FBI: RansomHub ransomware breached 210 victims since February

Summary: RansomHub, a ransomware-as-a-service operation that surfaced in February 2024, has compromised at least 210 victims across critical U.S. infrastructure sectors. Its affiliates steal data and threaten to leak or sell it if the victim does not pay; the joint federal advisory also describes them encrypting systems. Claimed victims include Patelco, Rite Aid, Frontier Communications, and Halliburton. Federal agencies advise against paying ransoms, since payment neither guarantees recovery nor discourages further attacks.

Threat Actor: RansomHub
Victim: Halliburton

Key Points:

  • RansomHub has breached at least 210 victims, including organizations in critical infrastructure sectors such as healthcare and communications.
  • The ransomware group employs a double-extortion tactic, threatening to leak stolen data if ransoms are not paid.
  • Federal agencies advise against paying ransoms, as it does not guarantee file recovery and may encourage further attacks.
  • Recommendations for network defenders include patching vulnerabilities, using strong passwords, and implementing multifactor authentication.
  • RansomHub has attracted affiliates from other prominent ransomware variants, indicating its growing influence in the cybercrime landscape.


Since surfacing in February 2024, RansomHub ransomware affiliates have breached at least 210 victims from a wide range of critical U.S. infrastructure sectors.

This relatively new ransomware-as-a-service (RaaS) operation extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail. The group has presented itself as focusing on data-theft-based extortion rather than encrypting victims' files, although the joint advisory describes its affiliates as both encrypting and exfiltrating data, and the operators were also identified as potential buyers of Knight ransomware source code.

Since the start of the year, RansomHub has claimed responsibility for breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie’s auction house, U.S. telecom provider Frontier Communications, and oil services giant Halliburton. Frontier Communications later warned over 750,000 customers their personal information was exposed in a data breach.

RansomHub’s data leak site also leaked stolen Change Healthcare data after the BlackCat/ALPHV ransomware operation shut down.

A joint advisory released today by the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) also confirms that the threat actors target their victims in double-extortion attacks.

The federal agencies said RansomHub (formerly known as Cyclops and Knight) “has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).”

“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors,” the advisory adds.

RansomHub ransomware advisory

The four authoring agencies advised network defenders to implement the recommendations in today’s advisory to reduce the risk and impact of RansomHub ransomware attacks.

Defenders should prioritize remediating known exploited vulnerabilities and enforce strong passwords and multifactor authentication (MFA) for webmail, VPN, and accounts tied to critical systems. The advisory also recommends keeping software up to date and making vulnerability assessments a standard part of security operations.
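The advisory's first recommendation, remediating vulnerabilities already exploited in the wild, is usually operationalized by cross-referencing an asset inventory against CISA's Known Exploited Vulnerabilities (KEV) catalog and working the matches in priority order. The following script is an added example, not code from the advisory or from BleepingComputer. It uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the catalog excerpt, the inventory, the hostnames and the CVE identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Cross-reference an asset inventory against a CISA KEV catalog excerpt.

Added example. The field names follow the public KEV JSON feed; the entries
below are constructed placeholders (the CVE IDs are not real vulnerabilities).
Hosts are flagged when their vendor/product pair appears in KEV and the CVE
is not recorded as patched; findings are ordered so that entries CISA marks as
used in ransomware campaigns, then the most overdue ones, come first.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. Placeholder CVE IDs.
KEV_SAMPLE = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "vulnerabilityName": "ExampleVPN Gateway Authentication Bypass",
     "dateAdded": "2024-07-01", "dueDate": "2024-07-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Webmail",
     "vulnerabilityName": "ExampleMail Webmail Remote Code Execution",
     "dateAdded": "2024-08-01", "dueDate": "2024-08-15",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Printer",
     "vulnerabilityName": "OtherVendor Printer Path Traversal",
     "dateAdded": "2024-06-10", "dueDate": "2024-07-01",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory: one record per host, with CVEs already remediated.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVPN", "product": "Gateway", "patched": []},
    {"host": "mail-01", "vendor": "ExampleMail", "product": "Webmail",
     "patched": ["CVE-0000-0002"]},
    {"host": "mail-02", "vendor": "examplemail", "product": "webmail", "patched": []},
    {"host": "db-01", "vendor": "ExampleDB", "product": "Server", "patched": []},
]


def load_kev(text):
    """Parse the KEV feed JSON and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    # Normalize case and whitespace so inventory spelling differences still match.
    return (vendor.strip().lower(), product.strip().lower())


def find_exposures(kev, inventory, today):
    """Return prioritized findings for inventory hosts matching unpatched KEV entries."""
    by_product = {}
    for entry in kev:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset.get("patched", []):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                "overdue_days": max(0, (today - due).days),
            })

    # Ransomware-linked entries first, then most overdue, then by host for stable output.
    findings.sort(key=lambda f: (not f["ransomware_use"], -f["overdue_days"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in find_exposures(load_kev(KEV_SAMPLE), INVENTORY, date(2024, 8, 29)):
        flag = "RANSOMWARE" if f["ransomware_use"] else "kev"
        print(f"{flag:10} {f['host']:8} {f['cve']:14} overdue {f['overdue_days']:3}d  {f['name']}")
```

KEV entries do not carry version ranges, so a vendor/product match is a prioritization signal, not proof of exposure; the intended use is to decide which hosts get a version check and patch first, with the ransomware-linked entries at the top of the queue.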

The four agencies also provide RansomHub indicators of compromise (IOCs) and information on their affiliates’ tactics, techniques, and procedures (TTPs) identified during FBI investigations as recently as August 2024.

“The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered,” the federal agencies added.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Update: Added Halliburton to the list of previous victims.

Source: https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-breached-210-victims-since-february