In February 2024, a new ransomware platform called RansomHub emerged in the cybercrime landscape, offering extortion services based on the Ransomware as a Service (RAAS) model. The platform targets Windows, Linux, and ESXI systems, utilizing malicious code written in Go and C++. A detailed report from the Insikt Group highlights the key characteristics of RansomHub, its ties to previously known ransomware like Knight, and precautions against this threat.
RansomHub quickly gained traction and now ranks fourth in the number of reported attacks within the last three months. Its lucrative 90% commission entices skilled affiliates, resulting in a significant surge in infections.
Since its inception, RansomHub has targeted 45 victims across 18 countries, primarily impacting the IT sector. This suggests a strategy of “Big Game Hunting,” where cybercriminals select organizations likely to pay hefty ransoms to avoid substantial financial losses due to downtime.
Notably, RansomHub employs tactics like targeting misconfigured Amazon S3 instances to access backup files not only from the primary victim but also from other customers using the same backups. In these attacks, threat actors blackmail backup solution providers, threatening the exposure of customer data.
Insikt Group’s investigation into RansomHub reveals possible connections with other ransomware groups like Alphv (Blackcat) and Knight Ransomware. The similarities hint at shared resources or affiliations among these groups.
Knight’s operations under the RAAS model ceased in late February 2024 when its source code was made available for sale. This development led to speculation that the virus could have transitioned to new ownership, resulting in updates and rebranding as RansomHub.
The RansomHub virus, which had its initial victim in the same month, has been linked to recent attacks on organizations like Change Healthcare, Christie’s, and Frontier Communications. Interestingly, the latest version of the malware excludes targets in CIS countries, Cuba, North Korea, and China.
RansomHub’s encryption for Linux and Windows is coded in Go, while the ESXI version is in C++. The introduction of an ESXI variant enables attackers to expand their pool of potential targets, focusing on the growing number of enterprises utilizing virtualized environments.
Insikt Group’s research further highlights vulnerabilities in the RansomHub ESXI version, such as the creation of a file “/tmp/app.pid