Ransomhub

Threat Actor updated 5 months ago (2024-11-29T13:53:15.074Z)
Download STIX
Preview STIX
RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campaigns for different ransomware families, switching between established groups like BlackMatter and newer entities such as themselves. Notably, RansomHub's rapid rise has been marked by it accounting for 19% of ransomware victims in a recent month, indicating a shift towards data extortion over encryption. One of the notable incidents involving RansomHub was the data breach at Christie, which was publicly disclosed by the company. Additionally, Grupo Aeroportuario del Centro Norte, the operator of 13 airports across Mexico, also fell victim to a RansomHub attack. The criminal group published what it claimed to be 3 terabytes of stolen data on its leak site, but the firm stated that it did not pay any extortion money. In another instance, following the implosion of BlackCat, RansomHub offered the same stolen healthcare data for sale, demonstrating its opportunistic nature. RansomHub has also shown its capacity to target and compromise sensitive data, as demonstrated in the case of the Change Health data breach in April 2024. The group threatened to sell the compromised information to the highest bidder, further highlighting its extortionist tactics. Despite the crude and clumsy tools used by this threat actor, as noted by Jakub in an ESET Research Podcast episode, the group has managed to penetrate its targets effectively. As RansomHub continues to evolve, its activities underscore the importance of robust cybersecurity measures for organizations.
Description last updated: 2024-11-15T16:02:55.945Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Qilin is a possible alias for Ransomhub. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to
4
Cyclops is a possible alias for Ransomhub. Cyclops, also known as Knight and later rebranded as RansomHub, is a malware that emerged in the threat landscape in May 2023. This malicious software, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites and can steal personal informatio
3
Octo Tempest is a possible alias for Ransomhub. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Malware
Windows
Encrypt
Encryption
Extortion
Exploit
Data Leak
Tool
Healthcare
Cybercrime
Vulnerability
Phishing
Credentials
Scam
Iis
Backdoor
Esxi
Symantec
Unitedhealth
Health
Source
Payload
Exploits
CISA
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Ransomhub. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
7
The Akira Malware is associated with Ransomhub. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims gloUnspecified
6
The Socgholish Malware is associated with Ransomhub. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, MicrosofUnspecified
2
The Fakeupdates Malware is associated with Ransomhub. FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, aUnspecified
2
The Clop Malware is associated with Ransomhub. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Ransomhub. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient pUnspecified
11
The Medusa Threat Actor is associated with Ransomhub. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerouUnspecified
5
The Scattered Spider Threat Actor is associated with Ransomhub. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with thUnspecified
4
The BianLian Threat Actor is associated with Ransomhub. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directoryUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2020-1472 Vulnerability is associated with Ransomhub. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without anyUnspecified
2
The Zerologon Vulnerability is associated with Ransomhub. Zerologon (CVE-2020-1472) is a critical vulnerability within Microsoft's Netlogon Remote Protocol that emerged in 2020. It involves a privilege escalation condition that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication mUnspecified
2
Source Document References
Information about the Ransomhub Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
11 days ago
ESET
11 days ago
InfoSecurity-magazine
12 days ago
Flashpoint
13 days ago
Securityaffairs
22 days ago
Checkpoint
a month ago
Securityaffairs
a month ago
Securityaffairs
a month ago
Flashpoint
a month ago
Trend Micro
a month ago
InfoSecurity-magazine
a month ago
Securityaffairs
a month ago
Checkpoint
2 months ago
InfoSecurity-magazine
2 months ago
Checkpoint
2 months ago
DARKReading
2 months ago
Malwarebytes
2 months ago
InfoSecurity-magazine
4 months ago
Flashpoint
4 months ago
InfoSecurity-magazine
4 months ago