Tag: ransomhub

10 Attack Reports | 0 Vulnerabilities

Attack reports

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…
backdoor
ransomware
javascript
socgholish
credential theft
ransomhub
compromised websites
2025-03-14
keitaro tds
Published: March 14, 2025
Downloadable IOCs: 0

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…
apt
phishing
ransomware
cybercrime
ransomhub
edrkillshifter
rustbucket
goldpickaxe
financial sector
2025-02-20
catb
initial access brokers
jsoutprox
tradertraitor
golddigger
state-sponsored threats
goldkefu
tycoon 2fa
banking trojans
sneaky 2fa
golddiggerplus
Published: February 20, 2025
Downloadable IOCs: 0

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

RansomHub Affiliate leverages Python-based backdoor

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of comp…
obfuscation
ransomware
socgholish
lateral movement
ransomhub
python backdoor
c2 infrastructure
socks5
2025-01-16
reverse proxy
Published: January 16, 2025
Downloadable IOCs: 6

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …
espionage
ransomware
lockbit
hacktivism
ransomhub
qilin
data breach
2024-10-10
rhysida
critical infrastructure
united states
Published: October 10, 2024
Downloadable IOCs: 0

How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon, using EDRKillShifter to disable endpoint protection, and employing various evasion s…
ransomhub
edrkillshifter
2024-09-24
Published: September 24, 2024
Downloadable IOCs: 9

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…
ransomware
credential harvesting
edr
ransomhub
byovd
2024-09-11
lazagne
tdsskiller
network segmentation
Published: September 11, 2024
Downloadable IOCs: 2

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Ransomware attackers introduce new EDR killer to their arsenal

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on t…
ransomware
ransomhub
privilege escalation
2024-08-16
edr evasion
driver exploitation
edrkillshifter
Published: August 16, 2024
Downloadable IOCs: 2

RansomHub: New Ransomware with Origins in Older Knight

A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
CVE-2020-1472
2024-06-06
zerologon
ransomware-as-a-service
knight
cyclops blink
snatch
rebranded
affiliates
ransomhub
Published: June 6, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 14
Click here to see more Attack Reports