On August 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on RansomHub ransomware [1]. RansomHub emerged in February 2024 and quickly gained notoriety as a Ransomware-as-a-Service (RaaS) group targeting critical infrastructure sectors. According to the FBI, RansomHub threat actors have impacted over 200 organizations in the last six months.
In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by RansomHub ransomware and how organizations can defend themselves against RansomHub ransomware attacks.
RansomHub Ransomware
RansomHub ransomware first appeared in February 2024 as a variant of Cyclops and Knight ransomware. Despite being relatively new, the group has rapidly gained notoriety in the ransomware scene after the FBI's disruption of ALPHV ransomware. Some security researchers speculate that RansomHub is the "spiritual successor" of ALPHV, leveraging former ALPHV affiliates and resources.
RansomHub predominantly targets critical infrastructure sectors such as healthcare, water management, financial services, government services, transportation, communication, and emergency services. On their leak site, the group claims to be financially motivated. However, they also do not allow their affiliates to target CIS countries, Cuba, North Korea, and China.
RansomHub threat actors employ common ransomware tactics such as gaining access via phishing, exploiting known vulnerabilities, and double extortion. After initial access, adversaries disable EDR tools and run reconnaissance in the compromised network. Afterward, they dump credentials or spray passwords to compromise valid accounts for lateral movement. Prior to encryption, RansomHub threat actors exfiltrate the victims' sensitive information and delete shadow volume copies. These actions prevent their victims from recovering their data and pressure them into paying ransom for the decryption key.
RansomHub Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1190 Exploit Public Facing Applications
RansomHub threat actors exploit known and critical vulnerabilities listed below to gain initial access to target organizations. Organizations are advised to patch their vulnerable assets as soon as possible.
Affected Product | Vulnerability | CVSS Score
Citrix NetScaler ADC and NetScaler Gateway | CVE-2023-3519 | 9.8 (Critical)
Fortinet FortiOS and FortiProxy SSL-VPN | CVE-2023-27997 | 9.8 (Critical)
Java OpenWire | CVE-2023-46604 | 9.8 (Critical)
Atlassian Confluence Data Center and Server | CVE-2023-22515 | 9.8 (Critical)
F5 BIG-IP | CVE-2023-46747 | 9.8 (Critical)
Fortinet FortiClientEMS | CVE-2023-48788 | 9.8 (Critical)
Microsoft Netlogon | CVE-2020-1472 | 10.0 (Critical)
Microsoft Windows BITS | CVE-2020-0787 | 7.8 (High)
Microsoft SMBv1 | CVE-2017-0144 | 8.8 (High)
T1566 Phishing
RansomHub group uses mass phishing and spear-phishing emails to gain initial access to target networks.
Execution
T1047 Windows Management Instrumentation
Adversaries use Windows Management Instrumentation to disable antivirus products. Additionally, they use the following command to delete volume shadow copies so that their victims cannot recover their files.
wmic.exe shadowcopy delete
T1059.001 Command and Scripting Interpreter: PowerShell
RansomHub threat actors use PowerShell-based living-off-the-land methods to run network scanning. Adversaries also use the following PowerShell command to shut down virtual machines so that the encryption process is not interrupted by active services.
powershell.exe -Command PowerShell -Command ""Get-VM | Stop-VM -Force""
Persistence & Privilege Escalation
T1136 Create Account & T1098 Account Manipulation
Adversaries create new accounts or re-enable disabled accounts to establish persistent access to the compromised network. The re-enabled account may also allow them to escalate their privileges.
Defense Evasion
T1036 Masquerading
RansomHub operators rename their ransomware payload with seemingly benign names such as Windows.exe and place it in either the victim's Desktop or Downloads directory.
T1070 Indicator Removal on Host
Adversaries delete Windows and Linux system logs on the compromised hosts to slow down or prevent incident response efforts.
T1562.001 Impair Defenses: Disable or Modify Tools
RansomHub uses the EDRKillShifter tool and Bring Your Own Vulnerable Driver (BYOVD) techniques to disarm endpoint detection and response (EDR) tools.
Credential Access
T1003 OS Credential Dumping
RansomHub threat actors use Mimikatz on Windows systems to dump credentials.
T1110.003 Brute Force: Password Spraying
RansomHub operators use password spraying to gain initial access to the target systems.
Discovery
T1018 Remote System Discovery & T1046 Network Service Discovery
Adversaries use publicly available tools such as nmap and AngryIPScanner to run reconnaissance in the compromised network for remote system and network services.
Lateral Movement
T1210 Exploitation of Remote Services
RansomHub threat actors exploit the CVE-2017-0144 vulnerability and use the SMBExec tool to gain unauthorized access to remote systems. Adversaries also use PsExec and Remote Desktop Protocol (RDP) for lateral movement.
Command and Control (C2)
T1219 Remote Access Software
RansomHub operators use known tools such as AnyDesk, Cobalt Strike, Connectwise, N-Able, and Sliver to interact with compromised systems and communicate with their C2 servers.
Exfiltration
T1048 Exfiltration Over Alternative Protocol
Adversaries use PuTTY, WinSCP, and rclone to exfiltrate their victims' sensitive data for double extortion.
T1537 Transfer Data to Cloud Account
RansomHub operators use misconfigured Amazon S3 instances to access and exfiltrate backups, expanding the scope of extortion.
Impact
T1486 Data Encrypted for Impact
RansomHub ransomware uses the Curve25519 and AES algorithms in combination to encrypt their victims' sensitive files. Prior to encryption, adversaries try to kill active processes so that the encryption process is not interrupted by them.
The ransomware payload follows an intermittent encryption method based on the size of the file. Files smaller than 0x100000 bytes are completely encrypted and appended with 0x3A bytes of data. If the file is larger than 0x100000 bytes, the payload encrypts it in 0x100000-byte chunks and skips 0x200000 bytes of data between encrypted chunks.
The encrypted files are appended with a ransom file extension.
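The following script is an added example (not code from the original post or from the RansomHub payload) that models the intermittent-encryption schedule described above so that an incident responder can tell which byte ranges of a file were touched and which remain readable. The chunk, skip and footer sizes are the values stated above; the way they are combined (encrypt a chunk, skip the gap, repeat to end of file, with a trailing partial chunk also encrypted) is this example's reading of the description and is an assumption, not something verified against a sample. No encryption is performed.

```python
from __future__ import annotations

# Values from the description above.
CHUNK = 0x100000   # 1 MiB encrypted block
SKIP = 0x200000    # 2 MiB left untouched between encrypted blocks
FOOTER = 0x3A      # bytes appended to fully encrypted small files


def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """Return half-open [start, end) byte ranges the payload would encrypt.

    Assumption (not stated on the page): the pattern is encrypt CHUNK, skip SKIP,
    repeat until end of file, and a trailing partial chunk is still encrypted.
    """
    if size < 0:
        raise ValueError("size must be non-negative")
    if size < CHUNK:
        # Small file: the whole content is encrypted in one pass.
        return [(0, size)] if size else []
    ranges = []
    offset = 0
    while offset < size:
        end = min(offset + CHUNK, size)
        ranges.append((offset, end))
        offset = end + SKIP
    return ranges


def plaintext_ranges(size: int) -> list[tuple[int, int]]:
    """Complement of encrypted_ranges: regions that stay readable after the attack."""
    gaps = []
    cursor = 0
    for start, end in encrypted_ranges(size):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def encrypted_fraction(size: int) -> float:
    """Share of the original bytes that the payload overwrites with ciphertext."""
    if size == 0:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(size)) / size


def expected_output_size(size: int) -> int | None:
    """On-disk size of the encrypted file where the description states it.

    Only the small-file case (full encryption plus a 0x3A-byte footer) is given
    above; for large files the page does not say whether a footer is added, so
    this returns None rather than guessing.
    """
    if size < CHUNK:
        return size + FOOTER
    return None


if __name__ == "__main__":
    # Constructed sample sizes, not measurements from real samples.
    for size in (0x80000, 0x100000, 0x450000, 0x700000, 0x1000000):
        print(f"{size:#x}: {encrypted_ranges(size)} -> "
              f"{encrypted_fraction(size):.1%} encrypted")
```

The practical point for recovery work is that, under this schedule, roughly two thirds of a large file survives as plaintext in the skipped regions, so file formats that tolerate a damaged header region (or that can be carved from the middle) may be partially recoverable even without the decryption key, whereas files under 1 MiB are lost entirely.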
T1490 Inhibit System Recovery
Adversaries use Volume Shadow Copy Service Admin (vssadmin) and Windows Management Instrumentation (WMI) to delete volume shadow copies and prevent their victims from recovering their encrypted files.
vssadmin delete shadows /all /quiet
wmic.exe shadowcopy delete
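Several of the behaviours listed in this post (the shadow copy deletion commands here and under T1047, the Get-VM | Stop-VM PowerShell command under T1059.001, and the Windows.exe masquerading under T1036) are visible in process-creation telemetry. The script below is an added example, not code from the original post or from any vendor product, showing detection logic for those behaviours run over constructed process-creation events in a Sysmon Event ID 1 style (Image, CommandLine, ParentImage). The field names, the sample events and the rule names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete",
     "ParentImage": r"C:\Users\alice\Desktop\Windows.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command PowerShell -Command ""Get-VM | Stop-VM -Force""',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\Downloads\Windows.exe",
     "CommandLine": "Windows.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Benign administrative use: listing shadows is not deletion and must not alert.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Command-line rules keyed by the ATT&CK technique discussed in the post.
COMMAND_RULES = [
    ("T1490/vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490/wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1059.001/Stop-VM", re.compile(r"Get-VM\s*\|\s*Stop-VM\b", re.I)),
]

# T1036: a binary called Windows.exe (the name cited in the post) executing from,
# or spawning children from, a user's Desktop or Downloads directory.
MASQUERADE_IMAGE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads)\\Windows\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str
    image: str
    command_line: str
    note: str


def analyze_event(event: dict) -> list[Finding]:
    """Return one Finding per rule that matches this process-creation event."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    findings = []
    for technique, pattern in COMMAND_RULES:
        if pattern.search(cmd):
            findings.append(Finding(technique, image, cmd, "command line match"))
    if MASQUERADE_IMAGE.search(image):
        findings.append(Finding("T1036/Windows.exe", image, cmd,
                                "payload-like binary in user profile directory"))
    elif MASQUERADE_IMAGE.search(parent):
        findings.append(Finding("T1036/Windows.exe", image, cmd,
                                f"spawned by suspicious parent {parent}"))
    return findings


def analyze_events(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in analyze_event(e)]


def summarize(events: list[dict]) -> dict[str, int]:
    """Count findings per technique, e.g. for a triage dashboard."""
    counts: dict[str, int] = {}
    for f in analyze_events(events):
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.image}: {f.command_line} ({f.note})")
    print(summarize(SAMPLE_EVENTS))
```

Two design choices worth noting: the shadow copy rules match only the delete verbs, so routine `vssadmin list shadows` from administrators does not alert, and a shadow copy deletion spawned by a binary in a user's Desktop or Downloads directory produces two findings for the same event, which is the correlation an analyst would want to see first.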
How Does Picus Help Simulate RansomHub Ransomware Attacks?
We also strongly suggest simulating RansomHub ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Akira, Black Basta, and Phobos, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for RansomHub ransomware:
Threat ID | Threat Name | Attack Module
24872 | RansomHub Ransomware Campaign 2024 | Windows Endpoint
72426 | RansomHub Ransomware Download Threat | Network Infiltration
55745 | RansomHub Ransomware Email Threat | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures to address RansomHub ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for RansomHub ransomware:
Security Control | Signature ID | Signature Name
Check Point NGFW | 08767A86B | Ransomware.Win32.Knight.TC.7491RdOu
Check Point NGFW | 0C1AA225A | Ransomware.Win32.Knight.TC.68c8NMKB
Check Point NGFW | 0E8CC7B70 | Ransomware.Win32.Knight.TC.a851BbyQ
Check Point NGFW | 0854E605E | Ransomware.Win32.Knight.TC.0afepFqN
Cisco FirePower | RansomX:Artemis.27ff.in14.Talos |
Cisco FirePower | W32.8F59B4F0F5-95.SBX.TG |
Cisco FirePower | W32.Variant:Attribute.27fm.1201 |
Forcepoint NGFW | | File_Malware-Blocked
Fortigate AV | 10175747 | W32/Filecoder_Knight.D!tr
Palo Alto | 648798921 | Trojan/Win64.splinter.bx
Palo Alto | 648798918 | Trojan/Win64.splinter.bw
Palo Alto | 641803191 | trojan/Win32.tedy.fjz
Palo Alto | 648798906 | Trojan/Win64.splinter.bv
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "#StopRansomware: RansomHub Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a. [Accessed: August 29, 2024]