RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model: affiliates exfiltrate data before encrypting systems, so victims face both data loss and public leakage. The ransom note gives each victim a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploitation of vulnerabilities, and password spraying. They use tools such as Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools such as PuTTY and AWS S3 buckets. The ransomware uses Curve25519 for its encryption and implements intermittent encryption (encrypting only portions of each file to speed up the process). It targets user files and networked shares, leaves a ransom note, and deletes volume shadow copies to hinder recovery.
Author: AlienVault
Related Tags:
cve-2023-3519
lateral-movement
cve-2020-0787
critical-infrastructure
cve-2023-46747
data-exfiltration
cve-2023-27997
double-extortion
cve-2023-48788
Associated Indicators:
samuelelena.co
40031.co