Ransomhub Soars from 2% to 14% in Extortion Market

The RansomHub hacker group, known for distributing ransomware since February 2024, has successfully encrypted and stolen data from over 210 victims, as reported by US authorities. The victims hail from various sectors including water supply, information technologies, healthcare, state institutions, emergency services, agriculture, and financial institutions.

Formerly known as Cyclops and Knight, Ransomhub operates as an “extortion as a service” (RAAS) model. The group has quickly garnered attention from prominent partners, some of whom have previously worked with renowned groups like Lockbit and Alphv (also known as Blackcat).

Zerofox reports that RANSOMHUB’s activity is on the rise. In the first quarter of 2024, they accounted for 2% of all attacks, which increased to 5.1% in the second quarter, and surged to 14.2% in the third quarter. Notably, 34% of their attacks target European organizations, far above the threat landscape average.

Ransomhub employs a double extortion tactic where data is stolen first and then victim systems are encrypted. The victims are instructed to contact the hackers through a specific online address to negotiate ransom terms. If the companies refuse to pay, their data may be leaked on a designated website.

Using vulnerabilities in software products like Apache Activemq, Atlassian Confluence, and Citrix ADC, the hackers gain access to their victims. Once inside, they conduct network reconnaissance and scanning with tools like Angryipscanner and NMAP, while also disabling antivirus software to avoid detection.