A joint Cybersecurity Advisory released by federal agencies on August 29, 2024 details RansomHub ransomware's IOCs and TTPs, noting its RaaS model and its activity against healthcare, government, and critical infrastructure sectors, with at least 210 victims. AttackIQ provides assessment templates so defenders can validate their defenses and patching against RansomHub's techniques as part of the ongoing #StopRansomware effort.
#RansomHub #Cyclops #Knight #RaaS #StopRansomware #FBI #CISA #AttackIQ
Key points
- The CSA was issued on August 29, 2024 by the FBI, CISA, MS-ISAC, and HHS to share known RansomHub IOCs and TTPs identified through threat response activities and third-party reporting.
- RansomHub operates under a Ransomware-as-a-Service (RaaS) model and has been active since February 2024, evolving from Cyclops and Knight.
- RansomHub has infected at least 210 victims across sectors including healthcare, government, water/wastewater, IT, and critical infrastructure.
- The threat uses a double-extortion model: encrypting data and exfiltrating it to pressure victims, with a ransom note that directs contact via a unique .onion URL and typically no upfront ransom demand.
- AttackIQ released an assessment template emulating RansomHub post-compromise TTPs to help validate security controls against encryption and exfiltration activities.
- The advisory groups affiliates’ TTPs into categories such as execution, persistence, defense evasion, credential access, discovery, lateral movement, C2, exfiltration, and impact.
- Recommendations emphasize targeted detection and mitigation aligned with CISA guidance on patching and security monitoring, complemented by AttackIQ services for continuous validation.
MITRE Techniques
- [T1197] BITS Jobs
- [T1047] Windows Management Instrumentation
- [T1136.001] Create Account: Local Account
- [T1070.001] Clear Windows Event Logs
- [T1036.005] Masquerading: Match Legitimate Name or Location
- [T1003] OS Credential Dumping
- [T1082] System Information Discovery – GetSystemInfo
- [T1082] System Information Discovery – GetEnvironmentStrings
- [T1082] System Information Discovery – GetComputerNameA
- [T1120] Peripheral Device Discovery
- [T1083] File and Directory Discovery
- [T1057] Process Discovery
- [T1046] Network Service Discovery
- [T1047] Windows Management Instrumentation – ShadowCopy discovery
- [T1021.001] Remote Services: Remote Desktop Protocol
- [T1105] Ingress Tool Transfer
- [T1041] Exfiltration Over C2 Channel
- [T1490] Inhibit System Recovery – vssadmin.exe
- [T1490] Inhibit System Recovery – WMIC.exe
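Several of the techniques above (shadow-copy discovery and deletion via vssadmin.exe and WMIC.exe, and clearing of Windows event logs) leave a clear footprint in process-creation telemetry, which is the kind of targeted detection the advisory recommends. The following is an added example, not code from AttackIQ, the advisory, or the assessment template: a small rule engine run over constructed Sysmon-style process-creation events (JSON lines with assumed field names `ts`, `host`, `user`, `image`, `cmdline`). It maps matches to the technique IDs listed above and lowers confidence when the command line matches but the binary name does not, which is what a renamed copy of the tool (T1036.005 on this page) would look like.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Windows process-creation events (Sysmon Event ID 1 style, flattened to
# JSON lines). Illustrative only; these are not logs from the advisory or any victim.
SAMPLE_EVENTS = r"""
{"ts": "2024-09-01T02:11:08Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2024-09-01T02:11:09Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"}
{"ts": "2024-09-01T02:11:10Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy list brief"}
{"ts": "2024-09-01T02:12:30Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"}
{"ts": "2024-09-01T02:13:00Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"ts": "2024-09-01T02:14:00Z", "host": "SRV-BK-01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2024-09-01T02:15:00Z", "host": "WS-FIN-07", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\svchost.exe", "cmdline": "svchost.exe delete shadows /all /quiet"}
"""


@dataclass
class Rule:
    technique: str        # MITRE ATT&CK ID from the advisory's technique list
    name: str
    image: re.Pattern     # binary name expected at the end of the image path
    cmdline: re.Pattern   # the command-line behaviour the rule is really about


FLAGS = re.IGNORECASE
RULES = [
    Rule("T1490", "Inhibit System Recovery (vssadmin.exe)",
         re.compile(r"\\vssadmin\.exe$", FLAGS), re.compile(r"\bdelete\b.*\bshadows\b", FLAGS)),
    Rule("T1490", "Inhibit System Recovery (WMIC.exe)",
         re.compile(r"\\wmic\.exe$", FLAGS), re.compile(r"\bshadowcopy\b.*\bdelete\b", FLAGS)),
    Rule("T1047", "WMI ShadowCopy discovery",
         re.compile(r"\\wmic\.exe$", FLAGS), re.compile(r"\bshadowcopy\b(?!.*\bdelete\b)", FLAGS)),
    # wevtutil is the usual built-in for clearing logs; the page names the technique, not the tool.
    Rule("T1070.001", "Clear Windows Event Logs (wevtutil)",
         re.compile(r"\\wevtutil\.exe$", FLAGS), re.compile(r"^\S*wevtutil(\.exe)?\s+(cl|clear-log)\b", FLAGS)),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    name: str
    confidence: str   # "high" when image and command line agree, else "medium"
    cmdline: str


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Apply every rule to every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        cmd, img = ev.get("cmdline", ""), ev.get("image", "")
        for rule in RULES:
            if not rule.cmdline.search(cmd):
                continue
            # Command line matched; if the binary is not where and what we expect,
            # a renamed copy (T1036.005 masquerading) is one explanation, so keep the
            # alert but mark it for analyst review instead of dropping it.
            confidence = "high" if rule.image.search(img) else "medium"
            findings.append(Finding(ev.get("ts", ""), ev.get("host", ""), ev.get("user", ""),
                                    rule.technique, rule.name, confidence, cmd))
    return findings


def techniques_by_host(findings):
    """Summarise distinct technique IDs seen per host, useful for spotting a chain on one machine."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    return {host: sorted(techs) for host, techs in by_host.items()}


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.host} {f.user} [{f.technique}] {f.name} ({f.confidence}): {f.cmdline}")
    print(techniques_by_host(run_sample()))
```

Matching on the command line first and treating the image path only as a confidence modifier is the deliberate choice here: a rule keyed solely on `vssadmin.exe` in the image path is bypassed by copying the binary under another name, whereas the arguments needed to delete shadow copies do not change. In production telemetry, Sysmon's `OriginalFileName` field is a better second signal than the image path, and the per-host summary is where you would add a time window to turn three separate low-priority alerts into one incident.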
Indicators of Compromise
- [URL] Contact and leak sites – unique .onion URL used to contact the group and the RansomHub Tor data leak site (onion service)
Read more: https://www.attackiq.com/2024/09/05/response-to-cisa-advisory-aa24-242a/