Key points
- RansomHub is a ransomware-as-a-service variant affecting at least 210 victims across multiple sectors.
- It uses a double-extortion model: encrypting systems and exfiltrating data to extort victims.
- The ransom note typically does not include an initial ransom demand; victims are directed to a unique .onion URL via Tor.
- Initial access methods include phishing, exploiting known vulnerabilities, and password spraying.
- MITRE ATT&CK techniques observed include phishing, exploit public-facing apps, PowerShell, WMI, account creation/manipulation, RDP, masquerading, and more.
- Encryption uses Curve25519, with chunked encryption, specific processes targeted, and deletion of shadow copies to hinder recovery.
- Defensive mitigations emphasize patching, MFA, network segmentation, logging, backups, email security, and secure design practices.
MITRE Techniques
- [T1566] Phishing – RansomHub affiliates used mass phishing and spear-phishing emails to obtain initial access.
- [T1190] Exploit Public-Facing Application – RansomHub affiliates exploited known vulnerabilities to obtain initial access.
- [T1059.001] Command and Scripting Interpreter: PowerShell – RansomHub affiliates used PowerShell and scripts to automate the intrusion.
- [T1047] Windows Management Instrumentation – RansomHub affiliates abused Windows Management Instrumentation to execute malicious commands.
- [T1136] Create Account – RansomHub affiliates created accounts to maintain access to victim systems.
- [T1098] Account Manipulation – RansomHub affiliates manipulated accounts to maintain and elevate access.
- [T1021.001] Remote Services: Remote Desktop Protocol – RansomHub affiliates logged onto systems using RDP and performed actions as the logged-on user.
- [T1036] Masquerading – RansomHub affiliates hid binaries by renaming executable names.
- [T1070] Indicator Removal on Host – RansomHub affiliates removed logs to inhibit cybersecurity response.
- [T1562.001] Impair Defenses: Disable or Modify Tools – RansomHub affiliates disabled endpoint detection and response tooling to avoid detection.
- [T1003] OS Credential Dumping – RansomHub affiliates used Mimikatz on Windows systems to gather credentials.
- [T1110.003] Brute Force: Password Spraying – RansomHub affiliates used password spraying to obtain initial access.
- [T1018] Remote System Discovery – RansomHub affiliates attempted to list other systems by IP address or hostname.
- [T1046] Network Service Discovery – RansomHub affiliates attempted to list services running on remote hosts.
- [T1210] Exploitation of Remote Services – RansomHub affiliates exploited remote services to gain unauthorized access.
- [T1219] Remote Access Software – RansomHub affiliates used AnyDesk for command and control.
- [T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – RansomHub affiliates stole data by exfiltrating it over an asymmetrically encrypted, non-C2 network protocol.
- [T1537] Transfer Data to Cloud Account – RansomHub affiliates exfiltrated data by transferring it, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- [T1486] Data Encrypted for Impact – RansomHub used encryption for ransomware operations.
- [T1490] Inhibit System Recovery – RansomHub deleted volume shadow copies to inhibit recovery.
Indicators of Compromise
- [IP] Known IPs related to malicious activity – 8.211.2.97, 45.95.67.41, and other known IPs linked to activity (2023–2024).
- [URL] Known web requests related to malicious activity – http://188.34.188.7/555, http://89.23.96.203/333/1.exe (and other listed URLs).
- [File Path] Directory/file names associated with activity – C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe, C:\Users\%USERNAME%\Desktop\IamBatMan.exe (and other paths).
- [Email] Email addresses associated with RansomHub communications – brahma2023[@]onionmail.org, [@]protonmail.com.
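The indicators above only help if they are actually matched against telemetry. The following is an added example (not code from CISA or from the advisory) showing one way to sweep log lines for the listed IPs, URLs, file paths and the defanged contact address, and, alongside those atomic indicators, to flag the shadow-copy deletion behaviour (T1490) described in the key points. The log lines are constructed for the demo, the `%USERNAME%` placeholder is treated as a wildcard path segment, and the `vssadmin`/`wmic` regex is this example's own assumption about how the T1490 behaviour appears in process-creation telemetry; the truncated `[@]protonmail.com` entry is left out because the page gives no full address.

```python
"""
Added example: match the RansomHub advisory's listed IoCs and the T1490
shadow-copy deletion behaviour against constructed log lines.
Not part of the CISA advisory; indicator values are copied from the summary.
"""
import ipaddress
import re

# Atomic indicators as listed in the summary (constructed subset for the demo).
IOC_IPS = {"8.211.2.97", "45.95.67.41"}
IOC_URLS = {"http://188.34.188.7/555", "http://89.23.96.203/333/1.exe"}
IOC_PATHS = [
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe",
    r"C:\Users\%USERNAME%\Desktop\IamBatMan.exe",
]
IOC_EMAILS = {"brahma2023[@]onionmail.org"}  # defanged as listed on the page

# Behavioural indicator for T1490 (Inhibit System Recovery). The regex is an
# assumption of this example; tune it against your own command-line telemetry.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value: str) -> str:
    """Turn defanged notation ([@], [.], hxxp) into the literal form seen in logs."""
    return value.replace("[@]", "@").replace("[.]", ".").replace("hxxp", "http")


def path_pattern(path: str) -> re.Pattern:
    """Compile an IoC file path into a regex with %USERNAME% as a one-segment wildcard."""
    parts = [re.escape(p) for p in path.split("%USERNAME%")]
    return re.compile(r"[^\\]+".join(parts), re.IGNORECASE)


IOC_PATH_PATTERNS = [path_pattern(p) for p in IOC_PATHS]
IOC_EMAILS_REFANGED = {refang(e) for e in IOC_EMAILS}


def scan_line(line: str) -> list:
    """Return a list of (kind, value) hits for one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)      # drop regex false positives such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for url in IOC_URLS:
        if url in line:
            hits.append(("url", url))
    for pat in IOC_PATH_PATTERNS:
        m = pat.search(line)
        if m:
            hits.append(("path", m.group(0)))
    for email in IOC_EMAILS_REFANGED:
        if email.lower() in line.lower():
            hits.append(("email", email))
    if SHADOW_DELETE.search(line):
        hits.append(("behaviour", "T1490 shadow copy deletion"))
    return hits


def scan_log(lines) -> list:
    """Return [(line_number, hits)] for every line with at least one hit (1-indexed)."""
    return [(n, scan_line(l)) for n, l in enumerate(lines, 1) if scan_line(l)]


# Constructed sample log (not real telemetry): firewall, proxy, Sysmon and mail lines.
SAMPLE_LOG = [
    "2024-06-11T02:14:03Z fw allow src=10.0.4.21 dst=45.95.67.41 dport=443",
    "2024-06-11T02:15:40Z proxy GET http://89.23.96.203/333/1.exe host=WS-17",
    "2024-06-11T02:16:02Z sysmon ProcessCreate Image=C:\\Users\\jdoe\\Desktop\\IamBatMan.exe",
    "2024-06-11T02:16:30Z sysmon ProcessCreate CommandLine=vssadmin.exe delete shadows /all /quiet",
    "2024-06-11T02:20:11Z mail outbound to=brahma2023@onionmail.org subject=decrypt",
    "2024-06-11T02:21:00Z fw allow src=10.0.4.21 dst=142.250.80.46 dport=443",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Plain substring and regex matching is enough to show the idea; in production the same indicator set would normally be loaded into a SIEM or EDR watchlist, and the behavioural rule, which will keep firing long after the listed IPs and URLs rotate, is the more durable of the two.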
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a