RansomHub: New Ransomware has Origins in Older Knight

RansomHub appears to be rooted in Knight's code. It surfaced publicly in February 2024, shortly after Knight's operators shut down and their source code was reportedly offered for sale, so RansomHub may have been launched from that purchased source. Samples of both families are Go payloads protected with heavy obfuscation, and Symantec highlights RansomHub's rapid growth and the data-leak site links embedded in each payload. Hashtags: #RansomHub #Knight

Keypoints

  • RansomHub likely derives from Knight's source code, which was reportedly offered for sale in February 2024 after Knight's operators shut down.
  • Both RansomHub and Knight payloads are written in Go and largely obfuscated with Gobfuscate, making the two families hard to tell apart.
  • Code overlap between the families is significant; the embedded data-leak site links are often the clearest way to distinguish them.
  • The only noted behavioral difference is that RansomHub adds a sleep command that Knight lacks.
  • Initial access in an observed RansomHub campaign came from exploiting Zerologon (CVE-2020-1472) to obtain domain administrator privileges.
  • Attackers relied on dual-use tools (Atera, Splashtop) for remote access and on NetScan to enumerate network devices.
  • RansomHub rapidly grew into one of the most active ransomware operations, claiming attacks such as the Christie's incident and apparently attracting affiliates.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – The attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472) to gain domain administrator privileges. Zerologon is a flaw in the Netlogon Remote Protocol (MS-NRPC) authentication handshake that lets an unauthenticated attacker with network access to a domain controller reset the DC's machine account password, so a single reachable, unpatched DC is enough to take the domain. ‘the attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472), which can allow an attacker to gain domain administrator privileges and take control of the entire domain.’
  • [T1021] Remote Services – Atera and Splashtop were used to facilitate remote access. ‘The attackers used several dual-use tools before deploying the ransomware. Atera and Splashtop were used to facilitate remote access.’
  • [T1046] Network Service Scanning – NetScan was likely used to discover and retrieve information about network devices. ‘NetScan was used to likely discover and retrieve information about network devices.’
  • [T1059.003] Windows Command Shell – The RansomHub payload leveraged the iisreset.exe and iisrstas.exe command-line tools to stop all Internet Information Services (IIS) services before encryption; both are legitimate Windows administration binaries, so their execution is only suspicious in context. ‘…command-line tools to stop all Internet Information Services (IIS) services.’
  • [T1027] Obfuscated/Compressed Files and Information – Both payloads are written in Go and most variants of each family are obfuscated with Gobfuscate. ‘Both payloads are written in Go and most variants of each family are obfuscated with Gobfuscate.’

Indicators of Compromise

  • [SHA-256 Hash] RansomHub – 02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292, 34e479181419efd0c00266bef0210f267beaa92116e18f33854ca420f65e2087
  • [SHA-256 Hash] Knight – 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2, 2f3d82f7f8bd9ff2f145f9927be1ab16f8d7d61400083930e36b6b9ac5bbe2ad
  • [SHA-256 Hash] NetScan – fb9f9734d7966d6bc15cce5150abb63aadd4223924800f0b90dc07a311fb0a7e
  • [SHA-256 Hash] Splashtop – f1a6e08a5fd013f96facc4bb0d8dfb6940683f5bdfc161bd3a1de8189dea26d3
  • [SHA-256 Hash] Atera – a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
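
The techniques and indicators above translate directly into a small triage routine. The following Python is an added example written for this page, not Symantec's code or anything from the report: it walks Sysmon process-creation events (Event ID 1) and Security events (Event ID 4742), matches SHA-256 values against the IOC list, flags the IIS-stop binaries the payload is described as invoking, flags process images whose names suggest the dual-use tools, and applies a common Zerologon heuristic (a computer account password change on a DC attributed to ANONYMOUS LOGON). The event dicts, the RecordID values, the `locker.exe` path and the dual-use name substrings are constructed assumptions for illustration; the hashes are the ones listed above.

```python
"""Triage Windows telemetry for the RansomHub/Knight intrusion pattern.

Added example, not code from the Symantec report.  Events are modelled as
flat dicts in the shape of Sysmon Event ID 1 (process creation, with the
Sysmon 'Hashes' field) and Security Event ID 4742 (computer account changed).
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# SHA-256 indicators from the report, keyed to the family/tool they belong to.
IOC_SHA256: Dict[str, str] = {
    "02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292": "RansomHub",
    "34e479181419efd0c00266bef0210f267beaa92116e18f33854ca420f65e2087": "RansomHub",
    "104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2": "Knight",
    "2f3d82f7f8bd9ff2f145f9927be1ab16f8d7d61400083930e36b6b9ac5bbe2ad": "Knight",
    "fb9f9734d7966d6bc15cce5150abb63aadd4223924800f0b90dc07a311fb0a7e": "NetScan",
    "f1a6e08a5fd013f96facc4bb0d8dfb6940683f5bdfc161bd3a1de8189dea26d3": "Splashtop",
    "a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2": "Atera",
}

# The two IIS control binaries the payload is reported to run (T1059.003).
IIS_STOP_RE = re.compile(r"(^|\\)(iisreset|iisrstas)\.exe\b", re.IGNORECASE)

# Loose product-name heuristic for the dual-use tools (assumption: real agent
# binaries carry these substrings; tune to your environment).
DUAL_USE_RE = re.compile(r"(atera|splashtop|netscan)", re.IGNORECASE)


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase_hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_event(ev: dict) -> List[str]:
    """Return finding labels for one event (empty list when nothing matches)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon process creation
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        sha = parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in IOC_SHA256:
            findings.append(f"ioc_hash:{IOC_SHA256[sha]}")
        if IIS_STOP_RE.search(image) or IIS_STOP_RE.search(cmd):
            findings.append("iis_stop")  # legitimate in maintenance; needs context
        if DUAL_USE_RE.search(image.rsplit("\\", 1)[-1]):
            findings.append("dual_use_tool")
    elif eid == 4742:  # Security: computer account was changed
        # Zerologon resets a DC machine-account password without credentials, so
        # the change is logged with ANONYMOUS LOGON as the subject.  Heuristic only.
        subject = ev.get("SubjectUserName", "").upper()
        target = ev.get("TargetUserName", "")
        if subject == "ANONYMOUS LOGON" and target.endswith("$"):
            findings.append("zerologon_heuristic")
    return findings


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Flatten findings to (RecordID, label) pairs for easy review."""
    return [(ev["RecordID"], f) for ev in events for f in triage_event(ev)]


# Constructed sample telemetry (not real logs); hashes reuse the IOC list.
SAMPLE_EVENTS: List[dict] = [
    {"RecordID": 1, "EventID": 1, "Image": r"C:\Windows\System32\iisreset.exe",
     "CommandLine": "iisreset.exe /stop", "Hashes": "SHA256=" + "0" * 64},
    {"RecordID": 2, "EventID": 1, "Image": r"C:\Users\Public\locker.exe",
     "CommandLine": "locker.exe",
     "Hashes": "SHA256=02E9F0FBB7F3ACEA4FCF155DC7813E15C1C8D1C77C3AE31252720A9FA7454292"},
    {"RecordID": 3, "EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$"},
    {"RecordID": 4, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=" + "1" * 64},
    {"RecordID": 5, "EventID": 1, "Image": r"C:\Temp\netscan.exe",
     "CommandLine": "netscan.exe",
     "Hashes": "SHA256=fb9f9734d7966d6bc15cce5150abb63aadd4223924800f0b90dc07a311fb0a7e"},
]

if __name__ == "__main__":
    for record_id, label in triage(SAMPLE_EVENTS):
        print(record_id, label)
```

Hash matching is exact and case-normalised, so a recompiled or repacked payload will slip past it; the iis_stop and dual_use_tool labels are the more durable signals but are noisy on their own (administrators run iisreset, and Atera or Splashtop may be sanctioned), so treat them as triage leads to correlate with the account-change and hash hits rather than as alerts by themselves.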

Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware