Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a variety of critical U.S. infrastructure sectors.
This comparatively new ransomware-as-a-service (RaaS) operation extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail. The ransomware group focuses on data-theft-based extortion rather than encrypting victims' files, although they were also identified as potential buyers of Knight ransomware source code.
Since the start of the year, RansomHub has claimed responsibility for breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie's auction house, and U.S. telecom provider Frontier Communications. Frontier Communications later warned over 750,000 customers that their personal information was exposed in a data breach.
A joint advisory released today by the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) also confirms that the threat actors target their victims in double-extortion attacks.
The federal agencies said RansomHub (formerly known as Cyclops and Knight) "has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)."
"Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors," the advisory adds.
The four authoring agencies advised network defenders to implement the recommendations in today's advisory to reduce the likelihood and impact of RansomHub ransomware attacks.
They should focus on patching vulnerabilities already exploited in the wild and use strong passwords and multifactor authentication (MFA) for webmail, VPN, and accounts linked to critical systems. It is also recommended to keep software updated and conduct vulnerability assessments as a standard part of security protocols.
The four agencies also provide RansomHub indicators of compromise (IOCs) and information on their affiliates' tactics, techniques, and procedures (TTPs) identified during FBI investigations as recently as August 2024.
"The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered," the federal agencies added.
“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”