Ransomhub

Threat Actor updated 11 days ago (2024-10-17T12:04:39.318Z)
RansomHub is a threat actor that emerged as a new group in the cybersecurity landscape in February 2024, following the initial takedown of LockBit. Many former LockBit affiliates appear to have either started working independently using freely available ransomware source code such as Phobos, or aligned themselves with other groups such as Akira, BlackSuit, RansomHub, and Medusa, bringing their playbooks and toolkits with them. RansomHub has been particularly active, ranking among the leading ransomware groups and adopting increasingly sophisticated tactics. Notably, its attack chain illustrates a growing trend in ransomware operations in which attackers rely more heavily on advanced tools such as EDRKillShifter to bypass security defenses. The RansomHub binary can also delete all existing Volume Shadow Copy Service (VSS) snapshots on a Windows system via vssadmin.exe without prompting for confirmation, removing a common local recovery path before encryption begins. Upon successful execution, RansomHub encrypts files, appending an extension that depends on the filename of the ransom note. The group has already claimed several victims: Christie disclosed a data breach after a RansomHub attack, indicating the group's capability to infiltrate and compromise significant targets, and in August Patelco Credit Union was added to RansomHub's Tor leak site, suggesting another successful breach by this group, though Patelco did not officially confirm the responsible party. With these actions, RansomHub has established itself as a serious and evolving threat in the cybersecurity domain.
Description last updated: 2024-10-17T11:46:08.152Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias / Description / Votes
Qilin is a possible alias for Ransomhub. Qilin, a threat actor in the cybersecurity landscape, has emerged as a significant player in the ransomware space. The Octo Tempest group recently added Qilin ransomware to its arsenal, enhancing its capabilities and reach. This addition suggests that high-level groups like Qilin may have the capaci (Votes: 3)
Cyclops is a possible alias for Ransomhub. Cyclops, also known as Knight and later rebranded as RansomHub, is a malware that emerged in the threat landscape in May 2023. This malicious software, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites and can steal personal informatio (Votes: 3)
Octo Tempest is a possible alias for Ransomhub. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Extortion
Malware
Windows
Exploit
Cybercrime
Encrypt
Tool
Vulnerability
Iis
Esxi
Phishing
Credentials
Scam
Healthcare
Encryption
Unitedhealth
CISA
Symantec
Data Leak
Associated Malware
Alias / Description / Association Type / Votes
The Lockbit Malware is associated with Ransomhub. LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It typically enters through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for (Association type: Unspecified; Votes: 6)
Associated Threat Actors
Alias / Description / Association Type / Votes
The Alphv Threat Actor is associated with Ransomhub. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la (Association type: Unspecified; Votes: 9)
The Scattered Spider Threat Actor is associated with Ransomhub. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It (Association type: Unspecified; Votes: 3)
The Medusa Threat Actor is associated with Ransomhub. Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside othe (Association type: Unspecified; Votes: 3)
Associated Vulnerabilities
Alias / Description / Association Type / Votes
The Zerologon Vulnerability is associated with Ransomhub. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do (Association type: Unspecified; Votes: 2)
The CVE-2020-1472 Vulnerability is associated with Ransomhub. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any (Association type: Unspecified; Votes: 2)
Source Document References
Information about the Ransomhub Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source / Created
BankInfoSecurity (4 days ago)
InfoSecurity-magazine (11 days ago)
BankInfoSecurity (11 days ago)
BankInfoSecurity (9 days ago)
Checkpoint (13 days ago)
InfoSecurity-magazine (19 days ago)
BankInfoSecurity (a month ago)
Securityaffairs (a month ago)
Trend Micro (a month ago)
Checkpoint (a month ago)
Securityaffairs (a month ago)
ESET (a month ago)
DARKReading (a month ago)
BankInfoSecurity (a month ago)
DARKReading (2 months ago)
BankInfoSecurity (2 months ago)
ESET (2 months ago)
Recorded Future (2 months ago)
Securityaffairs (2 months ago)
Checkpoint (2 months ago)