RansomHub: New Ransomware with Origins in Older Knight

Description

A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its developers ceased operations and revamped it. Despite shared origins, the current operators are unlikely the original Knight creators, but rather experienced actors in the cybercriminal underground who successfully attracted former affiliates of defunct groups like Noberus. Key similarities include code overlap, nearly identical help menus, string obfuscation techniques, and ransom note structure, indicating Knight formed the foundation for RansomHub.