June 5, 2024 at 08:43AM
RansomHub is a new Ransomware-as-a-Service believed to have evolved from the defunct Knight ransomware project. It operates as a data theft and extortion group, recently targeting United Health subsidiary Change Healthcare and international auction house Christie’s. Symantec analysts found commonalities with Knight, indicating a likely derived lineage, though operated by a different actor.
RansomHub is believed to have evolved from the defunct Knight ransomware project. It primarily operates as an extortion group that sells stolen files to the highest bidder, and it has gained attention by leaking data from various organizations, including a subsidiary of United Health and the international auction house Christie’s.
Malware analysts at Symantec, a part of Broadcom, have found multiple similarities between RansomHub and Knight ransomware, indicating a common origin. Both families are written in Go and use the same unusual obfuscation technique for important strings, which are decoded only at runtime. The ransom notes, the command-line help menus, and the way commands are executed are also similar between the two families. This strongly suggests that RansomHub is derived from Knight, and it confirms that the group does deploy a file encryptor rather than relying on data theft alone.
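The following Go program is an added illustration of the general pattern described above (important strings stored obfuscated with a per-string key and decoded at runtime) and of why such strings defeat a naive static string scan. It is not code from RansomHub, Knight, or Symantec, and the exact encoding those families use is not described on this page; the XOR scheme, the `ObfString` layout, and the sample string are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// ObfString holds one obfuscated string together with its own key.
// This layout is a construction for the example; it is not the real
// RansomHub/Knight format, which the page does not document.
type ObfString struct {
	Data []byte // plaintext XOR Key
	Key  []byte // per-string key, same length as Data
}

// xorBytes XORs a and b byte by byte; both must be the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Encode obfuscates s under key. Build-time tooling would emit the result
// as a literal so the plaintext never lands in the binary's string table.
func Encode(s string, key []byte) (ObfString, error) {
	if len(key) != len(s) {
		return ObfString{}, fmt.Errorf("key length %d != string length %d", len(key), len(s))
	}
	return ObfString{Data: xorBytes([]byte(s), key), Key: key}, nil
}

// RandomKey draws a fresh key for one string; every string gets its own,
// so identical source strings produce different bytes in each build.
func RandomKey(n int) ([]byte, error) {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// Decode reverses Encode at runtime, right before the string is used.
func Decode(o ObfString) string {
	return string(xorBytes(o.Data, o.Key))
}

// LeaksPlaintext reports whether the stored bytes still contain s verbatim,
// which is what a static "strings"-style scan would catch.
func LeaksPlaintext(o ObfString, s string) bool {
	return bytes.Contains(o.Data, []byte(s))
}

func main() {
	s := "--pass <key>" // constructed sample string, not taken from a real sample
	key, err := RandomKey(len(s))
	if err != nil {
		panic(err)
	}
	o, err := Encode(s, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %x\n", o.Data)
	fmt.Printf("decoded:      %q\n", Decode(o))
}
```

For analysts the practical consequence is the one Symantec leaned on: because the plaintext is absent from the binary, sample-to-sample comparison has to rest on the decoding routine and on the strings recovered after decoding, not on raw string matches.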
It is unlikely that RansomHub is run by the creators of Knight ransomware. Instead, researchers believe that another actor purchased the Knight source code and started using it in attacks. Since its emergence in February 2024, RansomHub has grown to become one of the most prolific RaaS operations, attracting former affiliates of the ALPHV operation.
Overall, RansomHub’s connection to Knight ransomware and its rapid growth in the cybercrime space highlight the significance of this threat and the potential impact on organizations.