© 2024 CoolTechZone - Latest tech news,
product reviews, and analyses.

CISA: ‘RansomHub has targeted hundreds of companies so far’


Since its inception in February 2024, RansomHub has encrypted and exfiltrated confidential data from at least 210 victims.

RansomHub is a so-called Ransomware-as-a-Service (RaaS) provider: affiliates use hacking tools and infrastructure developed by skilled hackers in exchange for a share of the proceeds, roughly 15 to 20 percent of all illicit revenues.

The affiliates’ job is to spread the ransomware among potential victims. Their activity follows known tactics, techniques and procedures (TTPs) and leaves behind known Indicators of Compromise (IOCs).

RansomHub affiliates typically gain initial access to their victims’ corporate network by using methods like phishing campaigns, exploitation of known vulnerabilities in services like Citrix ADC, FortiOS and Confluence Data Center, and password spraying.

Following initial access, RansomHub affiliates create user accounts for persistent access, gather login credentials, and escalate privileges for lateral movement. Then the data exfiltration begins, for which the affiliates use all sorts of mechanisms and tools, including Cobalt Strike, Metasploit and Rclone.

Lastly, RansomHub affiliates encrypt systems and use the exfiltrated data to extort victims. Victims typically have 90 days to pay the ransom before the ransomware operation threatens to publish their data.
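Of the initial-access methods in the attack chain above, password spraying is one that network monitoring can catch in authentication logs: a few passwords are tried against many accounts, so per-account lockout thresholds never trigger and only grouping by source exposes it. The following detector is an added example for illustration, not code from the advisory or from this article; the log format and the sample lines are constructed.

```python
"""Detect password-spray patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): timestamp, result, user, source IP.
# 203.0.113.7 walks through six accounts in seconds; 198.51.100.4 is one user
# mistyping a password twice before logging in normally.
SAMPLE_LOG = """\
2024-08-01T09:00:01 FAIL alice 203.0.113.7
2024-08-01T09:00:03 FAIL bob 203.0.113.7
2024-08-01T09:00:05 FAIL carol 203.0.113.7
2024-08-01T09:00:07 FAIL dave 203.0.113.7
2024-08-01T09:00:09 FAIL erin 203.0.113.7
2024-08-01T09:00:11 SUCCESS frank 203.0.113.7
2024-08-01T09:05:00 FAIL alice 198.51.100.4
2024-08-01T09:05:30 FAIL alice 198.51.100.4
2024-08-01T09:06:00 SUCCESS alice 198.51.100.4
"""


def parse(log_text):
    """Turn the constructed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source that touched >= min_users distinct accounts within `window`.

    Grouping by source rather than by account is the point: a spray keeps every
    individual account under its lockout threshold. Accounts that authenticated
    successfully from a flagged source are reported as likely compromised.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in sorted(by_src.items()):
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # sliding window over this source
            users, compromised = set(), set()
            for ts, result, user in evs[i:]:
                if ts - start > window:
                    break
                users.add(user)
                if result == "SUCCESS":
                    compromised.add(user)
            if len(users) >= min_users:
                alerts[src] = {"accounts_tried": len(users), "successes": sorted(compromised)}
                break
    return alerts
```

Tune `window` and `min_users` to the size of the directory; the success list is what an incident responder checks first when an alert fires.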

At least 210 companies have fallen victim to RansomHub since it first appeared in February 2024, representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) have released a joint advisory describing RansomHub’s TTPs and IOCs in more detail.

They also provide organizations with mitigation measures to improve their security, including a reliable password and email policy, a recovery plan, an update policy, network segmentation, network monitoring, multi-factor authentication (MFA), and training staff members to recognize digital threats.

