216.73.217.22

StopRansomware: RansomHub Ransomware

· Published 30/08/2024 17:44 · Modified 30/08/2024 18:08

Export JSON

Essential information

Published
30/08/2024 17:44
Modified
30/08/2024 18:08
Tags
2024-08-30 CVE-2017-0144 CVE-2020-0787 CVE-2020-1472 CVE-2023-22515 CVE-2023-27997 CVE-2023-3519 CVE-2023-46604 CVE-2023-46747 CVE-2023-48788 cobalt strike critical-infrastructure data exfiltration double-extortion encryption lateral movement metasploit mimikatz privilege-escalation ransomhub ransomware-as-a-service
Related entities
9 vulnerabilities (cve), 14 observables, 1 intrusion sets (apt), 23 techniques (mitre), 4 malware, 11 others

Description

is a variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploiting vulnerabilities, and password spraying. They use tools like for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. varies by affiliate but may involve tools like PuTTY and AWS S3 buckets. The ransomware uses Curve 25519 and implements intermittent . It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (9)

CVE-2020-0787 KEV

Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this …

Published
28/01/2022
Modified
21/12/2025
CVE-2017-0144 KEV
8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector
NETWORK
Complexity
LOW
Published
17/03/2017
Modified
22/04/2026
CVE-2023-3519 KEV
9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector
Network
Published
19/07/2023
Modified
27/05/2026
CVE-2023-27997 KEV
9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector
Network
Published
13/06/2023
Modified
21/12/2025
CVE-2023-48788 KEV
9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector
Network
Published
25/03/2024
Modified
21/12/2025
CVE-2023-46604 KEV
10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector
Network
Published
02/11/2023
Modified
21/12/2025
CVE-2023-46747 KEV
9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector
Network
Published
31/10/2023
Modified
21/12/2025
CVE-2023-22515 KEV
9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector
Network
Published
05/10/2023
Modified
21/12/2025
CVE-2020-1472 KEV
5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector
Local
Published
03/11/2021
Modified
27/05/2026

Observables (14)

  • 89.23.96.203
  • 8.211.2.97
  • 45.95.67.41
  • 193.233.254.21
  • 193.124.125.78
  • 193.106.175.107
  • 45.135.232.2
  • 188.34.188.7
  • 45.134.140.69
  • i.ibb.com
  • 40031.co
  • 12301230.co
  • samuelelena.co
  • [email protected]

Intrusion sets (APT) (1)

  • RansomHub
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:35 · Modified 21/12/2025 04:35

Techniques (MITRE) (23)

  • T1110.003
    T1110.003
  • T1021.001
    Remote Desktop Protocol
  • T1537
    Transfer Data to Cloud Account
  • T1048.003
    Exfiltration Over Unencrypted Non-C2 Protocol
  • T1588.005
    T1588.005
  • T1490
    Inhibit System Recovery
  • T1018
    Remote System Discovery
  • T1136
    Create Account
  • T1059.001
    PowerShell
  • T1562.001
    Disable or Modify Tools
  • T1486
    Data Encrypted for Impact
  • T1070
    Indicator Removal
  • T1048.002
    Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • T1047
    Windows Management Instrumentation
  • T1210
    Exploitation of Remote Services
  • T1046
    Network Service Discovery
  • T1219
    Remote Access Tools
  • T1036
    Masquerading
  • T1098
    Account Manipulation
  • T1566
    Phishing
  • T1190
    Exploit Public-Facing Application
  • T1068
    Exploitation for Privilege Escalation
  • T1003
    OS Credential Dumping

Malware (4)

  • Metasploit
    Family
    Published 03/02/2026 08:21 · Modified 03/02/2026 08:21
  • RansomHub
    Family
    Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
  • mimikatz
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • Cobalt Strike - S0154
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40

Others (11)

  • Critical Manufacturing
  • Commercial Facilities
  • Food and Agriculture
  • Emergency Services
  • Water and Wastewater
  • Communications
  • Information Technology
  • Financial Services
  • Healthcare
  • Transportation
  • Government

External references