RansomHub
Essential information
- Confidence
- 100/100
- Is family
- No
- Published
- 17/03/2025 20:03
- Modified
- 18/06/2026 22:35
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 74 attack patterns (mitre), 3 intrusion sets (apt), 14 sectors, 5 countries, 97 indicators, 7 vulnerabilities (cve), 13 reports
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (74)
-
T1518 usesSoftware Discovery MITRE
-
T1570 usesLateral Tool Transfer MITRE
-
T1036 usesMasquerading MITRE
-
T1003 usesOS Credential Dumping MITRE
-
T1480 usesExecution Guardrails MITRE
-
Safe Mode Boot uses
-
T1203 usesExploitation for Client Execution MITRE
-
T1036.004 usesMasquerade Task or Service MITRE
-
T1505.003 usesWeb Shell MITRE
-
T1571 usesNon-Standard Port MITRE
-
T1110 usesBrute Force MITRE
-
T1095 usesNon-Application Layer Protocol MITRE
Intrusion sets (APT) (3)
-
Water Scylla usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Water Bakunawa usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (14)
-
Manufacturing targets
-
Media targets
-
Construction targets
-
Business Services targets
-
Hospitality targets
-
Critical Manufacturing targets
-
Consulting targets
-
Education targets
-
Government targets
-
Finance targets
-
Emergency Services targets
-
Agriculture targets
Countries (5)
-
India targets
-
Japan targets
-
Brazil targets
-
Thailand targets
-
Netherlands targets
Indicators (97)
-
stix 100/100· Valid until 04/08/2026 · Source: AlienVault
-
hub.unlimitedcashflowevent.comindicatesstix 100/100 Revoked· Valid until 16/02/2026 · Source: AlienVault -
stix 100/100 Revoked· Valid until 03/03/2026 · Source: AlienVault
-
stix 100/100· Valid until 04/08/2026 · Source: AlienVault
-
stix 100/100· Valid until 04/08/2026 · Source: AlienVault
-
dashboard.nzlifecoaching.comindicatesstix 100/100 Revoked· Valid until 16/02/2026 · Source: AlienVault
Vulnerabilities (CVE) (7)
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 17/03/2017
- Modified
- 22/04/2026
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …
- Attack vector
- Network
- Published
- 19/08/2024
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Reports (13)
-
9 Malwares 56 Observables 1 APT
-
25 MITREs 2 Malwares 9 Observables 1 APT
-
25 MITREs 2 Malwares 1 APT
-
20 MITREs 12 Malwares
-
10 MITREs 2 Malwares 6 Observables 1 APT
-
20 MITREs 6 Malwares
-
15 MITREs 2 Malwares 9 Observables 1 APT
-
12 MITREs 1 Malware 2 Observables 1 APT
-
9 CVEs 23 MITREs 4 Malwares 14 Observables 1 APT
-
8 MITREs 2 Malwares 2 Observables
-
1 CVE 20 MITREs 4 Malwares 14 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 6 Malwares 2 IOCs 2 Observables 1 APT