Monday, February 17, 2025

Group-IB has revealed that RansomHub has become the most influential ransomware group in 2024, following the takedown of major ransomware gangs such as ALPHV and LockBit by law enforcement operations. RansomHub operates under the Ransomware-as-a-Service (RaaS) model and selectively recruits affiliates from previously dismantled cybercriminal groups. This approach has enabled the group to rapidly expand its attack reach, targeting over 600 organizations worldwide across key industries such as finance, healthcare, government agencies, and critical infrastructure.
Investigations indicate that RansomHub may have acquired the original source code from the Knight ransomware group and modified it to support multiple platforms, including Windows, ESXi, Linux, and FreeBSD. The group employs advanced attack techniques such as zero-day exploits, brute-force attacks on VPNs, and the use of tools like PCHunter to evade security defenses. The complexity of RansomHub’s operations is evident in its meticulous attack process, which includes infiltrating networks, identifying critical assets, and exfiltrating data using tools like FileZilla before encrypting files.
One case study by Group-IB highlighted that RansomHub could successfully execute an attack in under 14 hours by exploiting vulnerabilities in Palo Alto firewalls (CVE-2024-3400) and older flaws such as CVE-2021-42278 and CVE-2020-1472 to gain system control. After stealing sensitive data, the ransomware disables backup systems and encrypts all files to demand ransom payments. This incident underscores the urgent need for system administrators to prioritize regular updates and strengthen organizational security measures to mitigate cyber threats effectively.
Source: https://hackread.com/ransomhub-king-of-ransomware-600-firms-2024/