The PolySwarm Blog

RansomHub

Jun 14, 2024 2:22:45 PM / by The Hivemind

Related Families: Knight
Verticals Targeted: Healthcare, Financial, Auction House, Technology, Government

Executive Summary

RansomHub, a ransomware as a service (RaaS), is an offshoot of Knight and has quickly become one of the most active ransomware families in 2024.

Key Takeaways

  • RansomHub is a ransomware as a service (RaaS) that has quickly become one of the most active ransomware families of 2024.
  • RansomHub was observed targeting multiple entities earlier this year, including a healthcare entity and a major auction house. 
  • Symantec researchers compared RansomHub to Knight ransomware and assess that RansomHub is an updated rebrand of Knight. 
  • To compromise targets, RansomHub has leveraged the Zerologon vulnerability (CVE-2020-1472).

What is RansomHub?

RansomHub is a ransomware as a service (RaaS) that has quickly become one of the most active ransomware families of 2024. RansomHub was observed targeting multiple entities earlier this year, including a healthcare entity and a major auction house. Symantec reported on RansomHub.

Symantec researchers compared RansomHub to Knight ransomware and assess that RansomHub is an updated rebrand of Knight. However, they stated it is unlikely that Knight’s original creators are the operators behind RansomHub. The Knight operation, originally known as Cyclops, was shut down in early 2024, and Knight’s developers offered the Knight source code for sale on underground forums in February 2024. It is possible that other threat actors bought the Knight source code and updated it to create RansomHub.

Symantec researchers noted both Knight and RansomHub are written in Go, and most variants of both families use Gobfuscate for obfuscation. The two families share significant code overlap as well. RansomHub and Knight have almost identical help menus on the command line, although RansomHub has the added Sleep command. Both families leave similar ransom notes, with some of the wording being copied verbatim. Both ransomware families use a unique technique that allows them to restart an endpoint in safe mode before beginning encryption. Additionally, both families run commands using cmd.exe.

To compromise targets, RansomHub has leveraged the Zerologon vulnerability (CVE-2020-1472). The threat actors behind RansomHub use a variety of dual-use tools, including Atera, Splashtop, and NetScan, prior to deploying the ransomware.

While RansomHub has only been active since February, it has already gained quite the reputation for its compromise of high-profile targets. The operators have also reportedly recruited several former ALPHV affiliates, including an individual known as Notchy. Earlier this year, RansomHub claimed responsibility for an attack on Change Healthcare. In late May, the group claimed responsibility for an attack on Christie’s auction house. They have also targeted lesser-known entities in the financial, technology, government, and various other verticals. So far, the majority of RansomHub’s targets have been in the US, with several others located in Brazil, Italy, Spain, the UK, and other countries worldwide.

IOCs

PolySwarm has multiple samples of RansomHub.

02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292

7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a

You can use the following CLI command to search for all RansomHub samples in our portal:

$ polyswarm link list -f RansomHub

Topics: Threat Bulletin, Ransomware, RansomHub, Knight