#StopRansomware: RansomHub Ransomware | CISA

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), hereafter referred to as the authoring organizations, are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant, formerly known as Cyclops and Knight, that has established itself as an efficient and successful service model, recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV.

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted
that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL reachable through the Tor browser. The ransom note typically gives victims between three and 90 days to pay the ransom, depending on the affiliate, before the ransomware group publishes their data on the RansomHub Tor data leak site.

The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report.

For a downloadable copy of IOCs, see:

Note: This advisory uses the MITRE ATT&CK Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

RansomHub affiliates typically compromise internet-facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:

RansomHub affiliates conduct network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living-off-the-land methods, using PowerShell to conduct network scanning [T1018], [T1046], [T1059.001].

Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user's desktop (C:\Users\[USERNAME]\Desktop) or downloads (C:\Users\[USERNAME]\Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any
potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001].

Following initial access, RansomHub affiliates created user accounts for persistence [T1136], re-enabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], AnyDesk [T1219], ConnectWise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods.

Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.

RansomHub ransomware has typically leveraged an elliptic curve encryption algorithm called Curve 25519 to encrypt user-accessible files on the system [T1486]. Curve 25519 uses a public/private key that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes:

The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares.

RansomHub implements intermittent encryption, encrypting files in 0x100000-byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is
listed below, with images from three different encrypted files.

The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file.

The next two bytes were always seen to be 0x0001.

The next 32 bytes are the public encryption key for the file.

The next four bytes are a checksum value.

The last four bytes are always seen to be the sequence 0x00ABCDEF.

The ransomware executable does not typically encrypt executable files. A random file extension is added to file names, and a ransom note, generally titled "How To Restore Your Files.txt", is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490].

See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Disclaimer: Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. The authoring organizations recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

See Table 2 through Table 5 for IOCs obtained from FBI investigations.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking. Many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

See Table 6 through Table 17 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to
the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

If compromise is detected, organizations should:

The authoring organizations recommend organizations implement the mitigations below to improve cybersecurity posture based on RansomHub's activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team):

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

For more
information on secure by design, see CISA's Secure by Design webpage.

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

CISA, FBI, MS-ISAC, and HHS recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI's Internet Crime Complaint Center
(IC3), a local FBI Field Office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

The information in this report is being provided "as is" for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.
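The advisory's description of the intermittent encryption scheme (0x100000-byte chunks, 0x200000 bytes skipped between them, small files encrypted whole) and of the 58-byte (0x3A) trailer appended to each encrypted file is enough to write a small triage script. The following is an added example, not a tool from CISA, the FBI, or any vendor: it parses the trailer fields the advisory lists, checks the two constant fields (0x0001 and 0x00ABCDEF), and computes which byte ranges of a file the scheme would have touched, so a responder can estimate how much of a large file is still plaintext before any recovery attempt. The field order and sizes come from the advisory; the little-endian reading of the block-size field, the file-order interpretation of the two constants, and the treatment of the trailer's leading eight bytes (which the advisory text as reproduced here does not describe) are assumptions, and the sample trailer is constructed for the demonstration, not taken from a real sample.

```python
"""Triage helpers for files encrypted by the RansomHub scheme described in the advisory.

Added example code, not an official CISA/FBI tool. Layout and constants follow the
advisory text; byte order and the leading 8-byte field are assumptions (see comments).
"""
from typing import Dict, List, Tuple

TRAILER_LEN = 0x3A            # 58 bytes appended to every encrypted file (advisory)
DEFAULT_CHUNK = 0x100000      # encrypted chunk size (advisory)
DEFAULT_GAP = 0x200000        # plaintext skipped between chunks (advisory; one
                              # sample in the advisory shows 0x100000 instead)
MARKER = b"\x00\x01"          # "always seen to be 0x0001"; ASSUMED file-order bytes
MAGIC = b"\x00\xAB\xCD\xEF"   # "always 0x00ABCDEF";        ASSUMED file-order bytes


def encrypted_ranges(body_size: int, chunk: int = DEFAULT_CHUNK,
                     gap: int = DEFAULT_GAP) -> List[Tuple[int, int]]:
    """[start, end) byte ranges the intermittent scheme encrypts in a body of body_size.

    Files smaller than one chunk are encrypted completely; larger files get one
    chunk every (chunk + gap) bytes, starting at offset 0.
    """
    if body_size <= 0:
        return []
    if body_size <= chunk:
        return [(0, body_size)]
    ranges, start = [], 0
    while start < body_size:
        ranges.append((start, min(start + chunk, body_size)))
        start += chunk + gap
    return ranges


def plaintext_bytes(body_size: int, chunk: int = DEFAULT_CHUNK,
                    gap: int = DEFAULT_GAP) -> int:
    """Number of body bytes the scheme leaves untouched."""
    return body_size - sum(e - s for s, e in encrypted_ranges(body_size, chunk, gap))


def parse_trailer(trailer: bytes) -> Dict[str, object]:
    """Decode the 0x3A-byte trailer.

    Layout (totals 58 bytes):
       8 bytes  leading field   (not described in the advisory text; kept raw)
       8 bytes  encrypted block size, all zeros if the whole file is encrypted
       2 bytes  constant 0x0001
      32 bytes  per-file public key
       4 bytes  checksum
       4 bytes  constant 0x00ABCDEF
    """
    if len(trailer) != TRAILER_LEN:
        raise ValueError(f"trailer must be {TRAILER_LEN} bytes, got {len(trailer)}")
    return {
        "leading": trailer[0:8],
        "block_size": int.from_bytes(trailer[8:16], "little"),  # ASSUMED little-endian
        "marker_ok": trailer[16:18] == MARKER,
        "public_key": trailer[18:50].hex(),
        "checksum": trailer[50:54].hex(),
        "magic_ok": trailer[54:58] == MAGIC,
    }


def looks_like_ransomhub_trailer(trailer: bytes) -> bool:
    """True when both constant fields match; a cheap first-pass classifier."""
    if len(trailer) != TRAILER_LEN:
        return False
    t = parse_trailer(trailer)
    return bool(t["marker_ok"] and t["magic_ok"])


def triage_file(data: bytes, gap: int = DEFAULT_GAP) -> Dict[str, object]:
    """Split an encrypted file into body and trailer and report what the scheme touched."""
    if len(data) < TRAILER_LEN:
        raise ValueError("file is shorter than the 0x3A-byte trailer")
    body, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    t = parse_trailer(trailer)
    if not (t["marker_ok"] and t["magic_ok"]):
        return {"recognized": False, "body_size": len(body), "trailer": t}
    if t["block_size"] == 0:                      # all-zero field: whole file encrypted
        ranges = [(0, len(body))] if body else []
    else:
        ranges = encrypted_ranges(len(body), chunk=int(t["block_size"]), gap=gap)
    enc = sum(e - s for s, e in ranges)
    return {"recognized": True, "body_size": len(body), "encrypted_bytes": enc,
            "plaintext_bytes": len(body) - enc, "ranges": ranges, "trailer": t}


# Constructed sample trailer (not from a real file): zero leading field, block size
# 0x100000, the 0x0001 marker, a dummy 32-byte key, a dummy checksum, the constant tail.
SAMPLE_TRAILER = (bytes(8) + (0x100000).to_bytes(8, "little") + MARKER
                  + bytes(range(32)) + b"\x11\x22\x33\x44" + MAGIC)

if __name__ == "__main__":
    print(parse_trailer(SAMPLE_TRAILER))
    for size in (0x80000, 0x400000):
        print(hex(size), [(hex(s), hex(e)) for s, e in encrypted_ranges(size)],
              "plaintext:", hex(plaintext_bytes(size)))
    print(triage_file(bytes(0x400000) + SAMPLE_TRAILER)["plaintext_bytes"])
```

The `gap` parameter is kept explicit because the advisory gives 0x200000 in one place and shows 0x100000 between blocks for one sample; when triaging a real file, confirm the spacing by locating the first high-entropy run after the initial chunk rather than trusting either constant.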