Source URL: https://www.theregister.com/2024/08/30/ransomhub/
Source: The Register
Title: RansomHub hits 210 victims in just 6 months
Feedly Summary: The ransomware gang recruits high-profile affiliates from LockBit and ALPHV
As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it’s time to issue an official warning about the group that’s gunning for ransomware supremacy.…
AI Summary and Description: Yes
Summary: The text discusses the emergence of the ransomware group RansomHub, which has quickly gained notoriety by targeting a wide range of sectors and accumulating numerous victims since its inception. It highlights the importance of appropriate security measures and the role of organizations like CISA in promoting secure software practices to mitigate ransomware threats.
Detailed Description:
– RansomHub, a newly emerging ransomware group, has gathered a significant number of victims—over 210—since it began operations in February 2023, primarily attracting talent from previous ransomware operations like LockBit and ALPHV.
– The group targets various sectors indiscriminately, including critical infrastructure and emergency services, raising concerns for security and law enforcement agencies.
– A security advisory from CISA, FBI, HHS, and MS-ISAC aims to inform defenders about the tactics, techniques, and procedures (TTPs) used by RansomHub, enabling them to create effective detection rules.
– Key insights from the advisory include:
  – RansomHub affiliates are known to exploit recent vulnerabilities, alongside older ones such as CVE-2017-0144 (related to the NSA’s EternalBlue) and ZeroLogon.
  – Common tools used by RansomHub include Mimikatz for credential harvesting, Cobalt Strike, and Metasploit for lateral movement and data exfiltration.
  – It is important for defenders to remain vigilant and monitor network logs for these tools and techniques, which vary depending on the affiliate.
– Recommended mitigations fall under basic security practices, emphasizing:
  – Keeping systems and software updated
  – Segmenting networks
  – Enforcing strong password policies
– CISA’s Secure By Design initiative is highlighted, advocating for security to be integrated into product architecture and mandating multi-factor authentication (MFA) for privileged users.
– The competition among ransomware groups has intensified, with RansomHub positioned as a leading player, potentially comparable to past heavyweights LockBit and ALPHV.
– Emerging competitors in the ransomware landscape include INC, Play, Akira, and others, all competing for the largest share of claimed victims.
– An additional insight from Cisco Talos suggests that BlackByte, another group linked to Conti, is more active than previously indicated, hinting at a broader trend in the evolution of ransomware operations.
This information is crucial for security professionals, providing insight into current threats, the tactics used by ransomware groups, and the importance of robust security practices.