Short Summary:
On August 29, 2024, the FBI, CISA, MS-ISAC, and HHS released a Cybersecurity Advisory regarding RansomHub ransomware, detailing its IOCs and TTPs. RansomHub, which operates under a Ransomware-as-a-Service model, has targeted over 210 victims across various critical infrastructure sectors. The advisory aims to enhance defenses against this evolving threat through shared intelligence and assessment templates.
Key Points:
- The Cybersecurity Advisory was released on August 29, 2024, by multiple federal agencies.
- RansomHub ransomware is known for its Ransomware-as-a-Service (RaaS) model and has been active since February 2024.
- Originally known as Cyclops and later Knight, RansomHub has infected systems across all major operating systems.
- It has targeted at least 210 victims in various sectors, including healthcare, government, and critical infrastructure.
- The ransomware employs a double-extortion model, encrypting data and exfiltrating it to extort victims.
- Victims are instructed to contact the ransomware group via a unique .onion URL without an initial ransom demand.
- AttackIQ has released assessment templates to help organizations validate their security against RansomHub’s TTPs.
- The advisory includes detailed tactics and techniques used by RansomHub affiliates, categorized into execution, persistence, defense evasion, credential access, discovery, lateral movement, command and control, exfiltration, and impact.
- Recommendations for detection and mitigation include focusing on specific techniques and reviewing CISA’s guidance for patching and detection.
- AttackIQ offers various services to assist security teams in maintaining a robust security posture.
On August 29, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) released a Cybersecurity Advisory (CSA) to disseminate known RansomHub ransomware IOCs and TTPs that have been identified through FBI threat response activities and third-party reporting as recently as August 2024.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
RansomHub, formerly known as Cyclops and Knight, is a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that has been active since at least February 2024.
The RansomHub began its history as Cyclops ransomware around May 2023 and gained notoriety for being capable of infecting all major operating systems including Windows, Linux, and macOS. On July 27, 2023, Cyclops operators announced via their web portal the roll-out of version 2.0 in conjunction with the rebranding to Knight Ransomware. Almost 6 months later, in February 2024, Knight was rebranded as RansomHub. Since then, it has positioned itself as an efficient and successful service model while recently attracting high-profile affiliates of other prominent variants such as LockBit and ALPHV.
Since its inception, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.
The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL. The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.
AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by RansomHub during its latest activities to help customers validate their security controls and their ability to defend against sophisticated threats.
Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct worldwide ransomware activities.
- Assess their security posture against activities focused on both encryption and exfiltration of sensitive information.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups that are currently focused on ransomware activities.
[CISA AA24-242A] #StopRansomware: RansomHub Ransomware
This assessment template emulates the post-compromise Tactics, Techniques, and Procedures (TTP) exhibited by RansomHub affiliates during their latest activities.
The assessment template is divided into tactics, grouping the techniques and implementations used by affiliates at each stage of their activities.
1. Execution
Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
BITS Jobs (T1197): This scenario executes bitsadmin
to create a BITS job and configure it to download a remote payload. Background Intelligent Transfer Service (BITS) is a native mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications.
Windows Management Instrumentation (WMI) (T1047): This scenario executes a Windows Management Instrumentation (WMI) command. WMI is a native Windows administration feature that provides a method for accessing Windows system components.
2. Persistence
Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Create Account: Local Account (T1136.001): This scenario creates a local account using net user
.
3. Defense Evasion
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario uses the wevtutil.exe
binary to clear event logs from the system.
Masquerading: Match Legitimate Name or Location (T1036.005): Renames an executable to rundll32.exe
and executes it from the %TEMP%
directory.
4. Credential Access
Consists of techniques for stealing credentials like account names and passwords.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz
to dump passwords and hashes for Windows accounts.
5. Discovery
Consists of techniques that adversaries use to discover information related to the compromised environment.
System Information Discovery (T1082): This scenario executes the GetSystemInfo
Native API call to retrieve information associated to the system.
System Information Discovery (T1082): This scenario executes the GetEnvironmentStrings
Native API call to print all the environmental variables. These variables are often used to fingerprint a system using expected environment variables such as OS, PROCESSOR_ARCHITECTURE, or USERNAME.
System Information Discovery (T1082): This scenario will call the GetComputerNameA
Windows API to enumerate the computer name.
Peripheral Device Discovery (T1120): This scenario retrieves information about the system’s physical disks using the GetLogicalDriveStringsW
API call.
File and Directory Discovery (T1083): This scenario will use the FindFirstFileW
, FindNextFileW
, and the GetFileSizeEx
Windows API calls to enumerate file system.
Process Discovery (T1057): This scenario uses the Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot
and iterating through each process object with Process32FirstW
and Process32NextW
.
Network Service Discovery (T1046): This scenario uses nmap
to identify hosts that may be remotely accessible to the attacker by scanning for ports 139
, 389
, 445
, 636
and 3389
.
Windows Management Instrumentation (WMI) (T1047): This scenario executes the WMI command wmic path Win32_ShadowCopy
to gather shadow copy information.
6. Lateral Movement
Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.
Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP) protocol.
7. Command and Control
Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
8. Exfiltration
Consists of techniques that adversaries may use to steal data from your network. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
Exfiltration Over C2 Channel (T1041): This scenario simulates a data exfiltration attack where a pre-generated text file containing Windows system profiling data is sent via an HTTP POST
request to an AttackIQ controlled test server.
9. Impact
Consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.
Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe
utility to delete a recent Volume Shadow Copy created by the assessment template.
Inhibit System Recovery (T1490): This scenario executes the wmic.exe
utility to delete a recent Volume Shadow Copy created by the assessment template.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.
- Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.
- Domain Controller Remote System Discovery via PowerShell Script: This scenario uses PowerShell to identify a list of active domain computers, displaying their names, hostnames, and installed operating systems.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Ingress Tool Transfer (T1105):
Adversaries often rely heavily on downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.
2a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest") AND “DownloadData” AND “Hidden”)
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
3. Inhibit System Recovery (T1490):
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
3a. Detection
Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
Command Line CONTAINS ("WMIC.exe" AND "shadowcopy" AND "delete")
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery
Wrap-up
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against an extortive threat. With data generated from continuous testing and the use of these two assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.
The post Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware appeared first on AttackIQ.