Fraud Management & Cybercrime , Ransomware
RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat
Feds Count Over 200 Known US Victims of Ransomware Group That Launched in FebruaryRansomware groups may come and go in name, but many of the players remain the same, even if we don't know their real-world identities.
See Also: How to Take the Complexity Out of Cybersecurity
Cue U.S. federal agencies warning organizations to beware a rise in attacks tied to a ransomware group called RansomHub that's being powered by affiliates from down-or-out operations.
Since debuting in February, RansomHub has become "an efficient and successful" practitioner of the ransomware-as-a-service model, in which operators supply crypto-locking malware and affiliates use it to encrypt victims in exchange for keeping the lion's share of any ransom paid, says a joint alert issued Thursday by the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the Multi-State Information Sharing and Analysis Center - aka MS-ISAC - and the Department of Health and Human Services.
Formerly known as Cyclops and Knight - or at least using malware based on those groups' code - the RansomHub operation has been attracting an influx of affiliates who deserted the BlackCat, aka Alphv, operation, as well as LockBit. As security firm Symantec detailed earlier this year, these and other "veteran operators with experience and contacts in the cyber underground" have helped fuel RansomHub's rapid ascent.
RansomHub hackers leave a ransom note on a victim's crypto-locked systems which "does not generally include an initial ransom demand or payment instructions." Instead, it gives the victim a "client ID" and unique .onion
address for contacting the group to discuss further. "The ransom note typically gives victims between three and 90 days to pay the ransom - depending on the affiliate - before the ransomware group publishes their data on the RansomHub Tor data leak site."
RansomHub's rise "coincided with law enforcement making decryption keys available to keep LockBit at bay," said Raj Samani, chief scientist at cybersecurity firm Rapid7. "It again shows that once you deal with one criminal enterprise, another will inevitably burst open in the ransomware space."
Known victims of the group already number in the hundreds. In just seven months, "RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, IT, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation and communications critical infrastructure sectors," the joint alert says.
The alert warns organizations to beware some of the top tactics being used by the group's affiliates to gain initial access to victims' systems, which include using phishing emails; exploiting known vulnerabilities - some dating from 2017 - in Big-IP, Citrix, FortiOS, Java, Confluence and Microsoft technology; and using password spraying, which "targets accounts compromised through data breaches." The group has also been tied to exploits obtained from proof-of-concept attack code posted to such repositories as ExploitDB and GitHub.
The alert includes indicators of compromise tied to the group "obtained from FBI investigations," including IP addresses tied to attacks, some of which have been seen in attacks that date back to 2020 and have historic links to QakBot malware.
Growing List of Victims
Some of RansomHub's recent victims include the Florida Department of Health, pharmacy retail giant Rite Aid, auction house Christie's, Florida-based drug testing medical laboratory American Clinical Solutions and - so the group claims - California's Patelco Credit Union.
Another recent victim may be oil services giant Halliburton, which on Aug. 21 "became aware that an unauthorized third party gained access to certain of its systems," it said in an Aug. 22 regulatory filing (see: Oil Services Giant Halliburton Disrupted by Hack Attack).
"The company's response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement," Halliburton said. "The company's ongoing investigation and response include restoration of its systems and assessment of materiality."
While Halliburton hasn't confirmed if the attack involved ransomware, Bleeping Computer reported that it obtained a copy of a letter the company sent to suppliers, which included IOCs tied to the attack. One of those, it said, referenced "a Windows executable named maintenance.exe
, which BleepingComputer has confirmed to be a RansomHub ransomware encryptor."
Affiliates at Work
The flow of profit-driven affiliates from BlackCat and LockBit to RansomHub isn't unusual, experts say, not least because of the increased attention visited on both groups by authorities.
Law enforcement disrupted BlackCat last December, after which it bounced back and then exit-scammed, apparently to avoid sharing with its affiliate "Notchy" their cut of a $22 million ransom paid by UnitedHealth Group after Notchy hacked its Optum business unit's Change Healthcare organization. Subsequently, Notchy took the stolen data to RansomHub, which began its own shakedown of UHG, threatening to leak the stolen data unless it was paid. Whether or not the company paid a second ransom isn't clear.
Law enforcement disrupted LockBit in February, after which it bounced back. But authorities have continued to target the group using its own tactics, such as belittling its affiliates and naming and shaming the group's leader, "LockBitSupp," who U.S. prosecutors say is Dmitry Yuryevich Khoroshev, based in Voronezh, Russia.
While LockBit has continued to lurch on, security experts say it's hobbled by being so closely tied to Khoroshev and increasingly looks to be on its last legs, not least due to being dogged by bad publicity and the constant threat of further law enforcement action.
While affiliates are behind many ransomware attacks, the focus often falls on the ransomware groups themselves. It's a self-reinforcing pattern that allows affiliates to stay out of the limelight while boosting the street cred of the ransomware brand - and the bigger and badder it is, the more likely scared victims are to pay up (see: The Upside-Down, Topsy-Turvy World of Ransomware).
When groups decline, affiliates - really, just independent contractors - align with someone else. Affiliates may also work with multiple groups at once, selecting a group with crypto-locking malware or a track record of shaking down a particular type of victim, such as hospitals.
Which ransomware groups are most successful? That remains an open question, owing to many victims never disclosing when they're attacked, if they paid a ransom or how much they paid. While groups run data leak blogs, they only list a subset of who didn't pay, rather than a full accounting of the ones that did (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).