StopRansomware: RansomHub Ransomware
Essential information
- Published: 30/08/2024 17:44
- Modified: 30/08/2024 18:08
- Tags: 2024-08-30 CVE-2017-0144 CVE-2020-0787 CVE-2020-1472 CVE-2023-22515 CVE-2023-27997 CVE-2023-3519 CVE-2023-46604 CVE-2023-46747 CVE-2023-48788 cobalt strike critical-infrastructure data exfiltration double-extortion encryption lateral movement metasploit mimikatz privilege-escalation ransomhub ransomware-as-a-service
- Related entities: 9 vulnerabilities (cve), 14 observables, 1 intrusion set (apt), 23 techniques (mitre), 4 malware, 11 others
Description
RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploiting vulnerabilities, and password spraying. They use tools like Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools like PuTTY and AWS S3 buckets. The ransomware uses Curve25519 encryption and implements intermittent encryption. It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.
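The intermittent encryption mentioned above matters for forensic triage: a partially encrypted file is not uniformly high-entropy, so a whole-file entropy check can miss it, while per-chunk entropy shows encrypted chunks interleaved with untouched plaintext. The following is an added illustration of that idea, not code from the advisory or from RansomHub; the chunk size, thresholds and the sample file are constructed assumptions.

```python
import math
import random

CHUNK_SIZE = 1024      # assumed triage chunk size, not a RansomHub parameter
HIGH_ENTROPY = 7.0     # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file 'plaintext', 'encrypted', 'intermittent' or 'mixed'.

    Fully encrypted files are high-entropy in every chunk; intermittent
    encryption alternates encrypted and untouched regions, so the
    high/low profile flips several times along the file.  A single flip
    (e.g. only a header region encrypted) is reported as 'mixed'.
    """
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data, chunk_size)]
    if not high or not any(high):
        return "plaintext"
    if all(high):
        return "encrypted"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "mixed"


def build_sample(seed: int = 1) -> bytes:
    """Constructed sample: 16 text chunks with every other chunk replaced by
    pseudo-random bytes to mimic an intermittently encrypted document."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue figures and customer records.\n"
    text = (line * 64)[:CHUNK_SIZE]
    enc = lambda: bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    return b"".join(enc() if i % 2 else text for i in range(16))
```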