RansomHub's Extensive Reach in Threatening Critical Infrastructure with 210 Victims and Counting
Since February 2024, the newly emerged ransomware group RansomHub has posed a critical threat, compromising a wide range of critical infrastructure organizations with the aid of affiliates from renowned ransomware gangs like LockBit and ALPHV/BlackCat. This expansive reach, detailed by the FBI, CISA, MS-ISAC, and HHS, underscores the threat posed by this group. "Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services, and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors," as stated by US government agencies.
RansomHub's initial access methods include phishing, password spraying, and exploitation of known vulnerabilities using publicly available proofs-of-concept from sources like ExploitDB and GitHub. Among the vulnerabilities listed in the advisory are CVE-2023-3519, a Citrix ADC remote code execution flaw, and CVE-2020-1472, the Zerologon vulnerability. Once access is obtained, RansomHub employs a range of tactics to advance the intrusion. Tools like AngryIPScanner, Nmap, and PowerShell are used for reconnaissance, while persistence is achieved by creating or re-enabling user accounts. To evade detection, the actors deploy executables with deceptive names, disable security software, and clear logs on both Windows and Linux systems, relying on native binaries like BitsAdmin and PowerShell.
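The behaviours above (password spraying for initial access, creating or re-enabling accounts for persistence, and clearing event logs for evasion) all leave traces in Windows Security logging. The following is an added illustration, not code from the advisory or from any of the agencies cited, of how a defender might flag those traces. The event records are constructed for this example; the Windows Security event IDs it relies on (4625 failed logon, 4720 account created, 4722 account enabled, 1102 audit log cleared) are real, but the thresholds and windows are assumptions to be tuned per environment.

```python
"""Toy detections for three RansomHub TTPs named in the advisory summary:
password spraying, account creation/re-enablement, and log clearing.
All sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user).
# 4625 = failed logon, 4720 = account created, 4722 = account enabled,
# 1102 = Security log cleared.
SAMPLE_EVENTS = [
    ("2024-07-20T08:00:00", 4720, "10.0.0.2", "newhire"),      # routine, weeks earlier
    ("2024-08-01T09:00:01", 4625, "10.0.0.5", "alice"),        # one typo'd password
    ("2024-08-01T09:10:00", 4625, "203.0.113.9", "alice"),     # one source, many users
    ("2024-08-01T09:10:05", 4625, "203.0.113.9", "bob"),
    ("2024-08-01T09:10:10", 4625, "203.0.113.9", "carol"),
    ("2024-08-01T09:10:15", 4625, "203.0.113.9", "dave"),
    ("2024-08-01T09:10:20", 4625, "203.0.113.9", "erin"),
    ("2024-08-01T10:00:00", 4722, "10.0.0.7", "svc_backup"),   # dormant account re-enabled
    ("2024-08-01T11:00:00", 4720, "10.0.0.7", "tmpadmin"),     # new account created
    ("2024-08-01T11:30:00", 1102, "10.0.0.7", ""),             # Security log cleared
]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return source IPs that fail logons for >= min_users distinct accounts
    inside any sliding window. A single user failing repeatedly is not a spray."""
    by_src = defaultdict(list)
    for ts, eid, src, user in events:
        if eid == 4625:
            by_src[src].append((datetime.fromisoformat(ts), user))
    hits = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append(src)
                break
    return hits


def detect_account_then_log_clear(events, window=timedelta(hours=24)):
    """Return (user, event_id) for accounts created (4720) or enabled (4722)
    that were followed by a Security log clear (1102) within the window.
    Persistence followed by anti-forensics is a much stronger signal than
    either event alone."""
    changes = [(datetime.fromisoformat(ts), eid, user)
               for ts, eid, _, user in events if eid in (4720, 4722)]
    clears = [datetime.fromisoformat(ts) for ts, eid, _, _ in events if eid == 1102]
    hits = []
    for t, eid, user in changes:
        if any(timedelta(0) <= (c - t) <= window for c in clears):
            hits.append((user, eid))
    return hits


if __name__ == "__main__":
    print("possible password spray from:", detect_password_spray(SAMPLE_EVENTS))
    print("account change followed by log clear:", detect_account_then_log_clear(SAMPLE_EVENTS))
```

In production these rules would read from a SIEM rather than an inline list, and the 1102 event should itself page someone: an attacker who clears the log also removes the 4720/4722 records this correlation depends on, so forwarding Security events off-host before they can be wiped is the precondition for the second rule working at all.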
Credentials obtained with tools such as CrackMapExec, kerbrute, and Mimikatz support lateral movement, which is carried out over RDP, PsExec, AnyDesk, Cobalt Strike, Metasploit, and other channels. RansomHub's double extortion model both encrypts data and exfiltrates it, using tools like Rclone, PuTTY, WinSCP, and Amazon AWS S3 buckets, among others. The data is reported to be encrypted with Curve25519-based cryptography, using techniques such as intermittent encryption to reduce the chance of detection.
Evidence of the threat posed by RansomHub includes its recent attacks against Planned Parenthood and, potentially, the oil and gas company Halliburton. The defensive and mitigation recommendations in the CISA advisory are essential for organizations seeking to maintain a strong posture against such threats. Guidance includes vulnerability management and patching, strong passwords and password policies, network segmentation, restricting network communication where necessary, and enforcing least-privilege access, among other measures.