RansomHub

Threat Actor updated 8 hours ago (2024-10-08T17:00:54.662Z)
RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in February 2024, shortly after the law-enforcement disruption of LockBit. Many former LockBit affiliates either went independent, using readily available ransomware such as Phobos, or aligned themselves with other rising groups including Akira, BlackSuit, RansomHub, and Medusa. RansomHub in particular has been noted for the sophistication of its tradecraft: affiliates brought the playbooks and toolkits of their previous operations with them.

The group has been linked to several significant attacks, most notably against Christie's and Patelco Credit Union. Christie's disclosed a data breach after falling victim to a RansomHub attack, while Patelco's breach became public when RansomHub added the credit union to its Tor leak site in August 2024. Both incidents illustrate the group's aggressive approach and the disruption and financial exposure it causes for victims.

Technically, RansomHub's intrusion chain increasingly relies on tooling built to defeat endpoint defenses, notably EDRKillShifter, a loader that abuses a legitimately signed but vulnerable driver to disable endpoint detection and response (EDR) products before the payload runs. Once executed, the RansomHub binary deletes all existing Volume Shadow Copy Service (VSS) snapshots on the host without prompting for confirmation, removing the most common local recovery path. It then encrypts files, appending an extension that is tied to the file name of the ransom note it drops.
Description last updated: 2024-10-08T16:16:10.692Z
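A practitioner reading the paragraph on VSS snapshot deletion wants a concrete check for that step. The following Python is an added example, not RansomHub's code and not any vendor's detection content: it runs a small regex rule set over process-creation events and flags hosts on which several distinct recovery-inhibition commands appear. The event fields, hosts, users, paths and command lines are constructed, modelled loosely on Sysmon Event ID 1 / Windows Security 4688 records, and the rule names are this example's own. It generalises beyond vssadmin to the other common ways of purging shadow copies or disabling Windows recovery, which the page does not enumerate.

```python
"""Flag shadow-copy deletion and recovery-inhibition commands in process telemetry.

Added example; not RansomHub code or a vendor rule. Event layout and samples are
constructed (Sysmon EID 1 / Security 4688 style), rule names are hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Each rule maps to the behaviour the page describes: removing the host's
# local recovery path before encryption (MITRE ATT&CK T1490).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",  # shrinking storage silently purges snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},                      # benign: listing only
    {"host": "fs01", "user": "CORP\\jdoe", "parent": "C:\\Users\\jdoe\\Downloads\\update.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},        # the prompt-free deletion
    {"host": "fs01", "user": "CORP\\jdoe", "parent": "C:\\Users\\jdoe\\Downloads\\update.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "fs02", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "fs02", "user": "SYSTEM", "parent": "C:\\Windows\\System32\\services.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},  # benign backup job
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    rule: str
    quiet: bool   # True when a prompt-suppressing switch (/quiet) was used
    cmdline: str


def match_event(event: dict) -> list[Finding]:
    """Return one Finding per rule whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    quiet = "/quiet" in cmd.lower()
    return [
        Finding(event["host"], event["user"], event["parent"], name, quiet, cmd)
        for name, pattern in RULES if pattern.search(cmd)
    ]


def scan(events) -> list[Finding]:
    """Apply every rule to every event, preserving event order."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(match_event(ev))
    return findings


def hosts_at_risk(findings, min_rules: int = 2) -> list[str]:
    """Hosts on which at least `min_rules` distinct recovery-inhibition rules fired.

    One match may be legitimate administration; several distinct techniques in
    quick succession, launched from a user-writable path, looks like staging
    immediately before encryption.
    """
    by_host: dict[str, set] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host} {f.user} rule={f.rule} quiet={f.quiet} parent={f.parent}")
    print("hosts at risk:", hosts_at_risk(hits))
```

Command-line telemetry only covers the case where the payload spawns vssadmin.exe, wmic.exe or similar; a binary can also delete snapshots in-process through the VSS COM or WMI interfaces, so pair this with VSS service events and with EDR tamper-protection alerts, which is exactly the sensor EDRKillShifter is built to silence.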
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names or profiles you may also want to look at.
Qilin (2 votes): Qilin is a possible alias for RansomHub. Qilin is a prominent threat actor known for its malicious cyber activities, including the deployment of ransomware. In recent events, it has been observed that Qilin has partnered with the Octo Tempest group, adding RansomHub and Qilin ransomware to its arsenal. This strategic partnership presents a
Octo Tempest (2 votes): Octo Tempest is a possible alias for RansomHub. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Malware
Extortion
Windows
Exploit
Encrypt
Cybercrime
Tool
Vulnerability
IIS
ESXi
Phishing
Credentials
Scam
Healthcare
Encryption
UnitedHealth
Data Leak
CISA
Associated Malware
LockBit (malware; association type unspecified; 6 votes): The LockBit malware is associated with RansomHub. LockBit is a notorious malware that has been involved in several high-profile ransomware incidents, including attacks on Boeing, London Drugs, Ontario hospitals, and Accenture. The malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user
Associated Threat Actors
ALPHV (threat actor; association type unspecified; 9 votes): The ALPHV threat actor is associated with RansomHub. ALPHV, also known as BlackCat, is a notable threat actor that has been operational since November 2021. This group has pioneered the public leaks business model in the realm of ransomware attacks and has been associated with significant cybercrimes. It is particularly infamous for its attack on Morr
Scattered Spider (threat actor; association type unspecified; 3 votes): The Scattered Spider threat actor is associated with RansomHub. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It
Medusa (threat actor; association type unspecified; 3 votes): The Medusa threat actor is associated with RansomHub. Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside othe
Associated Vulnerabilities
CVE-2020-1472 (vulnerability; association type unspecified; 2 votes): CVE-2020-1472 is associated with RansomHub. CVE-2020-1472, also known as the Zerologon vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. The vulnerability allows attackers to gain administrative access to a Windows domain controller without any authentication, effectively giving them control over a network. T
Zerologon (vulnerability; association type unspecified; 2 votes): The Zerologon vulnerability is associated with RansomHub. Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability within Microsoft's Netlogon Remote Protocol. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, th
Source Document References
Information about the RansomHub threat actor was read from the documents below (display limited to 20 results).
Source (created):
InfoSecurity-magazine (9 hours ago)
BankInfoSecurity (7 days ago)
Securityaffairs (8 days ago)
Trend Micro (18 days ago)
Checkpoint (22 days ago)
Securityaffairs (24 days ago)
ESET (25 days ago)
DARKReading (a month ago)
BankInfoSecurity (a month ago)
DARKReading (a month ago)
BankInfoSecurity (a month ago)
ESET (a month ago)
Recorded Future (a month ago)
Securityaffairs (a month ago)
Checkpoint (a month ago)
BankInfoSecurity (a month ago)
Malwarebytes (a month ago)
BankInfoSecurity (a month ago)
InfoSecurity-magazine (a month ago)
Securityaffairs (a month ago)