RansomHub is a leader in the extortion industry.

Posted by Megiddo (President, Staff member)
In 2024, a new player quickly emerged on the cybercrime scene — the RansomHub group, which has already attacked more than 600 organizations around the world. According to Group-IB research, the RansomHub group filled the ransomware niche after the recent breaches of ALPHV and LockBit.

Experts note that RansomHub operates in the ransomware-as-a-service (RaaS) format, actively attracting partners on underground forums such as ****. The main strategy was to lure hackers who previously worked for other groups, which allowed RansomHub to quickly increase the scale of attacks.

Analysis of the malware code showed that the group likely purchased its software from Knight (Cyclops), another well-known cybercriminal organization. The use of ready-made solutions accelerated the deployment of attacks, and the program's multi-platform nature allows it to encrypt systems on Windows, ESXi, Linux, and FreeBSD, expanding the list of potential victims.

RansomHub is highly organized. The group uses both proven hacking techniques — attacks on VPN services and password guessing — and complex methods, including exploitation of zero-day vulnerabilities. The attackers' arsenal includes tools like PCHunter, which allow them to bypass security tools.

The attack tactics include a thorough study of the victim's network and the capture of the most valuable data. Operators penetrate the infrastructure, gain control over critical nodes — file storage, backups, servers — and transfer confidential information to remote servers. To transfer the data, the criminals use FileZilla, and then launch the encryption process on the compromised hosts.

After completing the attack, RansomHub blackmails the victim, demanding a ransom both for decrypting the data and for not publishing it. The ransomware can stop virtual machines, destroy volume shadow copies, and clear event logs, making it harder to investigate the incident.
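The three post-compromise behaviours just listed (forced VM shutdown, shadow copy deletion, event log clearing) are visible in process-creation telemetry well before encryption finishes, so they are worth alerting on. The following is an added detection example, not code from the original post or from any RansomHub sample: it matches constructed process-creation log lines against per-technique rules and escalates a host where two or more distinct rules fire inside a short window. The log layout (`timestamp|host|user|image|command_line`) and the sample events are assumptions made for the example.

```python
"""Detect ransomware staging behaviour in process-creation logs.

Added example (not from the original post). Log format and sample
events are constructed for illustration; real telemetry (Sysmon,
EDR, ESXi shell audit) would need its own parser.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp|host|user|image|command_line" layout.
SAMPLE_LOG = """\
2024-06-01T02:11:05Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-06-01T02:11:09Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-06-01T02:12:30Z|ESX-MGMT|root|/bin/esxcli|esxcli vm process kill --type=force --world-id=12345
2024-06-01T02:13:02Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security
2024-06-01T02:13:03Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl System
2024-06-01T08:00:00Z|WS17|CORP\\alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2024-06-01T08:05:00Z|WS17|CORP\\alice|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|filezilla.exe
"""

# (rule name, MITRE ATT&CK technique id, pattern over the command line).
# "list shadows" deliberately does not match: only destructive forms are flagged.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("vm_forced_stop", "T1489",
     re.compile(r"esxcli\s+vm\s+process\s+kill", re.I)),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Hit:
    rule: str
    technique: str
    event: Event


def parse_events(text):
    """Parse the assumed pipe-delimited layout into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, user, image, cmdline))
    return events


def match_rules(events):
    """Return one Hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.append(Hit(name, technique, ev))
    return hits


def correlate(hits, window=timedelta(minutes=10), min_rules=2):
    """Escalate hosts where >= min_rules distinct rules fire within `window`.

    A single vssadmin call may be an admin; shadow deletion followed by
    log clearing on the same host minutes apart is ransomware staging.
    Returns {host: sorted list of rule names that fired in the window}.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h.event.host, []).append(h)
    escalated = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h.event.ts)
        for i, first in enumerate(host_hits):
            in_window = {h.rule for h in host_hits[i:]
                         if h.event.ts - first.event.ts <= window}
            if len(in_window) >= min_rules:
                escalated[host] = sorted(in_window)
                break
    return escalated


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_LOG))
    for h in found:
        print(f"{h.event.ts.isoformat()} {h.event.host:9} {h.technique:9} {h.rule}: {h.event.cmdline}")
    for host, rules in correlate(found).items():
        print(f"ESCALATE {host}: {', '.join(rules)}")
```

In the sample, the lone `esxcli vm process kill` on the ESXi management host stays a medium-severity hit, while FS01 is escalated because shadow copy deletion and event log clearing occur within two minutes of each other. Backup and file servers are exactly the "critical nodes" the post says operators seize first, so a per-host rule count works better there than a global threshold.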

One of the most destructive attacks by RansomHub was an operation carried out in just 14 hours. The criminals used a vulnerability in the Palo Alto firewall (CVE-2024-3400) for initial access, then brute-forced the credentials from the VPN client. The attackers then exploited old flaws in Windows (CVE-2021-42278 and CVE-2020-1472), gaining full control over the network.

Experts emphasize that such effective activity by RansomHub became possible because of delayed patching of operating systems. If a company falls victim to an attack through a vulnerability that was closed several years ago, its own negligent attitude to cybersecurity is solely to blame; in that case it is foolish to shift responsibility to software suppliers.

RansomHub's growing activity is evidence of the continuing evolution of cyber threats. Organizations must strengthen their defenses, regularly update their software, and minimize their attack surface to avoid becoming victims of RansomHub and other ransomware groups.