Dive Brief:
- The Cybersecurity and Infrastructure Security Agency (CISA) and FBI are warning network defenders about a growing threat from RansomHub, a prolific ransomware group that has attacked more than 210 organizations since launching in February 2024. The Department of Health and Human Services and MS-ISAC joined CISA and the FBI in authoring the advisory.
- RansomHub is among the most active threat groups in the world this year, researchers said. It accounted for 43 attacks during the month of July, up from 27 the prior month, according to NCC Group.
- The group and its affiliates have been linked to some of the biggest ransomware attacks of 2024, including the Change Healthcare attack and the attack on Frontier Communications, which compromised the data of at least 751,000 people.
Dive Insight:
The group, which formerly operated under the names Cyclops and then Knight, has also engaged with prominent affiliates including those formerly linked to AlphV and LockBit, according to the advisory and security researchers.
“RansomHub operates a ransomware-as-a-service model (RaaS), which will contribute to the higher numbers we observe, with wider affiliates also employing the ransomware strain to conduct attacks,” Matt Hull, global head for strategic threat intelligence at NCC Group, said via email.
“Likewise, previous LockBit affiliates are suggested to have switched over to the RansomHub RaaS model, as well as other groups, thus further contributing to their dominant presence in the threat landscape.”
Research from Sophos has linked RansomHub to a tool called Poortry that can neutralize endpoint detection and response (EDR) software, which is used to protect endpoints.
RansomHub and its affiliates have exploited a number of critical vulnerabilities, including CVE-2023-3519 in Citrix NetScaler and CVE-2023-46747 in F5 BIG-IP.
Among the confirmed targets of RansomHub and its affiliates, many provide critical services, including water and wastewater, critical manufacturing, emergency services, financial services and food and agriculture.