Cybercrime is evolving at a breakneck pace, constantly testing the resilience of security infrastructures. Among the latest emerging threats is the RansomHub group, which has rapidly gained notoriety for its coordinated and sophisticated attacks. Born after the collapse of other notable groups such as Alphv/BlackCat and LockBit, this entity represents a new generation of ransomware operating on the “Ransomware as a Service” (RaaS) model. Thanks to its particularly sophisticated techniques and strategies, RansomHub has rapidly established itself in the ransomware ecosystem.
History and rise to prominence
The group made its first significant appearance in early 2024. As cybersecurity firm Forescout noted in its analysis last May, RansomHub announced its affiliate program on February 2, 2024. Posted on the dark-web forum RAMP (Russian Anonymous Market Place) by a certain “Koley”, the announcement read as follows:

“Welcome to our RANSOMHUB affiliate program.
We’ve taken all the pros and cons of previous affiliate programs and created the next generation of ransomware.
We noticed that the police had seized the accounts of some affiliates or prevented them from continuing their fraudulent activities, causing you to lose your funds. We’ve adopted a new strategy. You can post your wallet in the chat room and send the decryptor after confirming payment. You don’t have to worry about the security of your funds.
Our fixed commission is 10% and you pay us when you receive the money.”
With this message, RansomHub seeks partners by offering them a fixed revenue-sharing model. When a ransom is paid, RansomHub keeps a fixed 10% commission and the remaining 90% goes to the affiliate. RansomHub has also developed its own panel for its data leak site, enabling affiliates to manage negotiations with their victims, with the group setting its own conditions and rules for each affiliate. This lucrative rate, higher than the most common offers, is likely to attract seasoned affiliates from other ransomware groups, thus increasing the number of RansomHub-related attacks and victims.
Written in Golang and C, and supporting Windows, Linux and ESXi among other platforms, RansomHub ranks among modern ransomware families. One of its distinguishing features is its payment model, which differs from that of ALPHV and has probably won it the favor of many affiliates disappointed with other programs. Researchers have also found code similarities with the Knight ransomware (formerly known as Cyclops), whose source code was sold on the dark web in February 2024.
RansomHub, a worthy heir to Alphv/BlackCat and LockBit?
This rapid expansion was facilitated by the void left by the fall of Alphv/BlackCat and the blow dealt to LockBit by the international Operation Cronos in February 2024. These blows to two prominent ransomware groups undoubtedly enabled RansomHub’s meteoric rise.
Another striking element in RansomHub’s rise is the collapse of the Alphv/BlackCat group, presented by some sources as a strategic opportunity to attract former affiliates. In March, Alphv had announced its sudden dissolution following a law enforcement intervention, a claim cast into doubt by several security researchers who saw it more as an “exit scam”. In reality, it soon became apparent that the dissolution was nothing more than a subterfuge. Indeed, the alleged seizures of servers by the FBI were denied by the agencies concerned, suggesting an exit scam orchestrated by Alphv/BlackCat operators. The gang is said to have disappeared with affiliate payments, including $22 million paid out after the attack on Change Healthcare.

RansomHub, with its model of paying affiliates directly, took advantage of this climate of mistrust to attract these disillusioned players. These circumstances favored RansomHub’s recruitment of experienced operators now freed from their previous commitments. These transfers of affiliates enabled RansomHub not only to expand its reach, but also to refine its methods by drawing on the previous successes (and failures) of its predecessors.
An effective operating model: RaaS
RansomHub stands out for its adoption of the RaaS (Ransomware-as-a-Service) model, enabling affiliates to use its infrastructure to carry out attacks against a variety of targets. This model offers greater flexibility and efficiency, since each affiliate can customize its attack methods, which makes the task of defenders considerably more complex.
Part of RansomHub’s meteoric success has been the rapid integration of affiliates from other disbanded groups such as Alphv/BlackCat and LockBit. These affiliates bring not only technical skills but also valuable field experience. On the other hand, this massive transfer poses a double challenge: diversifying targets while maintaining their proven security practices.
A strategic focus: targeting diversified sectors
A particular feature of RansomHub is the diversity of the sectors targeted. Their victims include IT companies, financial institutions, healthcare providers, utilities and manufacturing industries. This diversification makes it difficult to attempt any single categorization, and requires responses tailored to specific contexts.
RansomHub has distinguished itself by its ability to attack critical sectors such as water, emergency services, transportation and finance, with victims ranging from credit unions like Patelco to multinational corporations like oil giant Halliburton, auction house Christie’s and most recently Kawasaki Europe.

This pattern of diversification, coupled with a marked presence in Europe (34% of attacks) and growing expansion in North America, reflects a strategic move to maximize ransomware opportunities while spreading risk. This globalized, multi-sector approach has enabled RansomHub to rapidly establish itself as a key player in the ransomware landscape. With over 250 attacks to its credit, CERT Synetis estimates that RansomHub, given its efficiency and rapid growth, could become a major player in the world of ransomware by 2024.
Attack techniques: effective exploitation of vulnerabilities
RansomHub is particularly inventive when it comes to technical aspects, combining classic social engineering methods such as phishing with more sophisticated techniques. In its latest study, Trend Micro cybersecurity researchers said, “RansomHub typically gains initial access by targeting Internet-facing systems and user endpoints through methods such as phishing emails, exploitation of known vulnerabilities and password-spraying attacks.”
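The initial-access methods quoted above include password spraying, which leaves a characteristic trace in authentication logs: one source failing against many different accounts in a short window, with few attempts per account. The detector below is an added example, not code from the article or from any vendor it cites; it runs over constructed JSON log lines whose field names (ts, event, src, user) are an assumption modelled loosely on Windows failed-logon event 4625.

```python
"""Password-spray detection over failed-logon records (added example).

A spray tries a few passwords against many accounts from one source, so the
indicator is the number of *distinct* accounts failing per source inside a
short window, not the raw failure count. Field names (ts, event, src, user)
are an assumption modelled loosely on Windows event 4625; the log below is
constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts in under a minute,
# 10.0.0.5 is one user mistyping their own password, and 4624 is a normal success.
SAMPLE_LOG = """\
{"ts": "2024-09-20T08:00:01", "event": 4625, "src": "203.0.113.7", "user": "alice"}
{"ts": "2024-09-20T08:00:04", "event": 4625, "src": "203.0.113.7", "user": "bob"}
{"ts": "2024-09-20T08:00:09", "event": 4625, "src": "203.0.113.7", "user": "carol"}
{"ts": "2024-09-20T08:00:15", "event": 4625, "src": "10.0.0.5", "user": "dave"}
{"ts": "2024-09-20T08:00:17", "event": 4625, "src": "203.0.113.7", "user": "Dave"}
{"ts": "2024-09-20T08:00:22", "event": 4625, "src": "203.0.113.7", "user": "erin"}
{"ts": "2024-09-20T08:00:30", "event": 4625, "src": "203.0.113.7", "user": "frank"}
{"ts": "2024-09-20T08:00:40", "event": 4625, "src": "10.0.0.5", "user": "dave"}
{"ts": "2024-09-20T08:00:55", "event": 4625, "src": "10.0.0.5", "user": "dave"}
{"ts": "2024-09-20T08:01:10", "event": 4624, "src": "10.0.0.5", "user": "dave"}
"""


def parse_failures(lines):
    """Group failed-logon events by source: src -> sorted list of (time, user)."""
    failures = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["event"] != 4625:
            continue
        failures[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["user"].lower()))
    for events in failures.values():
        events.sort()
    return failures


def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per source whose failures hit at least `min_accounts`
    distinct users inside some sliding window of length `window`."""
    alerts = []
    for src, events in parse_failures(lines).items():
        start, best = 0, None
        for end, (t_end, _) in enumerate(events):
            # Slide the window start forward so it only covers events within `window` of t_end.
            while events[start][0] < t_end - window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_accounts and (best is None or len(distinct) > best["distinct_accounts"]):
                best = {
                    "src": src,
                    "distinct_accounts": len(distinct),
                    "attempts": end - start + 1,
                    "first": events[start][0].isoformat(),
                    "last": t_end.isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single-user source with three failures is deliberately not flagged: that is the lockout-policy case, not spraying. In production the threshold and window should be tuned per identity provider, and the source key should be the client IP as seen by the authenticating system (VPN, web SSO), since spraying against Internet-facing services is where the article places RansomHub's initial access.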
The attack by a group like RansomHub is based on a methodical strategy, represented here by their Cyber Kill Chain. Each phase of the attack is designed to bypass defenses and secure maximum control over compromised systems.

RansomHub also exploits critical vulnerabilities in widely used software and services, such as Citrix ADC (CVE-2023-3519) and Fortinet FortiOS (CVE-2023-27997). These vulnerabilities provide initial access to targeted systems before tools such as Mimikatz are used to escalate privileges. The use of proof-of-concept exploits makes their attacks even more difficult to prevent and detect.
Their use of pre-existing tools, often diverted from their original purpose, illustrates this. A striking example is the use of TDSSKiller, a legitimate tool developed by Kaspersky to detect and remove complex rootkits and bootkits. RansomHub, however, turns it into a tool for disabling Endpoint Detection and Response (EDR) services.
It is precisely this clever manipulation of legitimate solutions that makes detection so difficult. The strategy is to execute TDSSKiller via command-line scripts or batch files, thus masking their true intentions, before launching the LaZagne tool to harvest credentials from various application databases. This process then enables RansomHub to move laterally within compromised networks.

Exploiting TDSSKiller
Kaspersky designed TDSSKiller to scan systems for types of malware that are difficult to detect. However, by bypassing the defenses provided by EDR agents, the RansomHub-modified version performs harmful actions without arousing suspicion. This process includes advanced features such as the deletion of logs created during the extraction of sensitive data, hampering the monitoring and response efforts of cybersecurity teams.
As for the LaZagne malware, although easily identifiable under normal circumstances, it gains in stealth when preceded by a successful attack on protection mechanisms via TDSSKiller. LaZagne enables attackers to retrieve login information from various applications, including browsers, e-mail clients and databases, reinforcing their ability to move laterally within the network. In this way, the attackers gain a head start by neutralizing protective barriers before proceeding with data theft.
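The sequence described in this section (TDSSKiller launched from a script or batch file, then LaZagne on the same machine) is something a detection engineer can correlate directly from process-creation telemetry. The following is an added example and not code from the article or from Kaspersky, Trend Micro or any other vendor it cites. It runs over constructed Sysmon-style process-creation records; the field names (ts, host, image, parent_image, original_file_name) are assumptions modelled on Sysmon Event ID 1, and the assumption that the LaZagne binary carries "lazagne.exe" as its original file name is labelled in the code.

```python
"""Correlating scripted TDSSKiller execution with follow-on LaZagne use (added example).

Over constructed Sysmon-style process-creation records this flags TDSSKiller
when a script interpreter launches it, then raises the severity if LaZagne runs
on the same host within a short window: the sequence the article describes.
Matching uses the PE's OriginalFileName (an assumption on the field name, taken
from Sysmon Event ID 1) so that a renamed copy on disk is still recognised.
"""
import json
from datetime import datetime, timedelta

SCRIPT_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TDSSKILLER = "tdsskiller.exe"
LAZAGNE = "lazagne.exe"  # assumption: the harvester's version resource carries this name

# Constructed sample. WS01 shows the full chain (renamed TDSSKiller from a batch
# file, then LaZagne); WS02 is an interactive TDSSKiller run; WS03 is LaZagne alone.
SAMPLE_LOG = r"""
{"ts": "2024-09-20T09:00:00", "host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe", "original_file_name": "Cmd.Exe"}
{"ts": "2024-09-20T09:00:05", "host": "WS01", "image": "C:\\Temp\\svc.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "tdsskiller.exe"}
{"ts": "2024-09-20T09:12:00", "host": "WS01", "image": "C:\\Temp\\laz.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "lazagne.exe"}
{"ts": "2024-09-20T10:30:00", "host": "WS02", "image": "C:\\Tools\\tdsskiller.exe", "parent_image": "C:\\Windows\\explorer.exe", "original_file_name": "tdsskiller.exe"}
{"ts": "2024-09-20T11:00:00", "host": "WS03", "image": "C:\\Users\\Public\\laz.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "original_file_name": "lazagne.exe"}
"""


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(lines, window=timedelta(minutes=30)):
    """Return alerts in time order; LaZagne within `window` of a scripted
    TDSSKiller launch on the same host is escalated to high severity."""
    events = [json.loads(raw) for raw in lines if raw.strip()]
    events.sort(key=lambda e: e["ts"])
    last_kill = {}  # host -> time of the most recent scripted TDSSKiller launch
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        original = ev.get("original_file_name", "").lower()
        parent = basename(ev["parent_image"])
        if original == TDSSKILLER and parent in SCRIPT_INTERPRETERS:
            last_kill[ev["host"]] = t
            alerts.append({"host": ev["host"], "severity": "medium",
                           "reason": "TDSSKiller launched by a script interpreter",
                           "image": ev["image"], "parent": parent})
        elif original == LAZAGNE:
            prior = last_kill.get(ev["host"])
            chained = prior is not None and t - prior <= window
            alerts.append({"host": ev["host"], "severity": "high" if chained else "medium",
                           "reason": ("LaZagne after scripted TDSSKiller on the same host"
                                      if chained else "LaZagne credential harvester executed"),
                           "image": ev["image"], "parent": parent})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The interactive TDSSKiller run on WS02 produces no alert by design: the article's observation is the scripted launch, and an administrator running Kaspersky's tool by hand is the benign case. In a real deployment that distinction is better made with an allowlist of hosts where the tool is sanctioned, combined with the EDR's own tamper-protection events, since a tool that succeeds in stopping the agent will also stop the telemetry this rule depends on.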

“The EDRKillShifter tool functions as a ‘loader’ executable, serving as a delivery mechanism for a legitimate driver likely to be abused to terminate applications related to antivirus solutions. This type of tool is often referred to as ‘Bring Your Own Vulnerable Driver’ (BYOVD). The process of executing this loader involves three main steps,” reads the Trend Micro study posted on September 20, 2024.
The main vulnerabilities exploited by RansomHub
RansomHub is known to exploit both known vulnerabilities in widely used software and zero-day vulnerabilities. Here are some of the main vulnerabilities exploited by this group:
- CVE-2023-27350: critical vulnerability in Microsoft Exchange, enabling remote code execution.
- CVE-2022-1388: vulnerability in F5 BIG-IP, allowing remote attackers to execute arbitrary commands.
- CVE-2019-2725: vulnerability in Oracle WebLogic allowing attackers unauthenticated access.
- CVE-2020-1472 (Zerologon): critical vulnerability in Microsoft’s Netlogon protocol, allowing attackers to take control of a computer, including domain controllers, and gain elevated privileges without authentication.
- CVE-2023-3519: flaw in Citrix ADC and Gateway, resulting from incorrect input validation, often exploited for remote code execution (RCE).
- CVE-2023-27997: buffer overflow in Fortinet’s SSL VPN client, allowing unauthenticated attackers to execute arbitrary code on vulnerable devices.
- CVE-2023-46604: command injection vulnerability affecting certain systems, notably industrial control systems, allowing remote command execution.
- CVE-2023-22515: authentication bypass vulnerability in Atlassian’s Confluence, allowing unauthorized users to access sensitive data or systems.
- CVE-2023-46747: remote code execution vulnerability in multiple platforms, which can be exploited via insecure network services.
- CVE-2023-48788: vulnerability in certain software applications that could lead to privilege escalation or arbitrary code execution if exploited.
- CVE-2017-0144 (EternalBlue): vulnerability in the Windows SMB protocol, exploited by the WannaCry ransomware, allowing remote code execution via specially crafted SMB packets.
- CVE-2020-0787: local vulnerability in Windows, enabling elevation of privileges via poor virtual memory management.
RansomHub favors these vulnerabilities, often targeting organizations that delay the installation of critical updates. It is therefore essential to maintain rigorous vulnerability management to protect against not only RansomHub, but all ransomware groups.
Recommended mitigation measures
Security agencies strongly recommend the implementation of proactive measures to mitigate the potential impact of RansomHub attacks. Among these measures, regular patching of known exploitable vulnerabilities and intensified use of two-factor authentication represent essential lines of defense.
It is also advisable not to give in to ransom payments, as they offer no guarantee of complete file restitution and may encourage attackers to target more organizations. Vigilance and continuous adaptation of security strategies remain the best weapons against this evolving threat.
The technological and security environment is constantly evolving, and in this respect, understanding the tactics used by groups like RansomHub becomes essential. Protecting sensitive information requires collective mobilization and constant adaptation of defense protocols in the face of ever more ingenious and determined adversaries.
References and analysis:
RansomHub ransomware-as-a-service (Group-IB study)
Threat Profile: RansomHub ransomware (Blackpoint report, available for download)
RansomHub: The New Kid on the Block to Know (Cyberint)
RansomHub: New Ransomware has Origins in Older Knight (Threat Hunter Team, Symantec)
RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software (BleepingComputer)
How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections (Trend Micro)
RansomHub’s Rise to Power: The New Leader in Ransomware-as-a-Service