2% to 14%: RansomHub is gradually taking over the ransomware market

Since its inception, the group has attacked over two hundred victims.

The ransomware-linked hacker group RansomHub has encrypted and stolen data from more than 210 victims since its inception in February 2024, according to US authorities. Among those affected are organizations from various sectors, including water, information technology, health, government agencies, emergency services, agriculture and financial institutions.

RansomHub operates on a ransomware-as-a-service (RaaS) model and was previously known under the aliases Cyclops and Knight. The group quickly attracted high-profile affiliates, including some who had previously worked with well-known groups such as LockBit and ALPHV (also known as BlackCat).

According to ZeroFox, RansomHub's activity is growing rapidly. In the first quarter of 2024 the group accounted for only 2% of all attacks; in the second quarter its share rose to 5.1%, and in the third quarter it reached 14.2%. Notably, 34% of the group's attacks target European organizations, well above the average across the threat landscape.

The RansomHub group uses a double-extortion model: data is first stolen and then the victims' systems are encrypted. Victims are instructed to contact the malware operators via a unique onion address to negotiate the ransom. If a company refuses to pay, its information is published on a data leak site.

The attackers gain access to victims' systems through vulnerabilities in well-known software products such as Apache ActiveMQ, Atlassian Confluence, Citrix ADC, and others. Once inside, they conduct reconnaissance and network scanning with tools such as Angry IP Scanner and Nmap, and disable anti-virus software to avoid detection.

In addition, the attackers create user accounts to maintain access to the system and use various tools to harvest credentials and escalate privileges. For lateral movement across the network, they rely on Remote Desktop (RDP), PsExec, AnyDesk and other widely used management tools.

A distinctive feature of RansomHub attacks is the use of intermittent encryption, which significantly speeds up the process. Data is exfiltrated using tools such as PuTTY, Amazon AWS S3, WinSCP, and others.

Against the backdrop of evolving ransomware attacks, researchers note a shift by threat actors toward more complex, multi-layered extortion schemes. Such schemes include not only encryption and data theft, but also threats of DDoS attacks and pressure on victims' business partners, all aimed at forcing payment of the ransom.

The extortion-as-a-service model is becoming increasingly lucrative, contributing to the emergence of new ransomware variants. It even attracts state-sponsored hacking groups, such as those of Iran, which cooperate with well-known ransomware groups and take a share of the illicit proceeds.
