What's RansomHub?

Despite first appearing earlier this year, RansomHub is already considered one of the most prolific ransomware groups in existence.

It operates a ransomware-as-a-service (RaaS) operation, meaning that a central core of the group creates and maintains the ransomware code and infrastructure, and rents it out to other cybercriminals who act as affiliates.

How has RansomHub become such a big deal so quickly?

RansomHub undoubtedly benefited from the disruption caused to the LockBit gang by law enforcement in February 2024. An international operation against LockBit not only saw the seizure of some of the group's websites and decryption tools, but also trolled affiliates that they were being watched.

Many affiliates who had previously used encryptors from the LockBit group have switched to rival RaaS gangs. Amongst these has been RansomHub, which Check Point reports was responsible for "a significant rise" in attacks in June, with nearly 80 new victims.

So, making life harder for LockBit didn't get rid of the ransomware problem...

...it just drove it elsewhere, yes.

But RansomHub has also actively recruited affiliates from other ransomware-as-a-service operations. For instance, it took under its wing former ALPHV/BlackCat affiliates after that group scammed its partners.

So I'm guessing that RansomHub works the same as other ransomware?

Pretty much. Attackers break into your organisation, exfiltrate sensitive data, and then encrypt your systems. One day you come into the office and you find an electronic ransom note demanding that you pay a ransom note for both a decryption tool to recover your garbled files, and to stop the gang publishing the files on the dark web.

Researchers believe that RansomHub's origins can be traced back to an older ransomware called Knight. Knight's source code was offered for sale on hacking forums in February 2024 - and they have numerous similarities.

You're suggesting that ransomware groups are lazy...

Aren't all programmers? If someone else has already written code that does the job proficiently, there's often little sense in reinventing the wheel. Knight itself was based upon an earlier ransomware called Cyclops.

Do we know where the RansomHub gang is based?

As with all these groups, it's tricky to be definitive. However, there are some clues in statements the group has made online.

On its website, in its "About" section, RansomHub says that it does not allow attacks on "CIS, Cuba, North Korea, and China." Therefore, it wouldn't be terribly surprising if we discovered that the RansomHub group was predominantly based in a country that was friendly to Russia or, indeed, Russia itself.

Well, there's a surprise. Why would they want to prevent attacks against their own country and its allies?

Because cybercriminals will find life a lot more stressful if their local law enforcement officers are prepared to turn a blind eye if only businesses in enemy nations are being hacked.

So, who has RansomHub claimed to have attacked?

Most recently, it said it had been behind an attack against the Florida Department of Health, claiming it had published 100 GB worth of data stolen from the organisation after failing to secure a ransom payment. Other high-profile attacks linked to RansomHub include one on the Christie's auction house.

One of RansomHub's most notable victims,, however, was Change Healthcare.

Hang on, I thought Change Healthcare was hit by the ALPHV/BlackCat group?

Well remembered. ALPHV/BlackCat did launch a ransomware attack on Change Healthcare in February this year, severely disrupting the ability of pharmacies to fulfill orders from patients who wished to pay for their medical prescriptions through their insurance.

But Change Healthcare's headaches didn't end there. In April, RansomHub also began posting sensitive medical and financial information apparently taken from the health technology provider, and threatening to publish it unless ransoms were paid by insurance companies.

These guys seem serious about doing everything they can to make cash...

Nobody should be surprised. In its online manifesto, RansomHub says:

Our team members are from different countries and we are not interested in anything else, we are only interested in dollars.

So, what action should my company take to protect against RansomHub?

The most important thing to do is to ensure that you have hardened defences in place before a ransomware attack takes place, limiting any potential impact on your business.

In addition, it would be wise to follow our recommendations on how to protect your organisation from other ransomware.

Tips include:

• Making secure offsite backups.
• Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
• Restrict an attacker's ability to spread laterally through your organisation via network segmentation.
• Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
• Encrypting sensitive data wherever possible.
• Reducing the attack surface by disabling functionality that your company does not need.
• Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Stay safe, and don't allow your organisation to be the next victim to fall victim to RansomHub.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.