Executive Summary

  • First Identified: 2024
  • Operation Style:
    • Ransomware-as-a-Service (RaaS); affiliates reportedly make 90% of ransom payments.
  • Extortion Method:
    • Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of the victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
  • Most Frequently Targeted Industries:
    • Technology
  • Most Frequently Targeted Victim HQ Locations:
    • North America
  • Known Associations:
    • Koley
    • Notchy
    • ALPHV Ransomware
    • Knight Ransomware
    • Scattered Spider

Description

Ransomhub is a ransomware-as-a-service (RaaS) operation that was first identified in February 2024. The group has been assessed to be related to the Alphv ransomware group, likely because multiple former Alphv affiliates have been observed using the Ransomhub ransomware. Additionally, security researchers with Symantec reported that the Ransomhub and Knight ransomware operations share significant code overlap. The overlap has been assessed to likely result from the Knight ransomware source code being sold on cybercriminal forums after the Knight operators halted operations, rather than from a cooperative relationship between the two operations.

Two former Alphv affiliates, Notchy and Scattered Spider, have been linked to the Ransomhub operation. Scattered Spider was linked through the observation of STONESTOP and POORTRY in a Ransomhub cyberattack; both tools have previously been linked to the Scattered Spider threat group. Notchy was likely linked to Ransomhub when the group posted Change Healthcare on its data leak site after the Alphv group reportedly pulled an exit scam after taking credit for the attack. It is widely believed that the Notchy affiliate took the stolen data to Ransomhub to re-extort the victim.

Ransomhub is written in Golang and C++, according to an advertisement on a dark-web forum. The post also stated that the malware is obfuscated using abstract syntax tree (AST) transformations and built daily, that the ransomware operators take a 10% commission from affiliates in the RaaS model, and that the asymmetric algorithm is based on x25519 while the symmetric encryption algorithm can be switched among AES256, ChaCha20, and XChaCha20. The ransomware supports targeting Windows, Linux, ESXi, and devices running on MIPS architectures.

Ransomhub affiliates are offered 90% of ransom payments, with the core group taking a 10% commission. Ransomhub initial access methods likely vary depending on the affiliate deploying the ransomware. It is likely that affiliates gain access using tried-and-true methods such as social engineering, vulnerability exploitation, valid accounts, and initial access brokers (IABs). Little is known about the inner workings of the Ransomhub operation, as the group is new to the landscape. However, the group has proven it is capable and poses a credible threat to organizations, and it is likely that additional analysis will be completed over the next 12 months.