Feds Sound Alarm About RansomHub Ransomware Group
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory about the RansomHub ransomware group.
RansomHub is a relatively new ransomware-as-a-service (RaaS) group that emerged in February 2024. While the group was not directly involved in the ransomware attack on Change Healthcare, it allegedly acquired the stolen data and issued a ransom demand to Change Healthcare to prevent its release. Since February, RansomHub has conducted at least 210 attacks, exfiltrating data and demanding ransom payments to prevent the stolen data from being published on its data leak site. While the group's primary goal is to exfiltrate sensitive data for extortion, it also possesses ransomware and often encrypts files.
RansomHub has attacked organizations in multiple sectors including water and wastewater, IT, government services and facilities, food and agriculture, financial services, transportation, commercial facilities, critical manufacturing, communications, healthcare and public health, and emergency services. The group was behind the recent attack on Halliburton and healthcare attacks on Rite Aid, American Clinical Solutions, the Neurological Spine Institute of Savannah, and the Florida Department of Health.
Initial access is commonly gained to victims' networks through the exploitation of known vulnerabilities, including Citrix ADC (CVE-2023-3519), FortiOS (CVE-2023-27997), the Apache ActiveMQ OpenWire protocol marshaller (CVE-2023-46604), Confluence Data Center and Server (CVE-2023-22515), BIG-IP (CVE-2023-46747), FortiClientEMS (CVE-2023-48788), SMBv1 (CVE-2017-0144), Netlogon/Zerologon (CVE-2020-1472), and the Windows Background Intelligent Transfer Service (BITS) elevation-of-privilege flaw (CVE-2020-0787), with exploits obtained from public sources such as ExploitDB and GitHub. Every one of these has a vendor patch available, so an unpatched instance exposed to the internet is the most likely way in. RansomHub also compromises endpoints through phishing and password spraying.
RansomHub affiliates have been observed using AngryIPScanner, Nmap, and PowerShell-based living-off-the-land techniques for network scanning. For persistence, the group creates new user accounts and re-enables disabled ones. Mimikatz is used to harvest credentials and escalate privileges to SYSTEM level, and RDP, PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, and Metasploit are used for lateral movement and other post-compromise activity. When the group encrypts files, intermittent encryption is used for speed, and encrypted files are given a random extension.
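The account-persistence behaviour described above (new accounts created, disabled accounts switched back on, accounts dropped into privileged groups) leaves a clear trail in the Windows Security log. The script below is an added example, not code from the advisory or the authoring agencies: it runs simple detection logic over constructed sample events using the Microsoft-documented event IDs 4720, 4722, 4728 and 4732. The flat JSON field names, the `approved_admins` allowlist and the sample lines are assumptions for illustration; real exporters such as winlogbeat nest these fields, so adapt the keys to your pipeline.

```python
"""Detect the account-persistence pattern (new accounts, disabled accounts
re-enabled, privileged group additions) in Windows Security events.
Added example, not from the advisory; event lines are constructed and the
flat field names are an assumption."""
import json

# Windows Security event IDs (Microsoft-documented):
# 4720 user account created, 4722 user account enabled,
# 4728/4732 member added to a security-enabled global/local group.
EVENT_CREATED = 4720
EVENT_ENABLED = 4722
EVENT_GROUP_ADD = {4728, 4732}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}

# Constructed sample log: one JSON object per line, fields flattened.
SAMPLE_LOG = """
{"EventID": 4720, "SubjectUserName": "svc_backup", "TargetUserName": "support1"}
{"EventID": 4722, "SubjectUserName": "svc_backup", "TargetUserName": "support1"}
{"EventID": 4722, "SubjectUserName": "svc_backup", "TargetUserName": "Guest"}
{"EventID": 4732, "SubjectUserName": "svc_backup", "TargetUserName": "support1", "GroupName": "Administrators"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "support1", "LogonType": 10}
{"EventID": 4720, "SubjectUserName": "itadmin", "TargetUserName": "newhire"}
{"EventID": 4722, "SubjectUserName": "itadmin", "TargetUserName": "newhire"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_persistence(events, approved_admins=frozenset()):
    """Return (finding, actor, target) tuples for suspicious account activity.

    Windows emits 4722 as part of normal account creation right after 4720,
    so a 4722 whose target was created earlier in the batch is folded into
    the creation finding. A 4722 with no preceding 4720 means an existing
    disabled account was switched back on, which is the re-enable behaviour
    the advisory calls out. `approved_admins` is an assumed allowlist.
    """
    findings = []
    created_in_batch = set()
    for e in events:
        eid = e.get("EventID")
        actor = e.get("SubjectUserName", "")
        target = e.get("TargetUserName", "")
        if eid == EVENT_CREATED:
            created_in_batch.add(target)
            if actor not in approved_admins:
                findings.append(("account_created", actor, target))
        elif eid == EVENT_ENABLED:
            if target in created_in_batch:
                continue  # enable step of a creation already handled above
            if actor not in approved_admins:
                findings.append(("disabled_account_reenabled", actor, target))
        elif eid in EVENT_GROUP_ADD and e.get("GroupName") in PRIVILEGED_GROUPS:
            # Flagged regardless of actor: any account landing in an admin or
            # RDP group deserves a look even when a known admin did it.
            findings.append(("added_to_privileged_group", actor,
                             f"{target}->{e['GroupName']}"))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_events(SAMPLE_LOG), frozenset({"itadmin"})):
        print(*finding)
```

On the sample above the script reports the `support1` creation, the re-enabled `Guest` account and the addition of `support1` to Administrators, while `itadmin` creating `newhire` is suppressed by the allowlist. In production, run the same logic over a time window rather than a single batch so a 4722 for an account created days earlier is still treated as a re-enable.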
The authoring agencies have shared Indicators of Compromise (IoCs) to help network defenders detect attacks in progress and recommended mitigations for hardening defenses.