Who are these RansomHub cyber-thieves? Looks like a Knight ransomware reboot

June 5, 2024 at 04:22PM

RansomHub, a new cyber-crime group, has been identified as a possible rebrand of the Knight ransomware gang. It has been active in stealing and auctioning off data from various organizations using sophisticated techniques. There is evidence of overlap between RansomHub and Knight’s code, suggesting a connection between the two groups.

The key takeaways from the report are:

1. RansomHub is likely a rebrand of the Knight ransomware gang, and both are believed to be iterations of the original Cyclops ransomware.
2. RansomHub has been active, targeting organizations like Christie’s auction house and US broadband telco Frontier Communications, using tactics such as stealing and auctioning off customer data.
3. Symantec reports that RansomHub has been the fourth most prolific ransomware crew in terms of claimed attacks in the past three months.
4. The criminals behind RansomHub frequently gain initial access to victims by exploiting the ZeroLogon elevation-of-privilege vulnerability in Microsoft’s Netlogon Remote Protocol.
5. RansomHub and Knight’s code and tactics exhibit striking similarities, indicating a potential connection between the two.
6. There are indications that a former ALPHV affiliate known as Notchy is working with RansomHub, which may be partially attributed to the disruption of ALPHV by law enforcement.
7. The cyber-crime ecosystem is increasingly segmented, with individuals and groups specializing in specific areas and collaborating to perform attacks, making it more challenging for law enforcement to disrupt these operations.

These takeaways summarize the report’s key points on RansomHub and its activities.
