RansomHub

The threat actors behind RansomHub have updated their variant and are using it against U.S. organizations, including government entities. Although the variant only emerged in February 2024, it is the successor to Cyclops and Knight, and it has encrypted and exfiltrated data from at least 210 victims across critical infrastructure sectors thus far. RansomHub has become one of the most pervasive threats to critical sectors because it uses a double-extortion model: the victim's data is encrypted, and the victim is additionally threatened with public leakage of the stolen data if the ransom is not paid. The threat is significant enough that the FBI, CISA, and partner agencies have released a joint Cybersecurity Advisory describing the variant, its tactics, techniques, and procedures (TTPs), and the indicators of compromise and detection methods identified through FBI investigations. (#StopRansomware: RansomHub Ransomware | CISA)

The group operates as Ransomware-as-a-Service (RaaS): it develops and maintains the ransomware code and rents the tooling to affiliates, who carry out the intrusions and give the operators a cut of any ransom paid. RansomHub's current dark-web advertisements offer prospective affiliates an unusually generous deal: the operators keep only 10% of any ransom and the affiliate keeps 90%, the highest affiliate payout of any RaaS program currently known. To sweeten the deal further, affiliates collect the ransom payments themselves and pay RansomHub its share only after a successful attack, rather than trusting the operators to pay out.

For initial access, RansomHub affiliates appear to favor voice phishing (vishing), a spear-phishing variant in which an employee is manipulated over a phone call or other voice channel into granting access to systems, for example by disclosing credentials or approving a remote-access session. Once inside the victim's network, the affiliates disable antivirus and endpoint-protection processes, then use remote-access and remote-execution tools such as PsExec (a Sysinternals command-line utility for running commands on other hosts) to move laterally, scan the network to map the environment, and escalate privileges ahead of deployment.

The final stage is exfiltration followed by encryption. In the double-extortion model the stolen data is typically staged and copied out before the encryptor runs, and the affiliates' preferred tool for that copy is Rclone, a command-line utility for syncing files to cloud storage providers. The encryptor itself uses Elliptic-curve Diffie–Hellman (ECDH) together with the Advanced Encryption Standard (AES) in the usual hybrid arrangement: a symmetric cipher such as AES encrypts file contents at speed, while the elliptic-curve key pair protects the file keys so that only the operator holding the private key can recover them, which is why decryption without that key is not feasible.

The GRIT 2025 Q1 Ransomware & Cyber Threat Report found that ransomware attacks were up 102% over the same quarter of 2024, and that the number of active ransomware groups grew to 70, a 56% year-over-year increase. CISA offers an array of mitigation strategies an entity can adopt to lessen the risk of a RansomHub attack, as well as immediate incident response actions for a suspected compromise:

  • Quarantine or take potentially affected hosts offline.
  • Reimage compromised hosts.
  • Provision new account credentials.
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  • Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) (SOC@cisecurity.org or 866-787-4722).
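The artifact-review step above (running processes and services, unusual authentications, recent network connections) maps directly onto the tradecraft described earlier: PsExec for lateral movement, disabled antivirus, and Rclone for exfiltration. The following Python script is an added example, not code from CISA or from this page. It runs four simple hunt rules over a handful of constructed event records shaped like Windows Security, System, and Defender events, and lists the hosts that should be quarantined first. The Event IDs are real (7045 new service installed, 5001 Defender real-time protection disabled, 4688 process creation, 4624 logon with type 10 meaning RDP), but the record field names, the sample events, and the off-hours window are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry), shaped like a few fields from
# Windows Security (4624, 4688), System (7045) and Defender (5001) events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "FS01", "User": "jdoe", "LogonType": 10,
     "Src": "10.0.5.23", "Time": "2024-08-01T02:13:00"},
    {"EventID": 7045, "Host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Time": "2024-08-01T02:14:10"},
    {"EventID": 5001, "Host": "FS01",
     "Message": "Microsoft Defender Antivirus Real-time Protection is disabled.",
     "Time": "2024-08-01T02:15:02"},
    {"EventID": 4688, "Host": "FS01", "NewProcessName": "C:\\Users\\Public\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:bucket --transfers 16",
     "Time": "2024-08-01T02:40:44"},
    {"EventID": 4688, "Host": "WS07", "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "Time": "2024-08-01T09:00:00"},
    {"EventID": 4624, "Host": "WS07", "User": "jdoe", "LogonType": 2,
     "Src": "-", "Time": "2024-08-01T09:01:00"},
]

# Assumed local policy: no interactive remote logons are expected between 00:00 and 05:59.
OFF_HOURS = range(0, 6)

RCLONE_RE = re.compile(r"rclone", re.IGNORECASE)


def is_psexec_service_install(ev):
    # System 7045: a new service was installed. PsExec drops PSEXESVC on the target host.
    return ev.get("EventID") == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC"


def is_defender_realtime_disabled(ev):
    # Defender operational log 5001: real-time protection was turned off.
    return ev.get("EventID") == 5001


def is_rclone_execution(ev):
    # Security 4688 (process creation): rclone in the image name or command line.
    if ev.get("EventID") != 4688:
        return False
    return bool(RCLONE_RE.search(ev.get("NewProcessName", "") + " " + ev.get("CommandLine", "")))


def is_offhours_rdp_logon(ev):
    # Security 4624 with LogonType 10 = RemoteInteractive (RDP), outside business hours.
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return False
    return datetime.fromisoformat(ev["Time"]).hour in OFF_HOURS


RULES = {
    "psexec_service_install": is_psexec_service_install,
    "defender_realtime_disabled": is_defender_realtime_disabled,
    "rclone_execution": is_rclone_execution,
    "offhours_rdp_logon": is_offhours_rdp_logon,
}


def match_rules(ev):
    """Names of every rule the event satisfies."""
    return [name for name, pred in RULES.items() if pred(ev)]


def hunt(events):
    """Map host -> set of rule names that fired on it; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["Host"]].add(name)
    return dict(hits)


def hosts_to_quarantine(events, min_rules=2):
    """Hosts where at least `min_rules` distinct stages fired: isolate these first (CISA's step 1)."""
    return sorted(h for h, names in hunt(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("quarantine:", hosts_to_quarantine(SAMPLE_EVENTS))
```

Requiring two distinct stages before recommending isolation keeps a single noisy rule (an administrator legitimately using PsExec, say) from triggering a quarantine on its own, while a host that shows lateral movement, a disabled AV, and an Rclone copy in the same night is exactly the one to take offline before it encrypts. In a real environment the records would come from the SIEM or from exported event logs rather than the inline list.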


Please contact anyone from Utility Services if you would like more information on this topic or assistance with developing a ransomware response plan, assessing your current plan, or testing it.
