Preamble:
Traffic Light Protocol (TLP) is a system of markings that designates the extent to which recipients may share potentially sensitive information.
Situation:
RansomHub, a ransomware-as-a-service (RaaS) variant, remains at large and has targeted at least 210 victims across multiple critical infrastructure sectors, including healthcare and public health organizations, since February 2024.
On August 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), released joint advisory AA24-242A on RansomHub as part of the #StopRansomware campaign, providing tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) to help organizations take the necessary actions to protect against this threat.
Background:
Previously known as Cyclops and Knight, the group utilizes a double-extortion model, encrypting and exfiltrating data and then leaving instructions to contact them through a Tor-based URL (*.onion). The group is known to give the victim ~90 days to pay the ransom before publishing data on the RansomHub Tor site.
RansomHub affiliates have been observed gaining initial access via phishing (T1566) and via password spraying with accounts exposed in previous data breaches (T1110.003). The group has also been observed exploiting known vulnerabilities, particularly to compromise internet-facing systems.
The group has been observed exploiting products like Citrix ADC NetScaler (CVE-2023-3519), FortiOS (CVE-2023-27997), FortiClientEMS (CVE-2023-48788), Windows 2008/7/8.1 via SMBv1 (CVE-2017-0144), and NetLogon MS-NRPC (CVE-2020-1472), among others.
Furthermore, the group has been observed using novel scanning techniques such as nmap or living-off-the-land PowerShell commands to perform remote system discovery (T1018), then persisting by re-enabling disabled user accounts or creating new ones (T1098) and/or by leveraging legitimate remote access software or remote administration tools such as PsExec (T1219).
Novel defense evasion techniques, such as disabling logging or hiding malicious executables under unassuming filenames left in plain sight in the user’s ~\Desktop or ~\Downloads folders, have also been observed (T1036).
The group encrypts data using an elliptic-curve (ECC) algorithm, Curve25519, which generates a unique key pair for each victim organization. During the attack, key system executables are disabled and shadow copies are removed.
Indicators of Compromise (IOCs):
The threat actor is known to leverage a variety of executables, including common and well-known system utilities.
Example executables include:
• C:\Users\%USERNAME%\Downloads\Anydesk.exe
• C:\Program Files (x86)\Nmap\nmap.exe
• C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe
Among others.
Known IPs related to the malicious activity observed between 2023 and 2024 are provided in the list below:
For a comprehensive list of indicators of compromise, visit:
https://www.cisa.gov/sites/default/files/2024-08/AA24-242A.stix_.xml
For more details on the RansomHub ransomware and to read the full advisory, visit:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
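As an added example (not part of the advisory or CloudWave's material), the following Python matches constructed Sysmon-style events against the executable indicators listed above, expanding the %USERNAME% placeholder so one rule covers every user profile, and refangs IP indicators written in the advisory's "[.]" notation. The IP values and the sample events are constructed for the example, not taken from the advisory's indicator list.

```python
import re

# Executable indicators quoted in the advisory; %USERNAME% is kept as a
# placeholder so one rule covers every user profile.
EXECUTABLE_IOCS = [
    r"C:\Users\%USERNAME%\Downloads\Anydesk.exe",
    r"C:\Program Files (x86)\Nmap\nmap.exe",
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe",
]
# Constructed network indicators in the same defanged "[.]" notation the
# advisory uses (sample values, not the advisory's own list).
DEFANGED_IPS = ["203.0.113[.]10", "198.51.100[.]7"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def path_to_regex(ioc_path: str) -> re.Pattern:
    """Escape the literal path, then let %USERNAME% match any profile name."""
    pattern = re.escape(ioc_path).replace(re.escape("%USERNAME%"), r"[^\\]+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)

PATH_RULES = [path_to_regex(p) for p in EXECUTABLE_IOCS]
IP_SET = {refang(ip) for ip in DEFANGED_IPS}

def scan(events):
    """Return (event, reason) pairs for events that match an indicator."""
    hits = []
    for event in events:
        # Process-creation style events carry Image=<full path>.
        m = re.search(r"Image=([^|]+)", event)
        if m and any(rule.match(m.group(1).strip()) for rule in PATH_RULES):
            hits.append((event, "executable IOC: " + m.group(1).strip()))
        # Network-connection style events carry DestinationIp=<ipv4>.
        m = re.search(r"DestinationIp=(\d{1,3}(?:\.\d{1,3}){3})", event)
        if m and m.group(1) in IP_SET:
            hits.append((event, "network IOC: " + m.group(1)))
    return hits

# Constructed Sysmon-like events (EventID 1 = process create, 3 = network).
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Users\jdoe\Downloads\AnyDesk.exe|User=CORP\jdoe",
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM",
    r"EventID=1|Image=C:\Users\jdoe\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe|User=CORP\jdoe",
    r"EventID=3|Image=C:\Windows\System32\svchost.exe|DestinationIp=203.0.113.10|DestinationPort=443",
    r"EventID=3|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=93.184.216.34|DestinationPort=443",
]

if __name__ == "__main__":
    for event, reason in scan(SAMPLE_EVENTS):
        print(reason, "<-", event)
```

A process-creation match on a remote-access or scanning binary in a user's Downloads folder is a strong triage lead on its own; the network match is weaker and should be correlated with the process that made the connection.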
Assessment:
There is a tendency to severely underestimate the sophistication of modern ransomware-as-a-service (RaaS) affiliates like RansomHub. These groups leverage enterprise-grade tools and professional expertise to simplify the deployment of ransomware for their customers providing exceptional support and leveraging a comprehensive portfolio of attack techniques.
The accessibility of RaaS generally increases the potential for widespread and effective campaigns, and the velocity and violence of attack is often misunderstood by target organizations.
To mitigate risks associated with RansomHub, organizations should enhance their security measures with both technical and administrative planning.
Recommendations:
• Network segmentation – Divide large, flat networks into isolated segments. This approach helps limit the overall impact of an attack, hindering lateral movements, and enhances the ability to manage and mitigate potential damage.
• Enforce multifactor authentication (MFA) – Enable MFA policies to significantly reduce the risk of unauthorized access by requiring multiple verification steps that are less susceptible to phishing attacks.
• Enforce credential hygiene – Enforce the use of long, strong passwords. Encourage storage of passwords in encrypted formats. Enforce account lockout policies and time-based access for administrators.
• Disable command-line and scripting activities and permissions – Restrict execution permissions and limit the potential for attackers to execute harmful commands or scripts.
• Maintain offline backups of data, and regularly maintain backup and restoration procedures – Keep offline backups of data, ensure that copies are encrypted and stored in a secure location not accessible from the primary network, and regularly exercise the backup and restoration process.
• Install updates – Regularly install updates for operating systems, software, and firmware as they become available.
• Validate Security Controls – Routinely test and validate your organization’s security program.
• End-user training – Train users to recognize and report phishing attempts; encourage a security-first mindset amongst your communities. Encourage clean workspaces and data reduction wherever possible.
Sources:
With information provided by CloudWave as well as other referenced/linked sources above.