Ethical Hacking News
The rise of RansomHub marks a significant turning point in the ransomware landscape, with the threat actors targeting over 600 organizations globally and employing sophisticated tactics to evade detection. As the cybersecurity landscape continues to evolve, it is essential for organizations to prioritize their security posture and implement robust measures to protect against these increasingly complex attacks.
RansomHub is the top ransomware group of 2024, having targeted over 600 organizations globally. The group's success is tied to acquiring source code from the now-defunct Knight RaaS gang and to exploiting security flaws in Microsoft Active Directory and the Netlogon protocol. RansomHub recruits affiliates from the LockBit and BlackCat groups through a partnership program, creating a robust ecosystem for sharing tools and source code. Its tactics include using tunneling tools to maintain persistence, using Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls, and delivering LockBit ransomware through Phorpiex botnet malware propagated via phishing emails. These tactics are becoming increasingly sophisticated, pivoting from traditional encryption to data theft and extortion, with big rewards offered for stolen data.
RansomHub has emerged as the top ransomware group in 2024, leaving a trail of destruction and chaos in its wake. According to Group-IB analysts, the threat actors behind RansomHub have successfully targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure.
The rise of RansomHub is closely tied to the acquisition of the source code associated with the now-defunct Knight (formerly Cyclops) ransomware-as-a-service (RaaS) gang from the RAMP cybercrime forum. This strategic move enabled RansomHub to accelerate its operations and expand its reach, ultimately becoming the most active ransomware group in 2024.
One of the key factors contributing to RansomHub's success is its ability to leverage now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller. This sophisticated tactic allows RansomHub to conduct lateral movement across the network, making it increasingly difficult for victims to contain the attack.
RansomHub has also been observed actively recruiting affiliates from LockBit and BlackCat groups as part of a partnership program. This strategic move enables RansomHub to capitalize on the law enforcement actions targeting its rivals, effectively creating a robust ecosystem that thrives on sharing, reusing, and rebranding tools and source codes.
The group's recruitment posts on underground forums emphasize a stringent verification process for pentesters and skilled intrusion teams, highlighting Lynx's emphasis on operational security and quality control. Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy.
An analysis of the ransomware's Windows and Linux versions shows that it closely resembles INC ransomware, indicating that the threat actors likely acquired the latter's source code. The group recently added multiple encryption modes, including 'fast,' 'medium,' 'slow,' and 'entire,' giving affiliates the freedom to adjust the trade-off between speed and depth of file encryption.
The use of tunneling tools to maintain persistence is another key aspect of RansomHub's tactics, allowing attackers to strategically deploy ransomware on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network-attached storage (NAS) devices. This approach gives the attackers robust and reliable communication channels, making it increasingly difficult for victims to detect the attack.
RansomHub's partnership with other groups has also led to the use of Phorpiex (aka Trik) botnet malware propagated via phishing emails to deliver LockBit ransomware. This technique is unique, as ransomware deployment usually consists of human operators conducting the attack. The exploitation of unpatched VPN appliances (e.g., CVE-2021-20038) has also been observed, allowing attackers to gain access to internal network devices and hosts.
The attacks are characterized by the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls. After gaining access into the environment and performing reconnaissance, attackers strategically deploy tunneling tools on critical network devices.
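The BYOVD technique described above relies on loading a legitimately signed but vulnerable kernel driver, so a valid signature alone is not a useful allow signal; defenders instead match driver loads against a maintained blocklist and watch for loads from unusual paths. The following is an added example, not code from the article or from Group-IB, that triages Sysmon Event ID 6 (DriverLoad) records along those lines. The Sysmon field names (ImageLoaded, Hashes, Signed, SignatureStatus) are real; the sample events and the blocklist hashes are constructed placeholders, and in practice the blocklist would be fed from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example: the events and blocklist hashes below are constructed
placeholders, not real driver hashes from the article.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder blocklist (constructed). A real deployment would load a
# maintained list of SHA256 hashes of known vulnerable, signed drivers.
VULNERABLE_DRIVER_SHA256 = {
    "00" * 32: "placeholder-vulnerable-driver.sys",
}

# Kernel drivers normally live under System32; loads from elsewhere are unusual.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_driver_load(xml_text: str) -> DriverLoad:
    """Extract the fields we need from one Sysmon Event ID 6 XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS).text
    if event_id != "6":
        raise ValueError(f"not a DriverLoad event (EventID={event_id})")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Sysmon writes hashes as "SHA256=...,MD5=...,..." in a single field.
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=data.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=data.get("Signed", "").lower() == "true",
        signature_status=data.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks suspicious (empty list if none)."""
    reasons = []
    # The BYOVD case: signature is valid, but the driver itself is known-vulnerable.
    if load.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"hash matches known vulnerable driver {VULNERABLE_DRIVER_SHA256[load.sha256]}")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("driver is unsigned or its signature is not valid")
    if not load.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path {load.image}")
    return reasons


def triage(events: list[str]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every event that raised at least one reason."""
    findings = []
    for raw in events:
        load = parse_driver_load(raw)
        reasons = assess(load)
        if reasons:
            findings.append((load.image, reasons))
    return findings


def _event(image: str, sha256: str, signed: str, status: str) -> str:
    """Build a minimal constructed Event ID 6 record with the fields used above."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>6</EventID></System><EventData>"
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        f'<Data Name="Signed">{signed}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        "</EventData></Event>"
    )


# Constructed sample events: a normal load, a signed-but-blocklisted driver
# dropped in a user-writable directory, and an unsigned driver from Temp.
SAMPLE_EVENTS = [
    _event("C:\\Windows\\System32\\drivers\\disk.sys", "11" * 32, "true", "Valid"),
    _event("C:\\Users\\Public\\update.sys", "00" * 32, "true", "Valid"),
    _event("C:\\Windows\\Temp\\x.sys", "22" * 32, "false", "Unavailable"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The second sample event is the one that matters for BYOVD: it passes every signature check and is only caught by the hash match, which is why the blocklist must be kept current and why a load from a user-writable path is worth an alert even when the driver is signed.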
In recent weeks, financially motivated attacks have also been observed using Phorpiex to deliver LockBit ransomware. The threat actors relied on Phorpiex to deliver and execute LockBit ransomware, a unique technique that has not been seen in past LockBit ransomware incidents.
The cybersecurity landscape continues to evolve, with threats pivoting from traditional encryption to data theft and extortion. Groups like RansomHub and Akira now offer big rewards for stolen data, making these tactics quite lucrative.
As the threat landscape continues to shift, it is essential for organizations to prioritize their security posture, implementing robust measures to protect against sophisticated attacks like those conducted by RansomHub. By staying vigilant and proactive, businesses can reduce the risk of falling victim to this increasingly complex and targeted attack vector.
Related Information:
https://thehackernews.com/2025/02/ransomhub-becomes-2024s-top-ransomware.html
https://en.wikipedia.org/wiki/Lockbit
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
https://nordvpn.com/cybersecurity/threat-center/phorpiex/
https://cybersecuritynews.com/beware-of-trik-loader-botnet/
Published: Fri Feb 14 07:10:46 2025 by llama3.2 3B Q4_K_M