The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) have issued a joint advisory on a ransomware-as-a-service (RaaS) variant known as RansomHub.
This new variant has emerged as a major threat, already claiming at least 210 victims across multiple critical infrastructure sectors, including healthcare, financial services, and telecommunications.
The Rise of RansomHub
RansomHub, previously known as Cyclops and Knight, has quickly gained notoriety since its debut in February 2024. It operates under a ransomware-as-a-service model, which means that the developers of RansomHub offer their ransomware to affiliates who then deploy it against targets. This approach allows RansomHub to attract affiliates, including those previously associated with other prominent ransomware groups like LockBit and ALPHV, thereby expanding its reach and impact.
According to the joint advisory, RansomHub affiliates have successfully encrypted and exfiltrated data from organizations in various sectors, including water and wastewater systems, government services, emergency services, food and agriculture, critical manufacturing, and transportation.
High-Profile Attacks and Double-Extortion Tactics
Among the notable victims of RansomHub’s attacks are several high-profile organizations, such as Florida Health Dept., NTT Data, Patelco Credit Union, Rite Aid, Christie’s auction house, McDowall and U.S. telecom provider Frontier Communications.
RansomHub’s affiliates utilize a double-extortion model to maximize their leverage over victims. This strategy involves both encrypting the victims’ data and exfiltrating it, which is then used to coerce the victims into paying a ransom. The stolen data’s exposure is threatened if the ransom demands are not met, which can lead to severe reputational damage and financial loss for the affected organizations.
RansomHub’s ransom notes typically do not specify an initial ransom demand or provide direct payment instructions. Instead, they guide victims to a unique .onion URL accessible via the Tor browser, where further negotiations and instructions are given. The timeline for ransom payment varies from three to ninety days, depending on the affiliate conducting the attack.
Recommendations and Mitigations
In response to the growing threat of RansomHub, the authoring organizations have outlined several critical mitigations for organizations to strengthen their cybersecurity posture. These recommendations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). Key mitigations include:
- Implement a Robust Data Recovery Plan: Organizations should maintain multiple copies of sensitive data in physically separate, secure locations to ensure recovery in the event of an attack. This step is crucial for minimizing downtime and data loss.
- Strengthen Password Policies: Accounts with password logins, particularly administrative accounts, should adhere to NIST standards for password management. This includes using complex passwords, avoiding password reuse, and employing hashed storage methods with added security measures such as “salts” for shared login credentials.
- Enforce Multi-Factor Authentication (MFA): Requiring phishing-resistant MFA for administrator accounts and standard MFA for all other accounts significantly reduces the risk of unauthorized access. This is especially important for services such as webmail, VPNs, and critical systems.
- Network Segmentation and Monitoring: Segmenting networks to control traffic flows and restrict adversary movement can prevent the spread of ransomware. Utilizing network monitoring tools to detect abnormal activity is also crucial for early detection and response.
- Regular Software Updates and Patching: Keeping all operating systems, software, and firmware up to date is one of the most cost-effective measures to protect against ransomware attacks. Prioritizing patches for known vulnerabilities in internet-facing systems is particularly important.
- Implement Secure Logging Practices: Organizations should follow best practices for logging to detect suspicious activity. This includes regularly reviewing domain controllers, servers, and workstations for any new or unrecognized accounts and auditing user accounts with administrative privileges.
- Maintain Offline Backups: Ensuring that backups are kept offline and regularly maintained helps organizations recover quickly after an attack. It’s essential that all backup data is encrypted and immutable to protect against alteration or deletion by ransomware actors.
Call to Action for Software Manufacturers
While the immediate focus is on enterprise mitigations, the joint advisory also calls upon software manufacturers to embed security throughout the software development lifecycle (SDLC). By implementing security measures like MFA by default, manufacturers can help reduce the prevalence of vulnerabilities that ransomware groups like RansomHub exploit.
The advisory emphasizes the importance of continuous testing, exercising, and validating cybersecurity measures against threats mapped to the MITRE ATT&CK framework. This process helps organizations tune their security programs and ensure optimal performance against emerging threats.
