An analysis of the emerging ransomware variant known as RansomHub has found it to be a revamped and rebranded form of Knight ransomware, which itself evolved from the earlier Cyclops ransomware.
Knight ransomware, also referred to as Cyclops 2.0, debuted in May 2023, using double extortion techniques to both steal and encrypt victims’ data for monetary gain. It operates on several platforms, including Windows, Linux, macOS, ESXi, and Android.
Promoted and sold on the RAMP cybercrime forum, Knight ransomware attacks have utilized phishing and spear-phishing campaigns to distribute malicious attachments.
The ransomware-as-a-service (RaaS) operation was discontinued in late February 2024, when its source code was offered for sale. This suggests that it may have been acquired by a different actor, who chose to update and relaunch it under the RansomHub name.
RansomHub, which announced its first victim in the same month, has been linked to a series of ransomware attacks in recent weeks, targeting entities such as Change Healthcare, Christie’s, and Frontier Communications. It has pledged not to attack organizations in the Commonwealth of Independent States (CIS) countries, Cuba, North Korea, and China.
“Both payloads are written in Go, and most variants of each family are obfuscated with Gobfuscate,” Symantec, part of Broadcom, stated in a report shared with The Hacker News. “The significant code overlap between the two families makes it very difficult to distinguish them.”
The ransomware families share identical command-line help menus, with RansomHub introducing a new “sleep” option that allows it to remain dormant for a specified number of minutes before execution. Similar sleep commands have been noted in Chaos/Yashma and Trigona ransomware families.
The similarities between Knight and RansomHub also extend to the obfuscation techniques used to encode strings, the ransom notes left after file encryption, and their ability to restart a host in safe mode before beginning encryption.
The primary difference lies in the set of commands executed via cmd.exe, although “the way and order in which they are called relative to other operations is the same,” according to Symantec.
RansomHub attacks have been observed exploiting known security vulnerabilities (e.g., ZeroLogon) to gain initial access and deploy remote desktop software such as Atera and Splashtop before initiating ransomware.
Statistics from Malwarebytes indicate that the ransomware family has been linked to 26 confirmed attacks in April 2024 alone, ranking it behind Play, Hunters International, Black Basta, and LockBit.
Google-owned Mandiant, in a report published this week, disclosed that RansomHub is actively seeking to recruit affiliates affected by recent shutdowns or exit scams, such as those involving LockBit and BlackCat.
“One former Noberus affiliate known as Notchy is now reportedly collaborating with RansomHub,” Symantec noted. “Additionally, tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attack.”
“The rapid establishment of RansomHub’s operations suggests that the group may comprise veteran operators with extensive experience and connections in the cyber underground.”
This development comes amidst a rise in ransomware activity in 2023, following a “slight dip” in 2022. Approximately one-third of the 50 new families observed in 2023 have been identified as variants of previously known ransomware families, highlighting the growing trend of code reuse, actor overlap, and rebranding.
“In almost one-third of incidents, ransomware was deployed within 48 hours of the initial attacker access,” Mandiant researchers reported. “Seventy-six percent of ransomware deployments occurred outside of work hours, with the majority taking place in the early morning.”
These attacks are also marked by the use of commercially available and legitimate remote desktop tools to facilitate intrusion operations, rather than relying on Cobalt Strike.
“The observed increasing reliance on legitimate tools likely reflects efforts by attackers to conceal their operations from detection mechanisms and reduce the time and resources required to develop and maintain custom tools,” Mandiant stated.
The resurgence in ransomware attacks coincides with the emergence of new variants such as BlackSuit, Fog, and ShrinkLocker. ShrinkLocker, in particular, has been observed deploying a Visual Basic Script (VBScript) that abuses Microsoft’s native BitLocker utility for unauthorized drive encryption in extortion attacks targeting Mexico, Indonesia, and Jordan.
ShrinkLocker derives its name from its ability to create a new boot partition by reducing the size of each available non-boot partition by 100 MB. It then converts the unallocated space into a new primary partition and uses it to reinstall the boot files to enable recovery.
“This threat actor has an extensive understanding of the VBScript language and Windows internals and utilities, such as WMI, diskpart, and bcdboot,” Kaspersky noted in its analysis of ShrinkLocker, adding that they likely “already had full control of the target system when the script was executed.”
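The behaviours the article attributes to these families (a forced safe-mode reboot before encryption, staging of Atera or Splashtop after initial access, and ShrinkLocker's VBScript driving diskpart, bcdboot and BitLocker) are all visible in process-creation telemetry. The following is an added hunting example written for this page; it is not code from The Hacker News, Symantec, Mandiant or Kaspersky. The pipe-delimited records are constructed, and the mappings of "safe-mode reboot" to a `bcdedit ... safeboot` command and of "BitLocker" to `manage-bde.exe` are assumptions about how those steps are usually carried out, not facts stated in the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent image name, e.g. wscript.exe
    image: str    # full path of the created process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _from_script_host(e: ProcEvent) -> bool:
    return e.parent.lower() in SCRIPT_HOSTS


# Each rule is (name, predicate). These are hunting hypotheses, not vendor signatures.
RULES = [
    # Article: Knight/RansomHub restart the host in safe mode before encrypting.
    # Assumption: the reboot is staged with bcdedit's safeboot switch.
    ("safe_mode_reboot_staging",
     lambda e: e.image.lower().endswith("bcdedit.exe") and "safeboot" in e.cmdline.lower()),
    # Article: Atera / Splashtop deployed after initial access. Allowlist sanctioned
    # RMM tooling before using this rule in an environment that runs either product.
    ("rmm_tool_staging",
     lambda e: re.search(r"atera|splashtop", e.cmdline, re.I) is not None
               and re.search(r"\.(msi|exe)(\s|$|\")", e.cmdline, re.I) is not None),
    # Article: ShrinkLocker is a VBScript that drives diskpart, bcdboot and BitLocker.
    # Assumption: the BitLocker step is performed through manage-bde.exe.
    ("script_host_diskpart",
     lambda e: _from_script_host(e) and e.image.lower().endswith("diskpart.exe")),
    ("script_host_bcdboot",
     lambda e: _from_script_host(e) and e.image.lower().endswith("bcdboot.exe")),
    ("script_host_bitlocker",
     lambda e: _from_script_host(e) and e.image.lower().endswith("manage-bde.exe")),
]

# All three script-host rules on one host is the ShrinkLocker-like chain.
SHRINKLOCKER_CHAIN = {"script_host_diskpart", "script_host_bcdboot", "script_host_bitlocker"}


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: host|parent|image|cmdline."""
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, parent, image, cmdline)


def evaluate(lines):
    """Return {host: set(rule_names)}; hosts with no hits are omitted.

    Adds 'shrinklocker_like_chain' when every rule in SHRINKLOCKER_CHAIN fired on a host.
    """
    hits = defaultdict(set)
    for raw in lines:
        if not raw.strip():
            continue
        event = parse_line(raw)
        for name, predicate in RULES:
            if predicate(event):
                hits[event.host].add(name)
    for names in hits.values():
        if SHRINKLOCKER_CHAIN <= names:
            names.add("shrinklocker_like_chain")
    return dict(hits)


# Constructed sample telemetry (not real logs): one benign host, one RansomHub-style
# host, one ShrinkLocker-style host.
SAMPLE_LOG = """\
WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
WS01|cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot network
WS01|cmd.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i C:\\Temp\\AteraAgent.msi /qn
FS02|wscript.exe|C:\\Windows\\System32\\diskpart.exe|diskpart /s C:\\Windows\\Temp\\shrink.txt
FS02|wscript.exe|C:\\Windows\\System32\\bcdboot.exe|bcdboot C:\\Windows /s E:
FS02|wscript.exe|C:\\Windows\\System32\\manage-bde.exe|manage-bde -on C: -RecoveryPassword
ADM03|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    for host, names in sorted(evaluate(SAMPLE_LOG.splitlines()).items()):
        print(host, sorted(names))
```

The per-host aggregation matters more than any single rule: a lone `diskpart` run from a script host is common in administrative tooling, but diskpart, bcdboot and BitLocker enrolment all launched by `wscript.exe` on the same host within one batch is the sequence Kaspersky describes, and is worth paging on.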
Source: TheHackersNews