RansomHub (RaaS) — Threat Analysis & Playbook
Prepared by CyberDudeBivash Threat Intelligence

Executive summary

RansomHub is a ransomware-as-a-service (RaaS) program active since Feb 2024, offering lockers for Windows, Linux, ESXi, and FreeBSD, and recruiting affiliates with an unusually affiliate-friendly model (affiliates keep payments in their own wallets and remit a small cut to the core). The operation (with clear lineage to Knight/Cyclops) surged through 2024–25 with hundreds of victims across healthcare, manufacturing, IT services, and more. As of Aug 31, 2025, multiple sources note a cartel-style merger/takeover narrative with DragonForce and a resulting shift or pause in RansomHub’s own branding—yet its TTPs and tooling remain in active affiliate use across the ecosystem. (Sources: MITRE ATT&CK, CISA, Bitsight, Trend Micro)


Who/what is RansomHub (status + traits)

  • Platform support: lockers for Windows/Linux/ESXi/FreeBSD; Go-based with obfuscation; supports safe-mode execution, event-log wiping, VSS deletion, allow-listing of hosts, and chunk-skipping for faster encryption. (Source: MITRE ATT&CK)
  • Lineage: credible overlaps with Knight/Cyclops (panel and code). (Sources: MITRE ATT&CK, Trend Micro)
  • Scale: public estimates range widely (e.g., ≥210 victims by Aug 2024; ~534 attacks in 2024; hundreds more into 2025), reflecting differing telemetry and counting methods. (Sources: CISA, Bitsight)
  • Rules & targeting: do-not-attack lists (CIS/China/Cuba/NK) and “no repeat of paid victims”; often big-game hunting of US-centric enterprises. (Source: Trend Micro)
  • Business model: affiliate-managed wallets (10% remitted to the core) and payouts of up to ~90% advertised to lure top operators. (Sources: Bitsight, darktrace.com)
  • 2025 landscape: reporting indicates a DragonForce ‘takeover’/cartel dynamic in spring 2025; campaigns and affiliates appear to have migrated or re-badged, driving rivalry and potential double-extortion collisions. (Sources: Trend Micro, Tom’s Hardware)

Notable incidents (context)

  • Change Healthcare: second-wave extortion and data-sale claims after ALPHV; emblematic of affiliate disputes and re-extortion. (Sources: WIRED, Forescout)
  • Christie’s (2024): claims and leak-site proof-of-data samples highlighted the group’s “name-and-shame” playbook. (Sources: The Record from Recorded Future, The Guardian)

Attack chain (MITRE ATT&CK mapping + specifics)

1) Initial access — TA0001

  • Vectors: phishing/spear-phishing (including voice-phishing-driven resets), valid accounts, exploitation of public-facing apps. (Sources: CISA, Trend Micro)
  • Common CVEs exploited (examples): Citrix CVE-2023-3519, FortiOS CVE-2023-27997, ActiveMQ CVE-2023-46604, Confluence CVE-2023-22515, F5 BIG-IP CVE-2023-46747, FortiClientEMS CVE-2023-48788, EternalBlue CVE-2017-0144, Zerologon CVE-2020-1472. (Sources: CISA, Bitsight)

2) Discovery/Lateral movement — TA0007/TA0008

  • Tools observed across campaigns: AngryIP, Nmap, nbtscan, native PowerShell; RDP/SMB; AnyDesk/Splashtop; PsExec; Cobalt Strike/Sliver; account creation and admin-group adds; proxy/SOCKS use. (Sources: Bitsight, Trend Micro, darktrace.com)

3) Exfiltration — TA0010

  • Affiliate-chosen methods (the core doesn’t bundle an exfil module): WinSCP, Rclone, MEGA/HTTP POST, SFTP, cloud buckets; SSH to infrastructure tied to affiliates (e.g., ShadowSyndicate). (Sources: Bitsight, darktrace.com)

4) Impact/Encryption — TA0040 (T1486)

  • Notes & file patterns: ransom notes like README_[A-Za-z0-9]{6}.txt; extensions like .[A-Za-z0-9]{6}; leak-site threats and deadlines of 3–90 days; safe-mode boot; VSS delete; service/process kill; event-log clearing. (Sources: darktrace.com, CISA, MITRE ATT&CK)

Artifacts & IOCs (examples you can hunt today)

  • Ransom note: README_[A-Za-z0-9]{6}.txt (and matching 6-char extension). (Source: darktrace.com)
  • TTP hallmarks: vssadmin Delete Shadows, boot to Safe Mode prior to encrypt, wevtutil cl to clear logs, targeted network shares over SMB. (Source: MITRE ATT&CK)
  • Exfil indicators: rclone, WinSCP, large outbound SSH bursts; MEGA user-agents. (Sources: darktrace.com, Trend Micro)
    (Treat IOCs as short-lived; focus on the behaviors above.)
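As an added example (not code from the original post or from any of the cited sources), the following Python hunts a file tree for the note/extension pairing listed above. The README_[A-Za-z0-9]{6}.txt pattern and the matching 6-character extension come from the page; the pairing threshold, the function names and the constructed demo tree are assumptions made here. The point it demonstrates is the caveat that either artifact alone is noisy: a 6-character extension such as .sqlite or a README that happens to fit the regex will both match, so the hunt only fires when a note's token equals the extension of several sibling files in the same directory.

```python
"""Hunt a file tree for the RansomHub note/extension pairing: a
README_<token>.txt note sitting beside files renamed to the same
6-character <token> extension. The demo tree is constructed in a temp dir."""
import os
import re
import tempfile
from collections import Counter

# Patterns from the page: note name and 6-char alphanumeric extension.
NOTE_RE = re.compile(r"^README_([A-Za-z0-9]{6})\.txt$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{6})$")


def hunt_ransomhub_artifacts(root, min_encrypted=5):
    """Return one finding per directory where a note's token matches the
    extension of at least `min_encrypted` sibling files (threshold is an
    assumption). Requiring the pairing filters out legitimate 6-char
    extensions (.sqlite, .backup) and READMEs that merely fit the regex."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        notes = {}              # token -> path of the note file
        ext_counts = Counter()  # 6-char extension -> number of files
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1)] = os.path.join(dirpath, name)
                continue
            m = EXT_RE.search(name)
            if m:
                ext_counts[m.group(1)] += 1
        for token, note_path in notes.items():
            n = ext_counts[token]
            if n >= min_encrypted:
                findings.append({"dir": dirpath, "note": note_path,
                                 "token": token, "encrypted_files": n})
    return findings


def build_demo_tree():
    """Constructed sample: one true hit plus two look-alike directories."""
    root = tempfile.mkdtemp(prefix="rh_hunt_")
    layout = {
        # 8 renamed files and a note whose token matches their extension
        "finance": [f"q{i}_report.xlsx.Ab12Cd" for i in range(8)] + ["README_Ab12Cd.txt"],
        # benign 6-char extension, no note -> must not fire
        "appdata": [f"cache{i}.sqlite" for i in range(6)],
        # README that fits the note regex but no renamed files -> must not fire
        "docs": ["README_notes1.txt", "guide.pdf", "notes.md"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("x")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in hunt_ransomhub_artifacts(demo_root):
        print(f"{finding['dir']}: note={os.path.basename(finding['note'])} "
              f"token={finding['token']} files={finding['encrypted_files']}")
```

Run it against a share root instead of the demo tree to hunt for real; lowering `min_encrypted` trades false positives for earlier detection of a partially completed run.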

Detection & hunting quick wins (defender-friendly)

Windows (EDR/SIEM)

  • Alert on Safe Mode changes + shadow copy deletion:
    Process = vssadmin.exe OR wmic.exe shadowcopy delete → followed by service stops and high-volume file renames. (Source: MITRE ATT&CK)
  • Log wiping: wevtutil cl Security|System|Application followed by encryption spikes. (Source: MITRE ATT&CK)
  • RDP/RMM abuse: rare AnyDesk/Splashtop installs + new local admin creation + inbound 3389 from new ASNs. (Sources: Trend Micro, darktrace.com)
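The precursor-then-rename sequence described above (and the hunt step of the response playbook later on the page) can be expressed as a small correlation rule. This is an added example, not code from the original post: the event shape, host names, thresholds and the constructed telemetry are assumptions, as are the exact command lines used to represent shadow-copy deletion, log clearing and safe-mode configuration (the page names only the tools). A real deployment would feed Sysmon/EDR process-creation and file events normalised into the same shape.

```python
"""Correlate Windows process-creation and file-rename telemetry per host:
a precursor (shadow-copy deletion, event-log clearing, safe-mode boot
configuration) followed within a window by service stops and a rename burst.
Event shape and sample data are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the precursor behaviours listed on the page.
PRECURSORS = {
    "shadow_copy_delete": re.compile(
        r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clear": re.compile(
        r"wevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b", re.I),
    "safe_mode_boot": re.compile(r"bcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
}
SERVICE_STOP = re.compile(
    r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.I)


def correlate(events, window=timedelta(minutes=15), rename_threshold=25):
    """Return one alert per host that shows at least one precursor.
    Severity is 'high' when >= rename_threshold renames follow the first
    precursor inside `window`, else 'medium' (precursor alone still alerts)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        hits = {}  # precursor name -> earliest timestamp seen
        for e in evs:
            if e["type"] != "process":
                continue
            for name, rx in PRECURSORS.items():
                if rx.search(e["cmd"]):
                    ts = datetime.fromisoformat(e["ts"])
                    hits[name] = min(ts, hits.get(name, ts))
        if not hits:
            continue
        t0 = min(hits.values())
        in_window = [e for e in evs
                     if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        renames = sum(1 for e in in_window if e["type"] == "file_rename")
        stops = sum(1 for e in in_window
                    if e["type"] == "process" and SERVICE_STOP.search(e["cmd"]))
        alerts.append({
            "host": host,
            "first_seen": t0.isoformat(),
            "precursors": sorted(hits),
            "service_stops": stops,
            "renames_in_window": renames,
            "severity": "high" if renames >= rename_threshold else "medium",
        })
    return alerts


def build_sample_events():
    """Constructed telemetry: FS01 shows the full chain, WS22 is benign admin noise."""
    base = datetime.fromisoformat("2025-08-30T02:10:00")

    def mk(host, sec, typ, cmd):
        return {"ts": (base + timedelta(seconds=sec)).isoformat(),
                "host": host, "type": typ, "cmd": cmd}

    events = [
        mk("FS01", 0, "process", "vssadmin.exe delete shadows /all /quiet"),
        mk("FS01", 3, "process", "bcdedit.exe /set {default} safeboot network"),
        mk("FS01", 5, "process", "wevtutil.exe cl Security"),
        mk("FS01", 6, "process", "net stop MSSQLSERVER /y"),
        mk("FS01", 7, "process", "taskkill.exe /f /im sqlservr.exe"),
        # other host: listing shadows and querying logs, not deleting/clearing
        mk("WS22", 120, "process", "vssadmin.exe list shadows"),
        mk("WS22", 125, "process", "wevtutil.exe qe Security /c:5"),
    ]
    for i in range(40):  # rename burst 60-138 s after the first precursor
        events.append(mk("FS01", 60 + 2 * i, "file_rename",
                         f"C:\\Shares\\Finance\\doc{i}.xlsx -> doc{i}.xlsx.Ab12Cd"))
    for i in range(3):   # a few ordinary renames on the benign host
        events.append(mk("WS22", 200 + i, "file_rename",
                         f"C:\\Users\\j\\draft{i}.docx -> final{i}.docx"))
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

The "medium" tier matters in practice: shadow-copy deletion or log clearing on a file server deserves a page even before the rename burst arrives, because the burst is what you are trying to get ahead of.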

Linux/ESXi

  • Watch for ESXi SSH enablement/reset, mass VM stops, and simultaneous SFTP of an encryptor to multiple hosts. (Source: Trend Micro)

Network

  • LotL C2 frameworks (Cobalt Strike/Sliver) + SSH bulk egress; cloud-storage destinations (MEGA/S3) from atypical hosts. (Sources: darktrace.com, Bitsight)

Mitigation priorities (what really moves risk)

  1. Patch the edge first (the CVE set above plus VPNs/NetScaler/ESXi/Confluence/F5) and disable SMBv1. (Source: CISA)
  2. MFA everywhere, especially remote access; block risky RMM/tunneling tools by default; allowlist only business-approved ones. (Source: Varonis)
  3. Hardening & monitoring: strict alerting on admin-account creation; PowerShell constrained language mode; log immutability; audit share access. (Source: CISA)
  4. Backups: offline/immutable, cross-tenant replicated, restore tested; assume leak-site exposure regardless of payment. (Source: CISA)
  5. Tabletop IR for double/triple extortion (legal/comms/sector regulators); pre-draft breach notifications. (Change Healthcare is a cautionary case.) (Source: WIRED)

Negotiation & extortion style (what to expect)

  • Initial notes often omit a demand; victims receive a client ID + Tor URL; timers range 3–90 days; threats include regulator reporting and contacting competitors to amplify pressure. Affiliates control comms/wallets, so tone and asks vary. Law enforcement discourages payment; it does not guarantee deletion or decryption. (Sources: CISA, Bitsight)

Risk to your business (2024–25)

  • RansomHub became one of the most prolific RaaS operations, with hundreds of posted victims; healthcare and manufacturing consistently appear in the top buckets across datasets. Costs extend far beyond ransoms: downtime, regulatory penalties, cyber-insurance friction, and post-breach audits. (Sources: Bitsight, Trend Micro)

Fast response playbook (print-ready)

  1. Contain: isolate suspected endpoints/VMs; block RDP/SSH from rare ASNs; cut access for newly created admins.
  2. Preserve: snapshot evidence before wiping (memory, disks, firewall/EDR/CloudTrail/Entra logs); mirror exfil endpoints.
  3. Hunt: search for the note/extension regex; vssadmin/wevtutil use and service kills; AnyDesk/Splashtop installs; rclone/WinSCP beacons.
  4. Eradicate: remove footholds (new users/services/GPOs); rotate creds; re-image ESXi and domain controllers if needed.
  5. Recover: restore from offline immutable backups; staged bring-up with extra egress controls.
  6. Report & notify: regulators (HIPAA/GDPR as applicable); engage legal and PR; share indicators with ISACs. (Source: CISA)

Sources / further reading

  • CISA #StopRansomware: RansomHub (IOCs, ATT&CK mapping, CVEs, mitigations).
  • MITRE ATT&CK S1212 (features, techniques).
  • Bitsight (2025) — affiliate wallet model, victim counts, toolset overview.
  • Darktrace (2025) — ShadowSyndicate affiliate ops; 90% affiliate payout; note/extension patterns; SSH/MEGA exfil.
  • Trend Micro (2024–25) — infection chains, ESXi scripts, tooling (NodeStealer/XWorm/RClone/AMSI bypass), DragonForce takeover timeline.
  • Change Healthcare & Christie’s reporting (WIRED, The Record from Recorded Future, The Guardian) for context on impacts and leak-site pressure.

CTA (CyberDudeBivash services)

Need a 2-hour tabletop or rapid patch-prioritization for the CVEs above? We’ll run it and deliver a custom MITRE-mapped detection pack for your SIEM/XDR.
cyberdudebivash.com | cyberbivash.blogspot.com

#CyberDudeBivash #RansomHub #RaaS #Ransomware #ThreatIntel #MITREATTACK #CISA #ZeroTrust #HealthcareSecurity #ESXi #DFIR #XDR #DataExfiltration #DoubleExtortion #IncidentResponse
