StopRansomware: RansomHub Ransomware
Aug. 30, 2024, 6:08 p.m.
Description
RansomHub is a ransomware-as-a-service (RaaS) variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model: affiliates encrypt systems and exfiltrate data. The ransom note gives victims a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploitation of vulnerabilities, and password spraying. They use tools such as Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration methods vary by affiliate but may involve tools such as PuTTY and AWS S3 buckets. The ransomware uses Curve25519 for encryption and implements intermittent encryption. It targets user files and networked shares, leaves a ransom note, and deletes volume shadow copies.
Date
Published: Aug. 30, 2024, 5:44 p.m.
Created: Aug. 30, 2024, 5:44 p.m.
Modified: Aug. 30, 2024, 6:08 p.m.
Indicators
Attack Patterns
Metasploit
RansomHub
Mimikatz
Cobalt Strike - S0154
T1110.003
T1021.001
T1537
T1048.003
T1588.005
T1490
T1018
T1136
T1059.001
T1562.001
T1486
T1070
T1048.002
T1047
T1210
T1046
T1219
T1036
T1098
T1566
T1190
T1068
T1003
CVE-2020-0787
CVE-2017-0144
CVE-2023-3519
CVE-2023-27997
CVE-2023-48788
CVE-2023-46604
CVE-2023-46747
CVE-2023-22515
CVE-2020-1472
Additional Information
Critical Manufacturing
Commercial Facilities
Food and Agriculture
Emergency Services
Water and Wastewater
Communications
Information Technology
Financial Services
Healthcare
Transportation
Government