Ransomhub

Threat Actor Profile Updated 7 days ago
RansomHub is a notable ransomware threat actor behind several recent high-profile attacks. The group targets large organizations with the intent of compromising their systems and data. RansomHub first drew wide attention when Christie's, a well-known company, disclosed a significant data breach following an attack by the group; the incident demonstrated RansomHub's ability to infiltrate and disrupt major corporate networks. The operation has expanded and evolved over time, and it has been identified as a rebrand of the previously known Knight RaaS (ransomware-as-a-service). The group also successfully targeted Frontier Communications, a telecommunications giant, further establishing its reputation as a serious threat. Researchers additionally found a bug in the Linux version of RansomHub's ransomware, indicating that the group continues to refine its malware to exploit systems across different platforms. RansomHub's activities took a more aggressive turn when it claimed to hold 4 terabytes of sensitive data stolen from UnitedHealth Group (UHG) and Change Healthcare clients. In both cases the group attempted to extort the organizations, threatening to leak the stolen data if its demands were not met. These incidents underscore the growing audacity and potential harm of RansomHub's activities and the need for robust security measures against such threat actors.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.

ID (votes): Profile Description

Knight Raas (1 vote): Knight RaaS, also known as Knight ransomware-as-a-service, is a significant threat actor in the cybersecurity landscape. This malicious entity, which could be a single person, a private company, or part of a government entity, is responsible for executing actions with harmful intent. The lack of sta

Alphv Ransomware Group (1 vote): The ALPHV ransomware group, also known as BlackCat, is a threat actor that has been responsible for a series of high-profile cyberattacks on various sectors. The group, which is believed to be connected to Russian organized crime, first gained notoriety when it claimed responsibility for the MGM Res

Alphv Group (1 vote): The ALPHV group, also known as BlackCat, is a threat actor involved in malicious cyber activities. The group notably claimed responsibility for the hack of Clarion, a global manufacturer of audio and video equipment for cars, marking one of their significant attacks. However, 2023 proved to be a cha
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Ransomware
RaaS
Ransom
Malware
Cybercrime
Iis
Extortion
Healthcare
Esxi
Vulnerability
Unitedhealth
Data Leak
Exploit
Scam
Windows
Scams
Brazil
Health
Encryption
Botnet
Phishing
Breachforums
Apache
Linux
Macos
Google
Apt
Implant
At
Bitcoin
Known Exploi...
Spyware
Credential S...
Vpn
Zero Day
RCE (Remote ...
Wordpress
Payload
Symantec
Associated Malware
ID (type, votes): Profile Description

Lockbit (Unspecified, 3 votes): LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f

Targetcompany (Unspecified, 1 vote): TargetCompany, a notorious malware group, has developed a new Linux variant of its ransomware designed to specifically target VMware ESXi environments. The discovery was made by researchers at Trend Micro, who identified the unique features of this variant that enable it to determine whether a targe
Associated Threat Actors
ID (type, votes): Profile Description

Alphv (Unspecified, 7 votes): AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.

Scattered Spider (Unspecified, 3 votes): Scattered Spider is a prominent threat actor group known for its malicious cyber activities. Their modus operandi includes searching SharePoint repositories for information, seeking to maintain persistence on targeted networks, and exfiltrating data for extortion purposes. The group primarily uses p

Noberus (Unspecified, 1 vote): Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr

Medusa (Unspecified, 1 vote): Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023

Lightspy (Unspecified, 1 vote): LightSpy is a sophisticated threat actor known for its espionage campaigns that primarily target South Asia. This group is notorious for deploying the LightSpy spyware, which has been particularly harmful to iOS devices in the region. The malicious software enables unauthorized access and control ov
Associated Vulnerabilities
ID (type, votes): Profile Description

CVE-2020-1472 (Unspecified, 1 vote): CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without

Zerologon (Unspecified, 1 vote): Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
Source Document References
Information about the Ransomhub threat actor was read from the document corpus below. This display is limited to 20 results.

Source, Created At: Title

Securityaffairs, 17 hours ago: Rite Aid disclosed data breach following RansomHub attack
Recorded Future, 5 days ago: RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates | Recorded Future
BankInfoSecurity, 6 days ago: Reports: Florida Health Department Dealing With Data Heist
Securityaffairs, 7 days ago: Security Affairs Malware Newsletter - Round 1
BankInfoSecurity, 13 days ago: Groups Ask HHS for Guidance on Massive Change Breach Reports
Securityaffairs, 14 days ago: Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Malwarebytes, 20 days ago: Change Healthcare confirms the customer data stolen in ransomware attack | Malwarebytes
Securityaffairs, 21 days ago: Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 22 days ago: Experts found a bug in the Linux version of RansomHub ransomware
Recorded Future, 24 days ago: RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates | Recorded Future
InfoSecurity-magazine, 24 days ago: LockBit Most Prominent Ransomware Actor in May 2024
Securityaffairs, a month ago: Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity, a month ago: Brazil's Climb Onto the World Stage Sparks Cyber Risks
DARKReading, a month ago: RansomHub Brings Scattered Spider Into Its RaaS Fold
InfoSecurity-magazine, a month ago: Scattered Spider Now Affiliated with RansomHub Following BlackCat Exit
Checkpoint, a month ago: 10th June – Threat Intelligence Report - Check Point Research
Securityaffairs, a month ago: Christie’s data breach impacted 45,798 individuals
Securityaffairs, a month ago: Frontier Communications data breach impacted over 750K people
Securityaffairs, a month ago: Security Affairs newsletter Round 475 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, a month ago: RansomHub operation is a rebranded version of the Knight RaaS