RansomHub is a new Ransomware-as-a-Service (RaaS) that first appeared in early 2024. It has quickly become one of the most prevalent threats observed by MOXFIVE in recent months. RansomHub follows a unique payment method, offering threat actors a 90%commission. This means RansomHub charges the threat actor a 10% fee for any successfully paid ransom, a lower fee compared to similar ransomware services.

Threat actors deploying this ransomware have gained initial access by exploiting unpatched vulnerabilities and using malicious JavaScript files hosted on legitimate websites as droppers for additional post-exploitation toolsets. In RansomHub cases observed by MOXFIVE, there was unusually long dwell time between initial access and ransomware deployment. During this period, they conduct reconnaissance and privilege escalation while employing various tools for exfiltration, encryption, and deleting backups. Below is a breakdown of observed tactics, techniques, and procedures (TTPs), as well as tools used by threat actors deploying RansomHub.

Key Highlights:

• RansomHub does not allow its service to be used for targeting organizations that have already paid ransom demands or non-profit organizations. It also prohibits targeting any of the following countries: Cuba, North Korea, China, and the Commonwealth of Independent States which includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.
• Threat actors have proven successful at deleting backups and storage during the weeks between initial access and ransomware deployment.
• Encryption tools were deployed within virtualized environments, impacting local and cloud virtual machines on VMWare and Microsoft platforms.
• A post-exploitation framework called Mythic was used for C2 activity, running in memory to avoid detection by security solutions.
• Threat actors leveraged the tool DonPapi to dump user credentials throughout the network environment. An output file was left behind containing over 5,000 records, including user credentials from web browsing history.

June 2024 Targeted Industries: Threat actors deploying RansomHub have been seen targeting a wide range of industries since the release in early 2024. During June, MOXFIVE has observed additional attacks targeting the Finance and Education sectors.

Ransomware Payment Demands: MOXFIVE has observed RansomHub payment demands reaching as high as $10 million. In some cases, the threat actors deploying this ransomware often begin to lower their demands if there are delays in communication. This has proven beneficial for negotiations, as the threat actors start to reduce the price before any formal discussions take place.

Notable Leveraged Exploits:

• CVE-2020-1472– Known as the “Zerologon” vulnerability, this exploit is a privilege elevation vulnerability in Microsoft’s Netlogon. Despite being identified in 2020, there have been reports of threat actors exploiting it to gain initial access before deploying RansomHub.

Data Exfiltration: Threat actors deploying RansomHub have utilized commonly abused tools such as Rclone and FileZilla for data exfiltration. They have also employed Azure Blob Storage as their chosen platform for receiving the stolen data.

• Rclone is an open-source command-line program used to manage files on cloud storage. Threat actors often use this tool to transfer stolen data from compromised systems to remote cloud storage services efficiently and discreetly.
• FileZilla an open-source FTP client that allows users to transfer files between a local system and a remote server. In the context of data exfiltration, threat actors can abuse FileZilla to stealthily transfer stolen data from compromised systems to remote locations.
• Azure Blob Storage is a cloud storage service by Microsoft designed to store large amounts of unstructured data. MOXFIVE has observed threat actors exfiltrating data to Azure Blob Storage, which makes the data easy to access.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.