Several federal agencies have warned about the escalating threat posed by the RansomHub ransomware group.
A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) outlines the growing threat from RansomHub. The ransomware-as-a-service (RaaS) group has been targeting a wide range of sectors, including water and wastewater, IT, government services, food and agriculture, financial services, transportation, commercial facilities, manufacturing, communications, healthcare, and emergency services.
Since emerging in February 2024, RansomHub has been responsible for at least 210 attacks. The group primarily focuses on stealing sensitive data and threatening to release it unless large ransoms are paid. While they can also encrypt files, their main tactic is to use data theft as leverage. The rising number and severity of these attacks point to the urgent need for improved vigilance and defense strategies.
RansomHub has shown considerable skill in breaking into networks. The group often exploits publicly documented vulnerabilities, demonstrating both technical expertise and the ability to make effective use of freely available tools.
In addition to exploiting these vulnerabilities, RansomHub gains access through phishing and password-spraying attacks. Once inside a network, they set up new user accounts to maintain access, steal passwords to elevate their privileges, and use various remote access methods to control the network.
Recently, RansomHub was behind attacks on Halliburton and has also targeted several healthcare organizations, including Rite Aid, American Clinical Solutions, and the Florida Department of Health.
The joint advisory from the federal agencies provides a detailed breakdown of RansomHub's tactics, techniques, and procedures, equipping network defenders with the information to detect and mitigate the group's activities. The agencies have shared a set of indicators of compromise to aid in the identification of ongoing attacks.
Furthermore, the advisory outlines a range of recommended mitigations to enhance the security posture of organizations, including:
Ransomware-as-a-Service (RaaS) is a model where ransomware creators lease their malicious software to other criminals, who then use it to carry out attacks. The creators manage the technical aspects and payment collection.
Known vulnerabilities are documented flaws in software or hardware that can be exploited by attackers. Keeping systems updated with patches helps protect against these risks.
Phishing is a scam where attackers trick individuals into revealing sensitive information by posing as a trustworthy entity through emails or fake websites.
Password-spraying attacks involve trying common passwords across many accounts to gain unauthorized access, avoiding account lockout mechanisms by spreading out login attempts.
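Because spraying keeps each account below its lockout threshold, a per-account failure counter never fires; what stands out is one source failing against many distinct accounts. The following is an added example of that detection logic, not code from the advisory or the article; the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp result user source_ip).
SAMPLE_LOG = """\
2024-08-29T10:00:01 FAIL alice 203.0.113.7
2024-08-29T10:00:05 FAIL bob 203.0.113.7
2024-08-29T10:00:09 FAIL carol 203.0.113.7
2024-08-29T10:00:14 FAIL dave 203.0.113.7
2024-08-29T10:00:20 FAIL erin 203.0.113.7
2024-08-29T10:00:31 OK grace 203.0.113.7
2024-08-29T10:00:40 FAIL alice 198.51.100.9
2024-08-29T10:00:41 FAIL alice 198.51.100.9
2024-08-29T10:00:42 FAIL alice 198.51.100.9
2024-08-29T10:00:43 FAIL alice 198.51.100.9
2024-08-29T10:03:00 FAIL heidi 192.0.2.44
"""

def parse(log_text):
    """Yield (timestamp, result, user, source) tuples from the sample format."""
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        yield datetime.fromisoformat(ts), result, user, src

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=3):
    """Return {source: sorted users} for sources whose failures look like spraying.

    A source is flagged when, inside `window`, it fails against at least
    `min_accounts` distinct users with at most `max_per_account` failures
    each. One account hammered repeatedly is brute force, not spraying.
    """
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)
                break
    return flagged
```

The thresholds are placeholders; tune `window` and `min_accounts` to the authentication volume of the environment, and pair this with per-account counters so that classic brute force against a single account is still caught.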