RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates

RansomHub, a new ransomware-as-a-service (RaaS) platform, emerged in February 2024, targeting Windows, Linux, and ESXi systems with malware written in Go and C++. Its high 90% commission rate attracts seasoned affiliates, leading to a surge in infections. RansomHub's affiliates have impacted 45 victims across 18 countries, primarily targeting the IT sector. Its affiliates have leveraged cloud storage backups and misconfigured Amazon S3 instances to extort victims. Insikt Group identified code overlaps with ALPHV and Knight Ransomware, suggesting potential connections. Immediate and long-term security measures are recommended for organizations.

RansomHub is a new ransomware-as-a-service (RaaS) first advertised in early February 2024 by a user named “koley” on the underground forum Ramp. It has quickly drawn attention due to its versatile malware written in Go and C++. This ransomware targets Windows, Linux, and ESXi systems, a feature that significantly expands the range of potential victims. Such multi-OS targeting aligns with a broader trend in which malware designed to attack multiple operating systems increased sevenfold between 2022 and 2023.

RansomHub offers affiliates a 90% commission rate, which is on the higher end of the typical 80-90% range seen in the RaaS market. This lucrative rate is likely to attract seasoned affiliates from other platforms, leading to a surge in RansomHub-related infections and victims.

Since its launch, RansomHub has claimed 45 victims across 18 countries, with the IT sector being the most frequently targeted. This pattern suggests that RansomHub’s affiliates are engaging in “big game hunting”, where attackers focus on high-value targets that are more likely to pay substantial ransoms due to the severe financial implications of operational downtime.

In one notable incident, RansomHub affiliates leveraged misconfigured Amazon S3 instances to access backups not only of their primary target but also of other clients using the same backup provider. This tactic allowed them to extort the backup solutions provider by threatening to leak client data, exploiting the trust relationship between providers and their clients. Recently, RansomHub gained attention for selling 4TB of data stolen from Change Healthcare, a US-based healthcare technology company.

Insikt Group’s analysis revealed code overlaps between RansomHub and other ransomware groups, such as ALPHV (BlackCat) and Knight Ransomware. These similarities suggest possible connections or shared resources among these groups. RansomHub’s strategy of using passwords to decrypt embedded configurations makes it challenging for threat researchers to analyze the malware dynamically.

RansomHub’s ESXi version employs a unique tactic by creating a file named /tmp/app.pid to prevent multiple instances from running simultaneously. Modifying this file can halt the ransomware’s operations, presenting a potential mitigation strategy for affected systems.

Mitigations

Insikt Group has created YARA and Sigma rules that can be used to detect the presence or execution of RansomHub ransomware files in your environment. These rules cover ESXi, Linux, and Windows variants. Additionally, analysts can search endpoint logging for command-line invocations used by RansomHub to stop virtual machines (VMs), delete shadow copies, and stop the Internet Information Service (IIS) service.
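The endpoint-log search described above, as an added example that is not part of the report or Insikt Group's own rules: it scans constructed process-creation log lines for the three behaviours named (shadow copy deletion, stopping IIS, stopping VMs) and flags hosts where more than one behaviour fired. The log format and the command patterns are assumptions; the patterns are the commonly used commands for each action, not the exact invocations from the report.

```python
import re

# Constructed sample process-creation log lines (not taken from the report).
# Assumed format: "<timestamp> host=<hostname> cmd=<command line>"
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z host=WS01 cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2024-05-01T10:05:43Z host=SRV02 cmd=vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T10:05:44Z host=SRV02 cmd=wmic shadowcopy delete",
    "2024-05-01T10:06:01Z host=SRV02 cmd=net stop w3svc",
    "2024-05-01T10:06:02Z host=SRV02 cmd=iisreset /stop",
    "2024-05-01T10:07:15Z host=ESX01 cmd=esxcli vm process kill --type=force --world-id=12345",
    "2024-05-01T10:08:00Z host=WS03 cmd=vssadmin.exe list shadows",
]

# Assumed patterns for the three behaviours the mitigations section names; these are
# the commonly used commands for each action, not the report's exact invocations.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "iis_stop": [
        re.compile(r"\bnet(\.exe)?\s+stop\s+w3svc\b", re.I),
        re.compile(r"\biisreset(\.exe)?\s+/stop\b", re.I),
    ],
    "vm_stop": [re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I)],
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")

def scan_logs(lines):
    """Return (timestamp, host, rule, command) for every line that matches a rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not follow the assumed format
            continue
        for rule, patterns in RULES.items():
            if any(p.search(m["cmd"]) for p in patterns):
                alerts.append((m["ts"], m["host"], rule, m["cmd"]))
    return alerts

def hosts_to_triage(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct behaviours fired. A single hit
    (an admin stopping IIS) is weak evidence; several on one host is the stronger signal."""
    seen = {}
    for _, host, rule, _ in alerts:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)
```

Running `scan_logs(SAMPLE_LOGS)` on the constructed lines yields five alerts, and `hosts_to_triage` returns only SRV02, where shadow copy deletion and the IIS stop occurred together.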

In addition to the above detections, the following general recommendations should be followed to effectively reduce the risk of ransomware infections.

To read the entire analysis, click here to download the report as a PDF.