Heimdal


RansomHub ransomware affiliates have reportedly breached over 200 victims from a wide range of critical U.S. infrastructure sectors.

This ransomware-as-a-service (RaaS) operation reached this milestone quickly, having first been spotted in February 2024. The ransomware group specializes in data-theft-based extortion rather than encrypting victims’ files. It extorts its victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail.

RansomHub has been claiming responsibility for breaches at Christie’s Auction House, Rite Aid Pharmacy Chain, American not-for-profit credit union Patelco, and U.S. telecom operator Frontier Communications since the beginning of the year. Afterward, Frontier Communications notified more than 750,000 consumers that a data breach had exposed their data.

The FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) released a joint advisory and confirmed that the threat actors target their victims in double-extortion attacks.

The federal agencies stated that RansomHub, formerly known as Cyclops and Knight, “has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).”

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

Joint Advisory (Source)

A Detailed Advisory Was Released: Indicators of Compromise, TTPs, And More Covered

The agencies provided a deep analysis of the ransomware group in the released joint advisory, including indicators of compromise and information on the group’s and its affiliates’ tactics, techniques, and procedures (TTPs).

Network defenders are advised to implement the agencies’ recommendations.

Aside from using strong passwords and multifactor authentication (MFA) for webmail, VPN, and accounts connected to critical systems, they should concentrate on patching vulnerabilities that have already been exploited in the wild.

Regular vulnerability assessments and software updates should also be part of security protocols.
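One way to act on the two recommendations above (patch what is already exploited in the wild first, and fold that into regular vulnerability assessments) is to cross-reference scanner findings against a known-exploited-vulnerabilities catalogue. The script below is an added example and is not code from the article or from the advisory. It assumes the field layout of CISA's Known Exploited Vulnerabilities JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the catalogue entries, host names and CVE identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Rank vulnerability-scan findings by whether they appear in a KEV-style
catalogue, so already-exploited issues are patched first.

Added example, not part of the original article. KEV_SAMPLE and
SCAN_FINDINGS are constructed; the CVE identifiers are placeholders.
Field names follow the layout of CISA's KEV JSON feed; a saved copy of
the real feed can be loaded with load_kev_feed() and passed in instead.
"""
import json

# Constructed catalogue in KEV JSON layout (placeholder CVE IDs)
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2024-02-10", "dueDate": "2024-03-02",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Webmail",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleOS", "product": "Kernel",
         "dateAdded": "2024-01-15", "dueDate": "2024-02-05",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed scanner output: host -> CVE IDs reported on that host
SCAN_FINDINGS = {
    "vpn-gw-01": ["CVE-0000-0001", "CVE-0000-9999"],
    "mail-01": ["CVE-0000-0002"],
    "fileserver-02": ["CVE-0000-0003", "CVE-0000-0001"],
    "workstation-17": ["CVE-0000-9998"],
}


def load_kev_feed(path):
    """Load a locally saved copy of the KEV JSON feed (same layout as KEV_SAMPLE)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_kev(feed):
    """Map cveID -> catalogue entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, feed, today_iso):
    """Return the findings present in the catalogue, most urgent first.

    Ordering: entries tied to ransomware campaigns first, then entries whose
    remediation due date has already passed, then earliest due date, then
    host name. Dates are ISO strings, so plain string comparison orders them.
    """
    kev = index_kev(feed)
    hits = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known to be exploited; handled by normal cadence
            hits.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "due": entry["dueDate"],
                "overdue": entry["dueDate"] < today_iso,
            })
    hits.sort(key=lambda h: (not h["ransomware_use"], not h["overdue"], h["due"], h["host"]))
    return hits


def summarize(hits):
    """Count affected hosts per CVE, for the assessment report."""
    counts = {}
    for h in hits:
        counts[h["cve"]] = counts.get(h["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in prioritize(SCAN_FINDINGS, KEV_SAMPLE, "2024-09-01"):
        flag = "RANSOMWARE" if h["ransomware_use"] else "exploited"
        state = "OVERDUE" if h["overdue"] else f'due {h["due"]}'
        print(f'{h["host"]:15} {h["cve"]} {h["product"]:20} {flag:10} {state}')
    print(summarize(prioritize(SCAN_FINDINGS, KEV_SAMPLE, "2024-09-01")))
```

Run it as-is to see the constructed findings ranked; in practice, replace SCAN_FINDINGS with your scanner's export and KEV_SAMPLE with load_kev_feed("known_exploited_vulnerabilities.json"). The ordering deliberately puts ransomware-linked entries ahead of everything else, which matches the advisory's emphasis on exploited vulnerabilities over raw CVSS severity.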

The federal agencies added that they do not encourage paying a ransom, as payment does not guarantee victim files will be recovered, and may encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his skill in communicating cybersecurity norms effectively and in an easy-to-understand manner.
