RansomHub Exploiting RDP Services To Exfiltrate Large Volumes Of Data


Ransomware-as-a-Service (RaaS) significantly lowers the technical barriers for threat actors to launch ransomware attacks, even it also enables threat actors with minimal skills to execute sophisticated cyber attacks.

On a subscription basis, this model operates, and through this model, the developers of such services offer other threat actors ready-to-use ransomware tools.

EHA

Cybersecurity researchers at Group-IB recently identified that RansomHub has been exploiting RDP services to exfiltrate large volumes of data.

RansomHub Exploiting RDP Services

RansomHub is a complex Ransomware-as-a-Service (RaaS) group that operates in the usual double extortion manner by encrypting files and stealing files from their victims’ systems.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

This group primarily targets organizations in the United States, the United Kingdom, Spain, France, and Italy with specializations being mainly in healthcare, finance, and government.

Their operations may not be advanced but they use dual-use tools for network propagation and control of C2 through remote monitoring and management.

RansomHub Exploiting RDP Services To Exfiltrate Large Volumes Of Data
Ransomhub profile (Source – Group-IB)

The amount of ransom requests is reportedly high; an estimated $50 million in ransom payments were demanded for attacks on northern Africa.

A financial assessment of victims of RansomHub outlines that the Manipulation of funds through ransom was very effective due to reported transactions of the target being accessed on the internet.

Attacks through the global networks continue even though the targets may be withdrawn as diverse investigations by Group-IB’s Digital Forensics and Incident Response have shown that the majority of victims lacked the appropriate security measures with respect to the people, processes, and technology.

RansomHub, operating as a Ransomware-as-a-Service (RaaS) operation, started on 2nd February 2024 at ‘RAMP’ dark web forum, writing under the alias, “Koley.” 

They promise their affiliates a profit share of 90-10%, then run Tor-based DLS at hxxp://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.]onion/. 

Their ransomware, which is based on Golang, is able to run on Windows, Linux, and ESXi IDE. Besides this, it has network propagation, Safe Mode, and hardware-accelerated encryption (AES-256, Cha-Cha20, Xcha-Cha20) features. 

The attack chain typically involves the use of domain Admin accounts that have been compromised, in most cases lured through the LummaC2 stealer, then remotely logging into external services such as RDP.

For network discovery and lateral movement, attackers deploy tools including Netscan, smbexec, and PsExec. Before encryption, it is possible to use rclone to perform data exfiltration to Mega.

After encrypting the files, the ransomware attaches an arbitrary 6-character extension and creates files called README_[random 6 char].txt containing ransom messages.

RansomHub Exploiting RDP Services To Exfiltrate Large Volumes Of Data
RansomHub ransom note file contents (Source – Group-IB)

RansomHub restricts attacks against the CIS countries, North Korea, China, Romania, and Cuba. While the RansomHub gains access through hacked accounts and public VPNs, it steals and encrypts the data.

Their new strategy involves deploying RaaS and extracting high ransom demands, which shows their aggressive tactics.

Researchers urged that organizations improve access controls, improve monitoring, and respond more efficiently to security incidents to avoid such threats.

Recommendations

Here below we have mentioned all the recommendations:-

  • Use tools to find cyber-threat exposures.
  • Enforce OTP-based MFA for remote access.
  • Regularly assess ransomware readiness.
  • Maintain strong data backup policies.
  • Set fast response times for security alerts.
  • Avoid and monitor dual-use tools.
  • Watch for large network spikes.
  • Conduct annual security audits.
  • Use advanced analytics for intrusion detection.
  • Review Ransomware Readiness guidance.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial



Source link