Related Families: Knight
Verticals Targeted: Healthcare, Financial, Auction House, Technology, Government
Executive Summary
RansomHub, a ransomware as a service (RaaS), is an offshoot of Knight and has quickly become one of the most active ransomware families in 2024.
Key Takeaways
- RansomHub is a ransomware as a service (RaaS) that has quickly become one of the most active ransomware families of 2024.
- RansomHub was observed targeting multiple entities earlier this year, including a healthcare entity and a major auction house.
- Symantec researchers compared RansomHub to Knight ransomware and assess that RansomHub is an updated rebrand of Knight.
- To compromise targets, RansomHub has leveraged the Zerologon vulnerability (CVE-2020-1472).
What is RansomHub?
RansomHub is a ransomware as a service (RaaS) that has quickly become one of the most active ransomware families of 2024. RansomHub was observed targeting multiple entities earlier this year, including a healthcare entity and a major auction house. Symantec has published research on RansomHub, summarized below.
Symantec researchers compared RansomHub to Knight ransomware and assess that RansomHub is an updated rebrand of Knight. However, they stated it is unlikely that Knight’s original creators are the operators behind RansomHub. The Knight operation, originally known as Cyclops, was shut down in early 2024, and Knight’s developers offered the Knight source code for sale on underground forums in February 2024. It is possible that other threat actors bought the Knight source code and updated it to create RansomHub.
Symantec researchers noted that both Knight and RansomHub are written in Go, and most variants of both families use Gobfuscate for obfuscation. The two families share significant code overlap as well. RansomHub and Knight have almost identical command-line help menus, although RansomHub adds a Sleep command. Both families leave similar ransom notes, with some of the wording copied verbatim. Both families use a unique technique that restarts the endpoint in safe mode before encryption begins, and both run commands via cmd.exe.
To compromise targets, RansomHub has leveraged the Zerologon vulnerability (CVE-2020-1472). The threat actors behind RansomHub use a variety of dual-use tools, including Atera, Splashtop, and NetScan, prior to deploying the ransomware.
While RansomHub has only been active since February, it has already gained quite a reputation for compromising high-profile targets. The operators have also reportedly recruited several former ALPHV affiliates, including an individual known as Notchy. Earlier this year, RansomHub claimed responsibility for an attack on Change Healthcare, and in late May the group claimed responsibility for an attack on Christie’s auction house. It has also targeted lesser-known entities in the financial, technology, government, and other verticals. So far, the majority of RansomHub’s targets have been in the US, with others located in Brazil, Italy, Spain, the UK, and other countries worldwide.
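A defender-side detection for the safe-mode restart behaviour described above, as an added example that is not part of the PolySwarm report or of either ransomware family's code. It assumes the safe-mode flag is set through bcdedit (a common mechanism on Windows, not stated in the report) and runs over constructed process-creation records in a simplified Sysmon/4688 shape; a safeboot change followed by a forced reboot on the same host within a short window is rated higher than a safeboot change alone.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (not from the report). The fields are a
# simplified version of what Sysmon Event ID 1 or Security Event 4688 provide.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:14:05", "host": "WS01",
     "cmdline": r"cmd.exe /c bcdedit /set {default} safeboot network"},
    {"ts": "2024-06-01T02:14:07", "host": "WS01",
     "cmdline": r"cmd.exe /c shutdown /r /f /t 0"},
    {"ts": "2024-06-01T09:30:00", "host": "WS02",
     "cmdline": r"bcdedit /enum"},                      # benign admin use, no safeboot
    {"ts": "2024-06-01T11:00:00", "host": "WS03",
     "cmdline": r"bcdedit /deletevalue {default} safeboot"},  # cleanup of the flag
]

# Assumption: bcdedit is used to set or remove the safeboot value.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*(?:/r|-r)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=5)


def detect_safe_mode_restart(events, window=WINDOW):
    """Return a list of (host, severity, reason) findings.

    medium: a bcdedit command that touches the safeboot setting
    high:   such a command followed by a reboot on the same host within `window`
    """
    findings = []
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not SAFEBOOT_RE.search(e["cmdline"]):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            severity, reason = "medium", "safeboot setting modified via bcdedit"
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later is in the window
                if REBOOT_RE.search(later["cmdline"]):
                    severity, reason = "high", "safeboot set then forced reboot within window"
                    break
            findings.append((host, severity, reason))
    return findings


if __name__ == "__main__":
    for finding in detect_safe_mode_restart(SAMPLE_EVENTS):
        print(finding)
```

Removing the safeboot value is flagged as well, since the flag must be cleared again after encryption for the host to boot normally.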
IOCs
PolySwarm has multiple samples of RansomHub.
02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292
7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a
You can use the following CLI command to search for all RansomHub samples in our portal:
$ polyswarm link list -f RansomHub
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.