RansomHub gains initial access through unpatched vulnerabilities and phishing attacks to infiltrate networks and launch ransomware campaigns.
It practices double extortion, encrypting and exfiltrating victims' data to pressure them into paying in order to avoid both data loss and public exposure.
Operating as a Ransomware-as-a-Service (RaaS), RansomHub allows affiliates to use its platform for attacks, broadening its reach and adaptability.
Notable Features
RansomHub incorporates EDRKillShifter into its attack chain to disable endpoint detection and response (EDR) and antivirus protections, enhancing its ability to evade security measures.
The ransomware exploits the Zerologon vulnerability (CVE-2020-1472), which allows attackers to bypass authentication and potentially take control of entire networks wherever the vulnerability remains unpatched.
RansomHub has been observed attacking various industries and critical infrastructure sectors, including water and wastewater systems, IT, commercial and government facilities, healthcare, agriculture, financial services, manufacturing, transportation, and communications.