Several federal agencies have warned about the escalating threat posed by the RansomHub ransomware group.
What happened
A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) outlines the growing threat from RansomHub. The ransomware-as-a-service (RaaS) group has been targeting a wide range of sectors, including water and wastewater, IT, government services, food and agriculture, financial services, transportation, commercial facilities, manufacturing, communications, healthcare, and emergency services.
Since emerging in February 2024, RansomHub has been responsible for at least 210 attacks. The group primarily focuses on stealing sensitive data and threatening to release it unless large ransoms are paid. While they can also encrypt files, their main tactic is to use data theft as leverage. The rising number and severity of these attacks point to the urgent need for improved vigilance and defense strategies.
Going deeper
RansomHub has shown a high level of skill in breaking into networks. They often exploit known vulnerabilities they find from public sources, which proves their technical expertise and ability to use available tools effectively.
In addition to exploiting these vulnerabilities, RansomHub gains access through phishing and password-spraying attacks. Once inside a network, they set up new user accounts to maintain access, steal passwords to elevate their privileges, and use various remote access methods to control the network.
Recently, RansomHub was behind attacks on Haliburton and has also targeted several healthcare organizations, including Rite Aid, American Clinical Solutions, and the Florida Department of Health.
What was said
The joint advisory from the federal agencies provides a detailed breakdown of RansomHub's tactics, techniques, and procedures, equipping network defenders with the information to detect and mitigate the group's activities. The agencies have shared a set of indicators of compromise to aid in the identification of ongoing attacks.
Furthermore, the advisory outlines a range of recommended mitigations to enhance the security posture of organizations, including:
- Promptly patching and updating systems to address known vulnerabilities
- Implementing access controls and multi-factor authentication
- Regularly backing up data and maintaining offline backups
- Conducting employee security awareness training to mitigate the risk of phishing and social engineering attacks
- Closely monitoring network traffic and activity for signs of suspicious behavior
FAQs
What is ransomware-as-a-service?
Ransomware-as-a-Service (RaaS) is a model where ransomware creators lease their malicious software to other criminals, who then use it to carry out attacks. The creators manage the technical aspects and payment collection.
What are known vulnerabilities?
Known vulnerabilities are documented flaws in software or hardware that can be exploited by attackers. Keeping systems updated with patches helps protect against these risks.
What is phishing?
Phishing is a scam where attackers trick individuals into revealing sensitive information by posing as a trustworthy entity through emails or fake websites.
What are password-spraying attacks?
Password-spraying attacks involve trying common passwords across many accounts to gain unauthorized access, avoiding account lockout mechanisms by spreading out login attempts.
Farah Amod
