RansomHub Gang Breaches More Than 200 Organisations

Matthew Broersma,
Linkedin
Data displayed on a screen. Hacking, hacker, security, data.

FBI warns RansomHub ransomware gang growing quickly, with affiliates breaching at least 210 organisations since February

Affiliates of the RansomHub ransomware gang have carried out attacks on at least 210 organisations since February, US officials have warned.

They said the group has grown rapidly in part by picking up affiliates from two other ransomware groups that disappeared ealier this year.

RansomHub operates on an infrastructure-as-a-service model, where affiliates use its infrastructure to compromise a target and encrypt its systems, demanding a ransom to provide a decryption key.

As is increasingly common, RansomHub affiliates also exfiltrate data and threaten to release it publicly if the ransom is not paid.

Cyber security and Security password login online concept Hands typing and entering username and password of social media, log in with smartphone to an online bank account, data protection hacker

Fast growth

Different affiliates use various methods for exfiltrating data, said the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and two other agencies in a co-authored advisory.

Affiliates have targeted a wide range of sectors, including water, IT, government, healthcare, emergency services, agriculture, financial services, critical manufacturing, transportation and critical communications infrastructure, the advisory said.

Targets have included credit union Patelco, drugstore chain Rite Aid, auction house Christie’s, telecom provider Frontier Communications and oil services giant Halliburton, which disclosed in an SEC filing that it was compromised on 21 August.

The gang, formerly known as Cyclops and Knight, “has established itself as an efficient and successful service model,” the agencies said.

Disruption

RansomHub’s quick growth is in part due to the disappearance of two major groups earlier this year, they said – LockBit, which was disrupted by an international law enforcement action in February, and AlphV, also known as BlackCat, which shut down in March.

Ransomware infrastructure providers normally receive payment before sending the portion due to the affiliate who carried out the attack, but affiliates must trust the provider to send them their cut.

In March this system took a blow with the disappearance of the gang AlphV, also known as BlackCat, which is believed to have received a $22 million (£17m) payment from dominant US healthcare payments provider Change Healthcare before disappearing without paying its affiliate.

‘Exit scam’

A notice was displayed on the AlphV website claiming the gang was taken down by law enforcement groups including the FBI and the UK’s National Crime Agency, but the NCA said it was not involved in any such action, which along with other factors led security researchers to conclude AlphV’s departure was an “exit scam”.

RansomHub allows affiliates to collect payments themselves, making it all the more attractive to former AlphV affiliates, security experts have said.

The US agencies recommended mitigation measures including patching vulnerabilities that have already been exploited in the wild and use of two-factor authentication.

They advised against paying ransoms as it does not guarantee files will be recovered and “payment may also embolden adversaries to target additional organisations”.