September 2, 2024 at 10:18AM
RansomHub, a ransomware-as-a-service (RaaS) variant, has targeted at least 210 victims across various sectors, using the double extortion model to steal data and extort payment. Affiliates exploit security vulnerabilities, then conduct reconnaissance and network scanning in victim environments. The lucrative nature of RaaS has led to a surge in new variants and to collaborations with nation-state actors for illicit gains.
Key takeaways:
1. The RansomHub ransomware group has targeted at least 210 victims across various sectors, employing a ransomware-as-a-service (RaaS) model and utilizing efficient and successful service tactics.
2. RansomHub’s activity as a proportion of all ransomware observed is on an upward trajectory, accounting for approximately 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% in Q3.
3. The group uses the double extortion model and targets organizations by exploiting known security vulnerabilities in various devices, followed by reconnaissance and network scanning using specific programs.
4. Affiliates of RansomHub employ methods such as Remote Desktop Protocol (RDP), PsExec, and other widely used command-and-control (C2) methods to move laterally inside the network.
5. The group uses intermittent encryption to speed up the process and employs data exfiltration tools such as PuTTY, Amazon AWS S3 buckets, and other methods.
6. ShinyHunters ransomware, tracked as Bling Libra, has also evolved its tactics to focus on extorting victims rather than selling or publishing stolen data.
7. Ransomware attacks have evolved to employ complex, multi-faceted extortion strategies, including triple and quadruple extortion schemes.
8. The lucrative nature of RaaS models has led to a surge in new ransomware variants and collaborations between nation-state actors and known ransomware groups.