Emulating the Relentless RansomHub Ransomware

RansomHub is a newly emerged Ransomware-as-a-Service (RaaS) operation targeting organizations globally. It runs a double-extortion model: affiliates steal sensitive data and then encrypt it. The encryptor, written in C++ or Go, complicates analysis because it requires a password to execute, so a sample recovered without its password will not run in a sandbox. Possible links to earlier ransomware groups such as Knight and BlackCat/ALPHV are noted. AttackIQ has released an emulation of RansomHub so organizations can validate their defenses against it.
Affected: organizations worldwide

Key points:

  • RansomHub operates as a Ransomware-as-a-Service (RaaS) targeting global organizations.
  • It uses a double-extortion model: sensitive data is stolen and then encrypted.
  • The encryptor is written in C++ or Go and ships in multiple versions for different platforms.
  • Distinctive feature: the encryptor requires a password both to run and to encrypt files.
  • RansomHub may be a successor to Knight ransomware, whose source code was leaked.
  • Links to BlackCat/ALPHV operations suggest possible affiliations with other ransomware groups.
  • AttackIQ has developed an emulation for RansomHub to aid in security validation.
  • Organizations can use AttackIQ’s attack graph to assess their security posture against RansomHub.

MITRE Techniques:

  • Ingress Tool Transfer (T1105): Downloads malicious payloads to memory and disk.
  • Access Token Manipulation (T1134): Lists active access tokens for potential privilege escalation.
  • Boot or Logon Autostart Execution: Registry Run Keys (T1547.001): Sets persistence through Windows registry keys.
  • Modify Registry (T1112): Alters AutoAdminLogon to allow automatic login for an administrative account.
  • Impair Defenses: Disable or Modify Tools (T1562.001): Uses fsutil to create symbolic links used by the malware.
  • System Information Discovery (T1082): Retrieves system information using Windows API calls.
  • Account Discovery: Local Account (T1087.001): Enumerates local accounts on the system.
  • Process Discovery (T1057): Iterates through running processes to gather information.
  • Data Encrypted for Impact (T1486): Executes file encryption routines typical of ransomware.
  • Indicator Removal: Clear Windows Event Logs (T1070.001): Clears event logs using wevtutil.exe.
  • Inhibit System Recovery (T1490): Deletes Volume Shadow Copies to hinder file recovery.

Indicators of Compromise:

  • [Domain] ransomhub.com
  • [Malware Emulation] RansomHub – 2025-01
  • [Command] Get-WmiObject Win32_ShadowCopy
  • [Command] wevtutil.exe
  • [Command] fsutil
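The technique list and the command indicators above are the behaviours a defender can actually hunt for in process-creation telemetry. The script below is an added example, not AttackIQ's attack graph or RansomHub code: it runs simple command-line rules for the listed techniques (wevtutil log clearing, WMI shadow-copy deletion, fsutil, AutoAdminLogon, Run keys) over a handful of constructed Sysmon/4688-style records and then flags hosts where several of them fire together. The exact `fsutil behavior set SymlinkEvaluation` and `reg add` syntax is an assumption drawn from public reporting on RansomHub, not from this page, and the event records are made up for the example.

```python
"""Command-line detection rules for the RansomHub techniques listed above.

Added example, not code from AttackIQ or from the RansomHub encryptor.
Events are constructed; the fsutil and reg.exe syntax is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str      # ATT&CK ID from the technique list above
    name: str
    pattern: re.Pattern


# One regex per behaviour. wevtutil "qe" (query) and a bare Win32_ShadowCopy
# enumeration are deliberately NOT matched: backup and admin tooling use them.
RULES = [
    Rule("T1070.001", "event log cleared with wevtutil",
         re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    Rule("T1490", "shadow copies deleted through WMI",
         re.compile(r"Get-WmiObject\s+Win32_ShadowCopy.*?\.Delete\(\)", re.I)),
    Rule("T1562.001", "symlink evaluation changed with fsutil (assumed syntax)",
         re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\b", re.I)),
    Rule("T1112", "AutoAdminLogon written under Winlogon (assumed syntax)",
         re.compile(r"Winlogon.*?\bAutoAdminLogon\b", re.I)),
    Rule("T1547.001", "Run-key persistence written",
         re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.I)),
]

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# style). Not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil qe Application /c:5 /f:text"},              # query only: benign
    {"host": "WS01", "user": "CORP\\jdoe", "image": PS,
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "image": PS,
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Select-Object ID,InstallDate"'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\fsutil.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
                '/v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Updater /t REG_SZ /d C:\\Users\\Public\\enc.exe /f"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},   # benign
]


def scan(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": rule.technique, "name": rule.name,
                                 "cmdline": ev["cmdline"]})
    return findings


def hosts_with_chain(findings, min_techniques=3):
    """Hosts on which several distinct listed techniques fired.

    Any single command here is also used legitimately; the combination
    (log clearing + shadow-copy deletion + persistence on one host) is what
    looks like a ransomware run rather than an administrator.
    """
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, t in per_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    results = scan(EVENTS)
    for f in results:
        print(f"{f['host']:5} {f['technique']:9} {f['name']}: {f['cmdline']}")
    print("hosts with chained techniques:", hosts_with_chain(results))
```

Against the constructed records the scan yields five findings, all on WS01, and `hosts_with_chain` reports only WS01; the SRV02 shadow-copy enumeration and the wevtutil query are left alone. The bare `Get-WmiObject Win32_ShadowCopy` listed as an indicator above is worth collecting, but anchoring the rule on the `.Delete()` call keeps backup-verification scripts from paging the on-call analyst.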


Full Story: https://www.attackiq.com/2025/03/06/emulating-ransomhub/
