Quick Facts

  • Type: Ransomware
  • First Discovered: 10th February 2024
  • Latest Activity: 1st November 2024
  • Languages: Russian

Industries Targeted

  • Business Services
  • Retail
  • Manufacturing
  • Educational Services
  • Government
  • Finance
  • Construction

Geography of Victims

  • United States
  • Brazil
  • Italy
  • UK
  • Spain
  • Australia
  • India

Notable Victims

  • Frontier
  • Christie's Auction House
  • Rite Aid
  • California Credit Union

Modus Operandi

  • Initial access by exploiting unpatched, internet-facing vulnerabilities and by phishing, after which the intruders move through the network and deploy the encryptor.
  • Double extortion: data is exfiltrated before encryption, so victims are pressured to pay both to recover their files and to keep the stolen data off the group's leak site.
  • Operates as Ransomware-as-a-Service (RaaS): affiliates carry out the intrusions using RansomHub's encryptor and leak-site infrastructure, which widens the operation's reach and the range of tradecraft seen in its attacks.

Notable Features

  • RansomHub affiliates deploy EDRKillShifter, a loader that drops a legitimate but vulnerable signed driver (bring-your-own-vulnerable-driver, BYOVD) and abuses it to terminate endpoint detection and response (EDR) and antivirus processes before the encryptor runs.
  • Affiliates exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol, which lets an unauthenticated attacker on the network reset a domain controller's machine-account password and from there take over the Active Directory domain; it only works where the 2020 Netlogon patches and enforcement mode have not been applied.
  • RansomHub has been observed attacking various industries and critical infrastructure sectors, including water and wastewater systems, IT, commercial and government facilities, healthcare, agriculture, financial services, manufacturing, transportation, and communications.
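
The Zerologon point above is the one a defender can check for directly. The script below is an added example written for this profile, not code from RansomHub, its affiliates or Dark Web Informer: it scans pre-parsed Windows event records for the Zerologon exploitation signature (Security Event ID 4742 where the subject is ANONYMOUS LOGON, SID S-1-5-7, and a machine account's Password Last Set attribute changed) and for System-log Netlogon events 5829/5830/5831, which mean a patched domain controller is still allowing vulnerable connections because enforcement mode is off. The dict keys are assumed to mirror the EventData field names (SubjectUserSid, TargetUserName, PasswordLastSet; SamAccountName for the Netlogon events is an assumption), and every sample record is constructed, not real telemetry.

```python
"""Triage check for Zerologon (CVE-2020-1472) traces in Windows event logs.

Added example, not RansomHub's or Dark Web Informer's code.  Assumes events
are pre-parsed into dicts keyed by EventData field names; sample records
below are constructed, not real telemetry.
"""
from dataclasses import dataclass

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Netlogon events (KB4557222) that mean a vulnerable connection was ALLOWED.
NETLOGON_ALLOWED_VULNERABLE = {
    5829: "vulnerable Netlogon secure channel allowed (enforcement mode not yet on)",
    5830: "vulnerable connection allowed by group policy exception (machine account)",
    5831: "vulnerable connection allowed by group policy exception (trust account)",
}


@dataclass(frozen=True)
class Finding:
    record_id: int
    event_id: int
    account: str
    reason: str


def is_anonymous_machine_password_reset(event: dict) -> bool:
    """True for a 4742 where ANONYMOUS LOGON changed a machine account's password."""
    if event.get("EventID") != 4742:
        return False
    subject_sid = event.get("SubjectUserSid", "")
    target = event.get("TargetUserName", "")
    # Windows writes '-' for attributes that did not change in this event.
    password_last_set = event.get("PasswordLastSet", "-")
    return (
        subject_sid == ANONYMOUS_LOGON_SID
        and target.endswith("$")
        and password_last_set not in ("", "-")
    )


def find_zerologon_indicators(events: list[dict], dc_accounts: set[str]) -> list[Finding]:
    """Return findings for exploitation traces and for unenforced Netlogon policy.

    dc_accounts: machine-account names of the domain controllers (e.g. {"DC01$"}),
    matched case-insensitively so a reset on a DC is called out explicitly.
    """
    dc_upper = {name.upper() for name in dc_accounts}
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if is_anonymous_machine_password_reset(ev):
            target = ev["TargetUserName"]
            reason = "anonymous computer-account password reset"
            if target.upper() in dc_upper:
                reason += " on a domain controller account (Zerologon signature)"
            findings.append(Finding(ev["RecordId"], eid, target, reason))
        elif eid in NETLOGON_ALLOWED_VULNERABLE:
            # "SamAccountName" as the field name is an assumption for this example.
            findings.append(Finding(ev["RecordId"], eid, ev.get("SamAccountName", "?"),
                                    NETLOGON_ALLOWED_VULNERABLE[eid]))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Routine change by an administrator: subject is a real user, not anonymous.
    {"RecordId": 1001, "EventID": 4742,
     "SubjectUserSid": "S-1-5-21-1004336348-1177238915-682003330-1104",
     "SubjectUserName": "j.admin", "TargetUserName": "WS01$",
     "PasswordLastSet": "2/10/2024 9:00:02 AM"},
    # Anonymous subject but no password change: some other attribute changed.
    {"RecordId": 1002, "EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WS02$",
     "PasswordLastSet": "-"},
    # Zerologon signature: anonymous reset of a DC machine-account password.
    {"RecordId": 1003, "EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "2/10/2024 9:05:13 AM"},
    # Patched DC still allowing a vulnerable connection: enforcement mode is off.
    {"RecordId": 2001, "EventID": 5829, "SamAccountName": "PRINTSRV01$"},
    # Unrelated logon event.
    {"RecordId": 1004, "EventID": 4624, "SubjectUserSid": "S-1-5-18",
     "TargetUserName": "svc_backup"},
]


if __name__ == "__main__":
    for f in find_zerologon_indicators(SAMPLE_EVENTS, {"DC01$"}):
        print(f"record {f.record_id} event {f.event_id} {f.account}: {f.reason}")
```

A 4742 hit on a DC account is an incident, not a hint: the exploit leaves the DC's stored machine password out of step with Active Directory, and affiliates typically follow it with credential dumping, so treat it as domain compromise until proven otherwise. The 5829-5831 findings are a configuration gap rather than an attack; if the DCs log 5827/5828 (connections denied) instead, the patch is enforced and Zerologon is closed off.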
Dark Web Informer 2024