Sunday, December 29, 2024
Latest:
The Register 

How cops taking down LockBit, ALPHV led to RansomHub’s meteoric rise

TH Author

RansomHub, the ransomware collective that emerged earlier this year, quickly gained momentum, outpacing its criminal colleagues and hitting its victims especially hard. The group named and shamed hundreds of organizations on its leak site, while demanding exorbitant payments across various industries.

The group, a suspected Knight rebrand, first appeared in February and quickly picked up out-of-work affiliates from Lockbit following that crew’s law enforcement takedown around the same time. RansomHub also eagerly filled the void left by ALPHV/BlackCat after that group’s widely reported exit scam in March – bragging about recruiting affiliates from both defunct groups via TOX and cyber crime forums.

By August, just six months after setting up shop, RansomHub had claimed 210 victims and drawn the attention of the FBI, CISA, and other government agencies gunning for cyber criminals. Its victims allegedly include auction house Christie’s, Frontier Communications, US pharmacy chain Rite Aid, Planned Parenthood, and Delaware public libraries, among many others.

Its brand of malware has since become the encryptor of choice for Scattered Spider and other sophisticated criminals, and the gang posted a record-high 98 victims on its leak site in November. 

But, as other prolific digital thieves – including Scattered Spider – have learned, a string of high-profile attacks paints a very large target on the group and its affiliates. While it’s much more difficult to apprehend ransomware crooks who are given safe harbor by Russian prosecutors, even cyber criminals take holidays – and sometimes, the cops are waiting to make arrests during those moments.

‘Most active and significant’ ransomware threat

“I don’t want to put RansomHub up on a pedestal. They are an opportunistic group,” Michael McPherson, SVP of Security Operations at ReliaQuest, told The Register. “But they were smart to make this landgrab when they did. It will be interesting to see how long they can keep this run going.”

During its brief tenure, the Russia-linked group has made a name for itself as “the current most active and significant threat in ransomware activity,” according to an October 30 report from ReliaQuest, which called the gang the most dominant ransomware group during the third quarter of 2024.

“It’s an interesting group that did have a meteoric rise and almost seems to come out of nowhere,” conceded McPherson, a former FBI special agent. “There was an obvious effort for RansomHub to gain affiliates. They’re very, I would say, generous in their model and advertising a 90–10 split.”

This means the affiliates who pull off the attack may keep 90 percent of the extortion payment while the ransomware operators receive 10 percent. An 80–20 or 70–30 split is more common among these crime crews, so the higher payout makes it easier for the new kids on the block to attract more workers.

It will be interesting to see how long they can keep this run going

“These affiliates will go where the money is, and if somebody pays more, it would be silly not to go there,” McPherson opined, adding that this business model “would feed RansomHub’s ability to go out and hit so many victims at once by having a large affiliate base.”

Additionally, RansomHub’s operators on their dark web sites like to tout transparency with their affiliates – likely an effort to build trust with fellow criminals, following ALPHV’s alleged exit scam.

“There’s marketing involved,” McPherson observed. “They are reaching out to affiliates, trying to be more of a partner with them. They’re trying to evolve and take advantage of the cyber criminal landscape to grab market share. That’s what they want.”

Crew ‘moved fast and filled a void’

Still, the group’s tactics are not unique, he noted. The group employs repurposed Knight code and double-extortion methods – which are used by most ransomware gangs today.

This involves first breaking into their victims’ network and stealing valuable files, and then encrypting the data on the network, while also extorting the orgs for massive sums of money on dark web leak sites.

“Their actual tactics are not unique, but their ability to move fast and fill a void is what makes them so noteworthy at this moment in time,” McPherson told us. “Or maybe they’re just trying to run as hard and fast as they can, because they know they’re protected where they are.”

ZeroFox analysts have also tracked RansomHub’s rise this year, and reported the group accounted for about 2 percent of all attacks in Q1, 5.1 percent in Q2, 14.2 in Q3, and about 20 percent in Q4.

While it is almost certain that this will plateau, there is a likely chance that the collective will continue to attract experienced affiliates and remain the most dangerous threat

“The greatest threat in early 2025 will very likely emanate from RansomHub,” the security firm declared [PDF] in a December 12 report that also called RansomHub “the most prominent R&DE [ransomware and data exfiltration] outfit” of 2024.

“RansomHub’s attack tempo has been on a consistent upward trajectory, accounting for approximately 20 percent of all R&DE incidents in Q4 2024,” according to the report. 

“While it is almost certain that this will plateau, there is a likely chance that the collective will continue to attract experienced affiliates and remain the most dangerous R&DE threat,” it noted.

“The way they’re conducting business, and the pace at which they’re exposing and publishing victims, is quite common with new ransomware groups,” ZeroFox VP of Intelligence Adam Darrah told The Register. “It is likely RansomHub is made up of individuals affiliated with other now-defunct or waning-in-their-influence ransomware collectives. It is not uncommon for a newer shakedown mafia to come in and to make a splash.”

The US presidential election this year also likely added to the increased attacks, added Darrah, a former CIA political analyst. 

“In the run up to a major US election, they [were] taking advantage of a community of defenders, both inside and outside the government, who are already on edge about cyber-based attacks,” he said. “Ransomware groups that have any kind of official or unofficial affiliation with a nation-state intelligence service know that publishing such a high number of victims at an increased pace, at such an alarming rate, takes away time, attention, and resources from other defensive operations.”

It’s important to note that the number of listed victims doesn’t directly equate to attacks. Victims that pay the ransom demand – or come to some sort of agreement with the criminals – may not ever see their org’s names on the criminals’ leak sites.

“When they get on a radar this quickly, that also catches the attention of very capable good guys around the world,” Darrah said. “So there’s a reason the life cycle of some of these groups is not long.”

ZeroFox’s report warns that other ransomware gangs such as Meow, Play Ransomware, and Hunters International are “very likely” to emerge as serious threats in early 2025. While it’s unknown how long RansomHub can keep up its run, one thing is clear: there’s no shortage of collectives waiting to take its place at the top of the charts. ®

READ MORE HERE