Ransomhub

Threat Actor updated 22 days ago (2024-11-29T13:53:15.074Z)
RansomHub is a ransomware threat actor that has become a significant player in the ransomware landscape, known for data breaches and extortion. Its affiliates have been observed taking part in campaigns for several ransomware families, moving between established groups such as BlackMatter and newer operations such as RansomHub itself. The group's rapid rise was marked by a month in which it accounted for 19% of ransomware victims, a figure that also reflects the broader shift from encryption toward data extortion.

Notable incidents attributed to the group include the data breach at Christie, which the company disclosed publicly, and the attack on Grupo Aeroportuario del Centro Norte, the operator of 13 airports across Mexico. In the latter case the group published what it claimed to be 3 terabytes of stolen data on its leak site, while the firm stated that it paid no extortion money. Following the implosion of BlackCat, RansomHub offered the same stolen healthcare data for sale, an example of its opportunism. The Change Health data breach of April 2024 showed the same pattern: the group threatened to sell the compromised information to the highest bidder. Despite the crude and clumsy tools the actor uses, as Jakub noted in an ESET Research Podcast episode, it has penetrated its targets effectively, and its continued evolution underscores the need for robust security measures in organizations.
Description last updated: 2024-11-15T16:02:55.945Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes

Qilin (3 votes): Qilin is a possible alias for Ransomhub. Qilin, a threat actor known for its malicious activities in cyberspace, has been on the rise, with its victim count increasing by 44% to reach 140 in Q3. This group is part of the Octo Tempest group, which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to

Cyclops (3 votes): Cyclops is a possible alias for Ransomhub. Cyclops, also known as Knight and later rebranded as RansomHub, is a malware that emerged in the threat landscape in May 2023. This malicious software, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites and can steal personal informatio

Octo Tempest (2 votes): Octo Tempest is a possible alias for Ransomhub. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Windows
Extortion
Encryption
Malware
Healthcare
Exploit
Cybercrime
Encrypt
Esxi
Data Leak
Tool
Vulnerability
Iis
Phishing
Credentials
Scam
Health
Symantec
Unitedhealth
CISA
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes

Lockbit (association type: Unspecified, 7 votes): The Lockbit Malware is associated with Ransomhub. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or

Akira (association type: Unspecified, 3 votes): The Akira Malware is associated with Ransomhub. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
Associated Threat Actors
Alias | Description | Association Type | Votes

Alphv (association type: Unspecified, 10 votes): The Alphv Threat Actor is associated with Ransomhub. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p

Scattered Spider (association type: Unspecified, 4 votes): The Scattered Spider Threat Actor is associated with Ransomhub. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th

Medusa (association type: Unspecified, 3 votes): The Medusa Threat Actor is associated with Ransomhub. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou
Associated Vulnerabilities
Alias | Description | Association Type | Votes

Zerologon (association type: Unspecified, 2 votes): The Zerologon Vulnerability is associated with Ransomhub. Zerologon (CVE-2020-1472) is a critical vulnerability within Microsoft's Netlogon Remote Protocol that emerged in 2020. It involves a privilege escalation condition that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication m

CVE-2020-1472 (association type: Unspecified, 2 votes): The CVE-2020-1472 Vulnerability is associated with Ransomhub. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any
Source Document References
Information about the Ransomhub Threat Actor was read from the documents in the corpus listed below. This display is limited to 20 results.

Source | Created
Flashpoint | 8 hours ago
InfoSecurity-magazine | 8 hours ago
InfoSecurity-magazine | 19 days ago
Checkpoint | 19 days ago
DARKReading | 20 days ago
Securelist | 20 days ago
InfoSecurity-magazine | a month ago
BankInfoSecurity | a month ago
BankInfoSecurity | 2 months ago
Securelist | a month ago
BankInfoSecurity | a month ago
Checkpoint | 2 months ago
BankInfoSecurity | 2 months ago
Krebs on Security | 2 months ago
Checkpoint | 2 months ago
ESET | 2 months ago
DARKReading | 2 months ago
BankInfoSecurity | 2 months ago
InfoSecurity-magazine | 2 months ago
BankInfoSecurity | 2 months ago