Symantec discovered the RansMHub-Maintenance Program, which was identified as an updated version of the Knight program, an evolution of the Cyclops extortionist. Knight, also known as Cyclops 2.0, emerged in May 2023, utilizing double extortion tactics across various platforms such as Windows, Linux, MacOS, ESXI, and Android.
The virus was actively promoted on the RAMP forum, with attacks often spread through phishing. However, Knight’s activities ceased in February 2024 when its source code was put up for sale, hinting at a potential update and rebranding under the Ransomhub name.
Ransomhub, the new variant, has already targeted victims including Change Healthcare, Christie’s, and Frontier Communications. Notably, this virus avoids attacking entities in certain regions.
Both Knight and Ransomhub are written in GO language with hidden options using Gobfuscate. The code similarities between the two families complicate their differentiation, although Ransomhub added a new Sleep option not present in Knight.
Although Ransomhub attacks exploit Zerologon vulnerabilities for initial access, installing remote control tools before demanding ransom, data from Malwarebytes shows a rising number of attacks associated with Ransomhub as of April 2024.
Ransomhub has also attempted to collaborate with other groups like Lockbit and Blackcat, indicating a possible connection with experienced hackers. This development coincides with a surge in ransomware activity, as reported by Mandiant, highlighting a 75% increase in data leakage incidents compared to the previous year.