Earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a new security advisory describing a prolific ransomware threat actor. The advisory, titled “#StopRansomware: RansomHub Ransomware,” discusses the RansomHub group and was written in collaboration with the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS).
In the advisory, the agencies list indicators of compromise (IoCs), tactics, techniques and procedures (TTPs), and detection methods, all intended to help organizations identify an attack and stop it as quickly as possible.
RansomHub used to be nothing more than an affiliate of ALPHV (BlackCat). That affiliate was responsible for the Change Healthcare breach, in which the healthcare company paid a $22 million ransom in exchange for stolen files. However, the affiliate never received its share of the loot, as ALPHV’s administrators took everything and disappeared.
Becoming famous
RansomHub was left with the stolen data and tried again, unsuccessfully, to extort Change Healthcare.
Since then, the group has been working hard to make a name for itself in the underground community, with some success. According to a recent report in Infosecurity Magazine, the group has successfully compromised at least 210 organizations worldwide to date. In late May, it claimed responsibility for the attack on auction house Christie’s, which took down the company’s website just hours before a major event. A few months later, in mid-July, the American drugstore chain Rite Aid also confirmed that it had fallen victim to the same group.
In the advisory, CISA says RansomHub is a ransomware-as-a-service variant formerly known as Cyclops and Knight, and that it has recently attracted affiliates from LockBit and ALPHV.
“CISA encourages network defenders to review this advisory and implement the recommended measures,” the organization concludes, adding that software vendors “must take responsibility for improving their customers’ security outcomes by implementing secure by design practices.”