The Cybersecurity and Infrastructure Security Agency recently co-authored a joint cybersecurity advisory regarding the RansomHub ransomware group. Since it was first observed in February, RansomHub has become one of the most prolific ransomware threats, claiming at least 210 victims, many of which are organizations in United States critical infrastructure sectors. These sectors include Water and Wastewater, Information Technology,
Government Services and Facilities, Healthcare and Public Health, Emergency Services, Food and Agriculture, Financial Services, Critical Manufacturing, Transportation Systems, and Communications.

RansomHub is a ransomware-as-a-service (RaaS) assessed as a possible rebrand of Knight (Cyclops) ransomware due to similar observed tactics and techniques. However, some speculate whether RansomHub is truly a rebrand, as Knight’s source code was offered for sale on hacking forums in February, just before the initial emergence of RansomHub. The group also recruited former affiliates of LockBit and the now-defunct ALPHV/BlackCat ransomware group. While RansomHub affiliates operate globally, they avoid targeting countries within the Commonwealth of Independent States (CIS), Cuba, North Korea, and China, consistent with the modus operandi of Russian-affiliated ransomware groups. The ransom note typically does not include a ransom demand and, instead, provides victims with a client ID and a unique .onion URL to contact the ransomware group. Depending on the affiliate, victims are given three to 90 days to pay before their data is published on the group’s data leak site.

The advisory lists phishing, various exploited vulnerabilities, and password-spraying attacks as initial access vectors. Additionally, Palo Alto Networks’ Unit 42 analysts observed a chain of events indicating that RansomHub was able to achieve initial access via SocGholish malware delivered through search engine optimization (SEO) poisoning. Microsoft echoed these findings, stating that RansomHub was observed being deployed as part of post-compromise activity by Evil Corp following initial access obtained by TA569 (Mustard Tempest ) via SocGholish (FakeUpdates) infections. TA569 functions as an initial access broker (IAB), selling victim access obtained through successful infections. Scattered Spider (aka Octo Tempest) also incorporated RansomHub and Qilin ransomware payloads in
campaigns in July. Sophos analysts recently observed cybercriminals attempting to deliver RansomHub ransomware while using a new malware dubbed EDRKillShifter. This malware leverages legitimate but vulnerable drivers on Windows machines to disable endpoint
detection and response security software in attacks.

On August 21, Halliburton Oil and Gas was impacted by a cyberattack that caused disruptions and limited access to portions of its business applications. Some researchers assess that the incident may be attributed to RansomHub based on an email sent by the company to affected customers. The email included an indicator of compromise (IOC) that appeared to be a slightly modified version of an encryptor used by the group. However, the company has not shared detailed information about the incident or confirmed this
assessment.

Recommendations

• Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
• Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
• Keep systems up to date and apply patches after appropriate testing.
• Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
• Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments.
• Perform scheduled backups regularly, keeping an updated copy offline in a separate and secure location and testing it regularly.
• Ingest IOCs found in the Joint Cybersecurity Advisory into endpoint security solutions and consider leveraging behavior-based detection tools rather than signature-based tools.
• Report cyber incidents to the FBI’s IC3 and the NJCCIC.