Ransomhub

Threat Actor updated 18 hours ago (2024-11-20T18:13:18.482Z)
Download STIX
Preview STIX
RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campaigns for different ransomware families, switching between established groups like BlackMatter and newer entities such as themselves. Notably, RansomHub's rapid rise has been marked by it accounting for 19% of ransomware victims in a recent month, indicating a shift towards data extortion over encryption. One of the notable incidents involving RansomHub was the data breach at Christie, which was publicly disclosed by the company. Additionally, Grupo Aeroportuario del Centro Norte, the operator of 13 airports across Mexico, also fell victim to a RansomHub attack. The criminal group published what it claimed to be 3 terabytes of stolen data on its leak site, but the firm stated that it did not pay any extortion money. In another instance, following the implosion of BlackCat, RansomHub offered the same stolen healthcare data for sale, demonstrating its opportunistic nature. RansomHub has also shown its capacity to target and compromise sensitive data, as demonstrated in the case of the Change Health data breach in April 2024. The group threatened to sell the compromised information to the highest bidder, further highlighting its extortionist tactics. Despite the crude and clumsy tools used by this threat actor, as noted by Jakub in an ESET Research Podcast episode, the group has managed to penetrate its targets effectively. As RansomHub continues to evolve, its activities underscore the importance of robust cybersecurity measures for organizations.
Description last updated: 2024-11-15T16:02:55.945Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Qilin is a possible alias for Ransomhub. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to
3
Cyclops is a possible alias for Ransomhub. Cyclops, also known as Knight and later rebranded as RansomHub, is a malware that emerged in the threat landscape in May 2023. This malicious software, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites and can steal personal informatio
3
Octo Tempest is a possible alias for Ransomhub. Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
RaaS
Extortion
Windows
Malware
Healthcare
Cybercrime
Encryption
Encrypt
Exploit
Esxi
Tool
Vulnerability
Iis
Phishing
Credentials
Scam
Unitedhealth
Health
Symantec
Data Leak
CISA
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Ransomhub. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
6
The Akira Malware is associated with Ransomhub. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims gloUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Ransomhub. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
10
The Scattered Spider Threat Actor is associated with Ransomhub. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-premUnspecified
3
The Medusa Threat Actor is associated with Ransomhub. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerouUnspecified
3
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Zerologon Vulnerability is associated with Ransomhub. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to doUnspecified
2
The CVE-2020-1472 Vulnerability is associated with Ransomhub. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without anyUnspecified
2
Source Document References
Information about the Ransomhub Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
a month ago
Securelist
6 days ago
BankInfoSecurity
14 days ago
Checkpoint
17 days ago
BankInfoSecurity
17 days ago
Krebs on Security
22 days ago
Checkpoint
23 days ago
ESET
23 days ago
DARKReading
23 days ago
BankInfoSecurity
a month ago
InfoSecurity-magazine
a month ago
BankInfoSecurity
a month ago
BankInfoSecurity
a month ago
Checkpoint
a month ago
InfoSecurity-magazine
a month ago
BankInfoSecurity
2 months ago
Securityaffairs
2 months ago
Trend Micro
2 months ago
Checkpoint
2 months ago
Securityaffairs
2 months ago