StopRansomware: RansomHub Ransomware
Aug. 30, 2024, 6:08 p.m.
Description
RansomHub is a ransomware-as-a-service (RaaS) variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note gives victims a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploitation of vulnerabilities, and password spraying. They use tools such as Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools such as PuTTY and AWS S3 buckets. The ransomware uses Curve25519 encryption and implements intermittent encryption. It targets user files and network shares, leaves a ransom note, and deletes volume shadow copies.
Date
- Created: Aug. 30, 2024, 5:44 p.m.
- Published: Aug. 30, 2024, 5:44 p.m.
- Modified: Aug. 30, 2024, 6:08 p.m.
Indicators
Attack Patterns
- Metasploit
- RansomHub
- Mimikatz
- Cobalt Strike - S0154
- T1110.003 - Brute Force: Password Spraying
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1537 - Transfer Data to Cloud Account
- T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
- T1588.005 - Obtain Capabilities: Exploits
- T1490 - Inhibit System Recovery
- T1018 - Remote System Discovery
- T1136 - Create Account
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1486 - Data Encrypted for Impact
- T1070 - Indicator Removal
- T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- T1047 - Windows Management Instrumentation
- T1210 - Exploitation of Remote Services
- T1046 - Network Service Discovery
- T1219 - Remote Access Software
- T1036 - Masquerading
- T1098 - Account Manipulation
- T1566 - Phishing
- T1190 - Exploit Public-Facing Application
- T1068 - Exploitation for Privilege Escalation
- T1003 - OS Credential Dumping
Additional Information
- Critical Manufacturing
- Commercial Facilities
- Food and Agriculture
- Emergency Services
- Water and Wastewater
- Communications
- Information Technology
- Financial Services
- Healthcare
- Transportation
- Government