RansomHub

Threat Actor updated 2 days ago (2024-09-05T23:17:44.238Z)
RansomHub is a ransomware group that has emerged as a significant cyber threat since it first appeared in February 2024. The group runs a double-extortion model: it encrypts victims' IT systems and also exfiltrates their data, then threatens to publish that data unless a ransom is paid. RansomHub's ransom demands take a distinctive form. Instead of a conventional note, the victim receives a client ID and instructions to contact the group through a unique .onion URL, reachable only through the Tor browser. Victims are typically given between three and 90 days to pay before their data is published on RansomHub's Tor-hosted data leak site.

Since its establishment, RansomHub has reportedly encrypted and exfiltrated data from at least 210 victims across sectors including healthcare and public health, financial services, and government. High-profile victims include the auction house Christie's, which disclosed a data breach following an attack by the group. Other notable victims include several health-sector organizations, which shows RansomHub's willingness to target critical infrastructure. In one particularly concerning incident, Planned Parenthood of Montana reported a hack and a threat by RansomHub to leak 93 gigabytes of data allegedly stolen from the organization. The 93 GB figure is RansomHub's own claim; ransomware groups have been known to exaggerate, lie, and mislead about the extent of their breaches, so it should be treated with caution until independently confirmed.

In response to RansomHub's escalating activity, the FBI, CISA, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint #StopRansomware advisory on the group. The ThreatDown Ransomware Review for August 2024 also identified RansomHub as the gang responsible for the largest number of known attacks in July 2024. These alerts and reviews underscore the growing concern within the security community about RansomHub's activities and the need for organizations to adopt robust defensive measures against this threat.
Description last updated: 2024-09-05T23:15:57.321Z
Possible Aliases / Cluster Overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Octo Tempest (2 votes): Octo Tempest, a known threat actor in the cybersecurity landscape, has recently added RansomHub and Qilin ransomware to its arsenal of cyber weapons. This expansion of their capabilities marks a significant escalation in their potential for harm and demonstrates a clear evolution towards more sophis

Qilin (2 votes): The Qilin ransomware group, a malicious threat actor in the cybersecurity landscape, has been active since at least 2022 and gained significant attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group was later associated with Octo Tempest, which ad
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Malware
Windows
Cybercrime
Extortion
Exploit
Scam
Healthcare
IIS
ESXi
Encrypt
Phishing
Data Leak
Encryption
Vulnerability
Credentials
CISA
UnitedHealth
Associated Malware

LockBit (type: Unspecified, 5 votes): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Associated Threat Actors

ALPHV (type: Unspecified, 8 votes): ALPHV is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op

Scattered Spider (type: Unspecified, 3 votes): Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic

Medusa (type: Unspecified, 2 votes): Medusa, a malicious threat actor known for its ransomware attacks, has been increasingly active and dangerous. This group was responsible for a significant rise in data leaks and multi-extortion activities throughout 2023. Medusa, along with other ransomware groups like LockBit and ALPHV (BlackCat),
Source Document References
Information about the RansomHub threat actor was read from the documents below (source, age at time of the profile update, title).

BankInfoSecurity, 2 days ago: RansomHub Claims Theft of Montana Planned Parenthood Data
Malwarebytes, 2 days ago: Planned Parenthood partly offline after ransomware attack | Malwarebytes
BankInfoSecurity, 4 days ago: Halliburton Says Hackers Stole Data
InfoSecurity-magazine, 4 days ago: Active Ransomware Groups Surge by 56% in 2024
Securityaffairs, 4 days ago: U.S. oil giant Halliburton disclosed a data breach
InfoSecurity-magazine, 5 days ago: US Authorities Issue RansomHub Ransomware Alert
Checkpoint, 5 days ago: 2nd September – Threat Intelligence Report - Check Point Research
Securityaffairs, 6 days ago: Security Affairs newsletter Round 487 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity, 8 days ago: RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat
InfoSecurity-magazine, 8 days ago: Published Vulnerabilities Surge by 43%
CISA, 8 days ago: CISA and Partners Release Advisory on RansomHub Ransomware | CISA
CISA, 9 days ago: #StopRansomware: RansomHub Ransomware | CISA
BankInfoSecurity, 9 days ago: Florida Department of Health Informs RansomHub Hack Victims
BankInfoSecurity, 19 days ago: Florida-Based Drug Testing Lab Says 300,000 Affected in Hack
BankInfoSecurity, 19 days ago: The Upside-Down, Topsy-Turvy World of Ransomware
Checkpoint, 20 days ago: 19th August – Threat Intelligence Report - Check Point Research
Securityaffairs, 21 days ago: Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading, 22 days ago: RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary
Securityaffairs, 23 days ago: A group linked to RansomHub operation employs EDR-killing tool EDRKillShifter
Securityaffairs, a month ago: SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6