Alarm Bells Sounded About RansomHub Ransomware Group
The RansomHub ransomware group emerged in February 2024 and has already conducted at least 210 attacks, including several ransomware attacks on healthcare organizations. The group has been poaching affiliates from other ransomware-as-a-service (RaaS) organizations and has rapidly grown into one of the most active ransomware groups. RansomHub tried to extort Change Healthcare after the February ransomware attack carried out by a different group, ALPHV/Blackcat, having obtained a copy of the data stolen in that attack, and was behind a recent attack on the Florida Department of Health, publishing the stolen data when the ransom was not paid.
In light of the growing number of attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on August 29, 2024, and shared tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with the group’s activities to help network defenders strengthen their security posture, prevent attacks, and detect and mitigate attacks in progress.
RansomHub is a relatively new RaaS group, but only by name. The group is believed to be a rebrand of the ransomware groups Cyclops and Knight and has been increasing attacks in part due to attracting high-profile affiliates from prolific ransomware groups such as LockBit and ALPHV/Blackcat. RansomHub affiliates use a variety of methods to gain initial access to networks, then escalate privileges and move laterally to compromise as many servers and endpoints as possible. Data of interest is identified and exfiltrated to be used as leverage to get victims to pay the ransom, and files are encrypted. If payment is not made, the group uploads the stolen data to its data leak site.
Methods used for initial access include phishing emails, password spraying, and the exploitation of known vulnerabilities. The group has targeted several vulnerabilities after obtaining exploit code from public sources, details of which are included in the cybersecurity alert. If any of those software solutions are used, patching the vulnerabilities should be prioritized or workarounds implemented to prevent exploitation.
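Password spraying, one of the initial-access methods named above, has a recognizable shape in authentication logs: one source tries a small number of passwords against many different accounts, which is the reverse of a brute force against a single account. The following detector is an added example written for this article, not code from the advisory or from CISA; it assumes a simplified `timestamp source_ip user result` log format and illustrative thresholds, and the log lines it runs on are constructed.

```python
"""Added example (not from the advisory or the article): a small password-spraying
detector run over constructed authentication log lines.

Assumptions: a simplified 'ISO-timestamp source_ip username RESULT' log format and
thresholds (window, min_users, max_per_user) chosen for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.5 tries one password
# against many accounts (a spray) and lands on 'grace'; 198.51.100.7 is a user
# mistyping their own password twice, which should not be flagged.
SAMPLE_LOG = """\
2024-08-29T08:00:01 203.0.113.5 alice FAIL
2024-08-29T08:00:03 203.0.113.5 bob FAIL
2024-08-29T08:00:05 203.0.113.5 carol FAIL
2024-08-29T08:00:07 203.0.113.5 dave FAIL
2024-08-29T08:00:09 203.0.113.5 erin FAIL
2024-08-29T08:00:11 203.0.113.5 frank FAIL
2024-08-29T08:00:13 203.0.113.5 grace SUCCESS
2024-08-29T08:01:00 198.51.100.7 heidi FAIL
2024-08-29T08:01:05 198.51.100.7 heidi FAIL
2024-08-29T08:01:10 198.51.100.7 heidi SUCCESS
"""


def parse_line(line: str):
    """Split one log line into (timestamp, source_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_password_spray(log_text: str,
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5,
                          max_per_user: int = 2) -> dict:
    """Return {source_ip: details} for every source whose failed logins inside a
    sliding `window` touch at least `min_users` distinct accounts with no more
    than `max_per_user` failures per account. Successful logins from the same
    source during or shortly after the spray are reported so responders can see
    which accounts need a password reset and session review."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start so all failures fit inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            spray_like = (len(per_user) >= min_users
                          and max(per_user.values()) <= max_per_user)
            # Keep the widest qualifying window seen for this source.
            if spray_like and (best is None or len(per_user) > best["distinct_accounts"]):
                first, last = fails[start][0], fails[end][0]
                successes = sorted({user for ts, user, r in evs
                                    if r == "SUCCESS" and first <= ts <= last + window})
                best = {
                    "distinct_accounts": len(per_user),
                    "failed_attempts": end - start + 1,
                    "successes_after_spray": successes,
                }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, details in detect_password_spray(SAMPLE_LOG).items():
        print(ip, details)
```

The thresholds are the tunable part: a real deployment would set `min_users` and `window` from the environment's normal failure rate, and would correlate the `successes_after_spray` accounts with MFA prompts and new-session events rather than treating a single success as proof of compromise.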
The cybersecurity alert includes recommended baseline protections against ransomware attacks, and CISA and partners also recommend adopting CISA’s Cross-Sector Cybersecurity Performance Goals, a common set of measures that all critical infrastructure entities should strive to implement as they have been proven to reduce the likelihood and impact of ransomware attacks by groups such as RansomHub. The HHS’ Healthcare and Public Health Sector Cybersecurity Performance Goals align with CISA’s Cross-Sector Cybersecurity Performance Goals and have been tailored for healthcare organizations. They can be found on the HHS’ HPH Cybersecurity Gateway.