorized administrator access (CVE-2023-22515) or complete system takeover (CVE-2023-46747).
By staying updated on these tactics and patching known holes, organizations can significantly improve their security posture.
RansomHub affiliates use a variety of techniques to compromise networks, including network scanning, file renaming, and log clearing.
After gaining initial access, they create user accounts, gather credentials, and escalate privileges to move laterally within the network using various tools and methods and also disable antivirus and EDR products to hinder detection and response.
The ransomware employs a public/private key encryption scheme using Curve 25519 to encrypt user files by targeting specific processes and encrypting files in intermittent chunks, appending a unique encryption key to each file.
It also deletes volume shadow copies to prevent system recovery, a ransom note is left on the compromised system, and the encrypted files are appended with a random extension.
The tools described by CISA are primarily used for remote access, file transfer, and privilege escalation, where BITSAdmin, PSExec, and SMBExec are used for remote code execution and file transfers.Â
Cobalt Strike, Mimikatz, and Sliver are tools used for penetration testing and lateral movement.
RClone and WinSCP are used to transfer files to and from cloud storage and remote systems, while CrackMapExec, Kerberoast, and AngryIPScanner are network scanning and exploitation tools.
The recommended mitigations to enhance cybersecurity posture against RansomHub threats include implementing multi-factor authentication, segmenting networks, monitoring network activity, patching systems regularly, and enforcing strong password policies.
Organizations should implement secure logging practices, review user accounts, and disable unused ports and macros.
Software manufacturers are urged to embed security into their product architecture and mandate multi-factor authentication to reduce the prevalence of vulnerabilities.
Download FreeIncident Response Plan Template
for Your Security Team – Free Download