RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024
RansomHub, a ransomware-as-a-service (RaaS) variant, poses a significant threat to critical sectors such as healthcare, transportation, and water systems. It follows a double-extortion model: victim data is exfiltrated and then encrypted, and a ransom is demanded for both decryption and non-publication of the stolen data. The article details its tactics, techniques, and procedures (TTPs), the vulnerabilities it exploits, and mitigation strategies. Affected: healthcare, transportation, water systems

Key points:

  • RansomHub is a ransomware-as-a-service variant formerly known as Cyclops and Knight.
  • Utilizes a double-extortion model to target critical sectors.
  • Involves a structured attack chain consisting of initial access, execution, persistence, discovery, lateral movement, credential access, exfiltration, and impact.
  • Initial access achieved through phishing, exploiting vulnerabilities, and password spraying.
  • Employs tools like Mimikatz for credential dumping and uses malicious scripts to disable security measures.
  • Remote access tools and network scanners are utilized for lateral movement.
  • Data exfiltration often occurs through cloud services using tools like Rclone.
  • Files are encrypted using the Curve25519 algorithm, and Volume Shadow Copies are deleted to inhibit recovery.
  • Recommendations include patch management, enhanced endpoint protection, network segmentation, and security awareness training.

MITRE Techniques:

  • Initial Access: Phishing: Spearphishing Link (T1566.002) – Crafting phishing emails to lure victims.
  • Initial Access: Exploit Public-Facing Application (T1190) – Exploiting known vulnerabilities (CVE-2023-3519, CVE-2023-27997, etc.).
  • Execution & Defense Evasion: Disabling Security Tools (T1562.001) – Disabling EDR and antivirus tools using scripts.
  • Credential Access: Exploitation of LSASS (T1003) – Using Mimikatz to dump LSASS memory for credentials.
  • Lateral Movement: Remote Desktop Protocol (RDP) (T1021.001) – Repurposing legitimate tools like PsExec.
  • Data Exfiltration: Exfiltration Over Alternative Protocols (T1048.002) – Exfiltrating data using unencrypted channels.
  • Impact: File Encryption Using Curve25519 (T1486) – Encrypting files with a unique key for each victim.
  • Impact: Inhibit System Recovery (T1490) – Deleting Volume Shadow Copies to prevent recovery.
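As an added example (not code from the Picus article or from any RansomHub tooling), the following Python snippet applies simple command-line detections for three of the behaviours listed above (shadow copy deletion, LSASS dumping with Mimikatz, Rclone exfiltration) to constructed process-creation events; the hosts, event fields, and command lines are made up for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
# Hosts and command lines are invented for this example, not taken from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "cmdline": r"rclone.exe copy D:\Finance remote:bucket --transfers 32"},
    {"host": "srv02", "cmdline": "vssadmin.exe list shadows"},          # benign admin query
    {"host": "dc01", "cmdline": 'mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"host": "dc01", "cmdline": "svchost.exe -k netsvcs"},              # benign noise
]

# One regex per behaviour from the summary; technique IDs are the ones used on the page.
RULES: Dict[str, "re.Pattern[str]"] = {
    "T1490 shadow copy deletion (vssadmin)": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "T1490 shadow copy deletion (wmic)": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "T1003 LSASS credential dumping (Mimikatz)": re.compile(r"sekurlsa::logonpasswords", re.I),
    "T1048.002 Rclone exfiltration": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match; read-only vssadmin/wmic queries do not fire."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_recovery_inhibition(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts where a T1490 rule fired: a strong signal that encryption is imminent or under way."""
    return sorted({a["host"] for a in alerts if a["rule"].startswith("T1490")})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["host"]}] {a["rule"]}: {a["cmdline"]}')
    print("recovery inhibition observed on:", hosts_with_recovery_inhibition(found))
```

In production these patterns belong in a SIEM or EDR rule set keyed on process command lines, with the T1490 matches treated as high-priority since they typically precede encryption by minutes.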

Full Story: https://www.picussecurity.com/resource/blog/ransomhub