StopRansomware: RansomHub Ransomware

Aug. 30, 2024, 6:08 p.m.

Description

RansomHub is a ransomware-as-a-service (RaaS) variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploitation of vulnerabilities, and password spraying. They use tools such as Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools such as PuTTY and AWS S3 buckets. The ransomware uses Curve25519 encryption and implements intermittent encryption. It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.

Date

Published: Aug. 30, 2024, 5:44 p.m.
Created: Aug. 30, 2024, 5:44 p.m.
Modified: Aug. 30, 2024, 6:08 p.m.

Indicators

brahma2023@onionmail.org

Attack Patterns

Metasploit

RansomHub

Mimikatz

Cobalt Strike - S0154

RansomHub

T1110.003

T1021.001

T1537

T1048.003

T1588.005

T1490

T1018

T1136

T1059.001

T1562.001

T1486

T1070

T1048.002

T1047

T1210

T1046

T1219

T1036

T1098

T1566

T1190

T1068

T1003

CVE-2020-0787

CVE-2017-0144

CVE-2023-3519

CVE-2023-27997

CVE-2023-48788

CVE-2023-46604

CVE-2023-46747

CVE-2023-22515

CVE-2020-1472

Additional Information

Critical Manufacturing

Commercial Facilities

Food and Agriculture

Emergency Services

Water and Wastewater

Communications

Information Technology

Financial Services

Healthcare

Transportation

Government