According to the US government, the RansomHub ransomware group has encrypted and stolen data from at least 210 victims since its launch in February 2024, affecting critical sectors such as healthcare, government, and finance. This ransomware-as-a-service (RaaS) variant, formerly known as Cyclops and Knight, has been gaining popularity and now accounts for a significant share of ransomware activity.
RansomHub, a successor to Cyclops and Knight, has attracted high-profile affiliates, including former members of well-known operations such as LockBit and ALPHV (also known as BlackCat), particularly in the wake of recent law enforcement actions against those groups. Affiliates not only encrypt data but also exfiltrate it, demanding ransom payments through a victim-specific .onion URL. If victims refuse to pay, their data is published on a leak site for up to 90 days.
The group’s attacks typically begin with the exploitation of known vulnerabilities in widely deployed products, including Apache ActiveMQ, Atlassian Confluence, Citrix ADC, and Fortinet appliances. After gaining initial access, RansomHub affiliates use a range of tools and techniques to escalate privileges, move laterally within the network, and evade detection.
Recent statistics show RansomHub’s share of ransomware incidents rising from 2% in Q1 2024 to over 14% in Q3. The group also employs sophisticated techniques such as intermittent encryption, and it exfiltrates data through a variety of channels, including PuTTY and AWS S3 buckets.
This RansomHub activity highlights the evolving nature of ransomware attacks, which now often involve complex multi-layered extortion tactics, including threats of DDoS attacks and targeting third parties connected to the victims. The rise of RaaS models continues to fuel the emergence of new ransomware variants and partnerships among cybercriminal groups.