Authorities in the United States have issued a joint cybersecurity advisory covering a prolific ransomware group, RansomHub.
The group is believed to have “encrypted and exfiltrated” data from at least 210 victims using double extortion, in which stolen data is held over the victim alongside the encryption itself.
The group’s victims spanned organizations in the public and private sectors, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. The group also targeted “critical” infrastructure in manufacturing, transport and communications.
The advisory note details the tactics, techniques and procedures (TTPs), and indicators of compromise (IOCs), as well as steps organizations can take to defend themselves.
RansomHub's Tactics, Techniques and Procedures
RansomHub uses double extortion “by encrypting systems and exfiltrating data to extort victims”, according to CISA, the US national cyber defense agency. However, as RansomHub works on an affiliate model, the exact method of data exfiltration will depend on the affiliate that has broken into the victim’s network.
The agencies say that RansomHub affiliates typically “compromise internet facing systems and user endpoints” through phishing, password spraying (trying a small set of common or previously breached passwords across many accounts, so that no single account trips a lockout threshold) and by exploiting known vulnerabilities.
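Password spraying is easy to miss with per-account lockout rules because each account sees only one or two failures. The detection below, an added example that is not part of the advisory or this article, keys on the feature that distinguishes a spray from a brute force: one source address failing against many distinct accounts inside a short window. The log format, the sample lines, the address ranges (TEST-NET space), the window and the account threshold are all constructed assumptions; a real deployment would parse Windows 4625 events, VPN or IdP logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified auth-log format (assumption; real logs need their own parser).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 fails once each against six accounts in under
# two minutes (spray pattern); 198.51.100.7 is a real user mistyping her own
# password three times before succeeding (not a spray, and must not be flagged).
SAMPLE_LOG = """
2024-08-29T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-08-29T09:00:14Z src=203.0.113.5 user=bob result=FAIL
2024-08-29T09:00:27Z src=198.51.100.7 user=carol result=FAIL
2024-08-29T09:00:31Z src=203.0.113.5 user=carol result=FAIL
2024-08-29T09:00:45Z src=203.0.113.5 user=dave result=FAIL
2024-08-29T09:00:58Z src=198.51.100.7 user=carol result=FAIL
2024-08-29T09:01:12Z src=203.0.113.5 user=erin result=FAIL
2024-08-29T09:01:40Z src=203.0.113.5 user=frank result=FAIL
2024-08-29T09:01:55Z src=198.51.100.7 user=carol result=OK
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def find_spray_sources(lines, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source: distinct_accounts} for sources whose failed logins hit at
    least `min_accounts` distinct users within any `window`-long interval.

    Breadth, not depth, is the signal: one source, many accounts, few attempts
    each. A brute force against a single account is deliberately not flagged here.
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span [start, end] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


if __name__ == "__main__":
    for src, n in find_spray_sources(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The threshold and window are the knobs to tune against your own baseline: shared NAT egress addresses and service desks will legitimately fail against several accounts, so start with a high account count and a short window and widen from there.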
Once inside the network, the affiliates encrypt data and drop a ransom note. The note typically does not state a ransom demand or payment details; instead, victims are given a client ID and instructions to contact the group via a .onion URL through the Tor browser. Researchers say victims are typically given 3-90 days to pay, after which their data is published on the RansomHub Tor data leak site.
To encrypt data, the group uses the elliptic-curve algorithm Curve25519 together with intermittent encryption, in which only portions of each file are overwritten rather than the whole file. That renders a victim's data unusable far faster than full encryption and produces less of the sustained high-entropy writing that file-level ransomware detections look for. The ransomware targets data files and does not typically encrypt executables.
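Intermittent encryption leaves a recognisable fingerprint: within one file, some chunks look like random bytes while neighbouring chunks still look like a document. The script below is an added example, not code from the advisory or from RansomHub's tooling, that profiles a file body chunk by chunk with Shannon entropy and labels the three shapes a responder meets. The 4 KiB analysis window, the entropy thresholds and the constructed sample files (seeded random bytes standing in for ciphertext, a repeated pangram standing in for a document) are assumptions; the ransomware's real chunk interval is not given in this article.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # analysis window in bytes (assumption, not the ransomware's own interval)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each consecutive `chunk`-byte window of the file body."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = 7.5, low: float = 6.5) -> str:
    """Label a file body by the shape of its per-chunk entropy profile.

    'intermittent' : some chunks near-random, others clearly structured;
                     the fingerprint of partial encryption
    'high-entropy' : every chunk near-random; encrypted OR legitimately
                     compressed (zip, jpeg, ...), so not conclusive alone
    'structured'   : no chunk near-random
    """
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "empty"
    n_high = sum(1 for e in ents if e >= high)
    n_low = sum(1 for e in ents if e <= low)
    if n_high == len(ents):
        return "high-entropy"
    if n_high and n_low:
        return "intermittent"
    return "structured"


# --- constructed samples, seeded so the result is reproducible ---
_rng = random.Random(20240829)


def random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes from a seeded generator."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


def plaintext(n: int) -> bytes:
    """Stand-in for a document: repeated English text, roughly 4-5 bits/byte."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    return (sentence * (n // len(sentence) + 1))[:n]


def intermittently_encrypted(n: int, chunk: int = CHUNK) -> bytes:
    """Overwrite every other chunk with ciphertext, leaving the rest as plaintext."""
    out = bytearray(plaintext(n))
    for i in range(0, n, 2 * chunk):
        out[i:i + chunk] = random_bytes(min(chunk, n - i))
    return bytes(out)


if __name__ == "__main__":
    size = 8 * CHUNK
    for name, body in [("document", plaintext(size)),
                       ("fully encrypted", random_bytes(size)),
                       ("partially encrypted", intermittently_encrypted(size))]:
        print(f"{name:20s} -> {classify(body)}")
```

Two practical notes. Uniformly high entropy is weak evidence on its own, since archives, images and already-encrypted backups look the same; the alternating profile is the stronger signal, and a sweep should compare against the file's expected format. And because the advisory says executables are not typically touched, a triage pass is better spent on file shares and document stores than on program directories.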
In the advisory, CISA lists IP addresses – many linked to QakBot – and email addresses as potential IOCs.
How to Respond to RansomHub Attacks
If victims believe they have been targeted by a RansomHub affiliate, the agencies advise taking any potentially affected hosts offline, reimaging them and issuing new account credentials. They should also monitor their systems for suspicious behavior.
CISA and its partners also advise organizations to maintain multiple, segmented backups of data, and to follow NIST guidance for password policies. CISOs should also ensure that organizations validate their security controls through testing and exercises.
The #StopRansomware joint Cybersecurity Advisory notes are issued by the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Department of Health and Human Services (HHS).