The lucrative business model and the simplicity of running Ransomware-as-a-Service (RaaS) are driving rapid evolution and adoption.
Threat actors favour RaaS because it removes the technical barriers to entry, supplying ready-made ransomware tools and infrastructure instead.
This has drawn in less technically skilled actors, who can now launch sophisticated attacks, increasing both the prevalence and the profitability of ransomware campaigns.
Cybersecurity analysts at Symantec recently reported that RansomHub RaaS has emerged as the largest ransomware group currently operating.
RansomHub RaaS
An updated and rebranded version of the old Knight ransomware operation, RansomHub is one of the largest active Ransomware-as-a-Service (RaaS) groups.
Symantec’s analysis reveals significant code similarities between the RansomHub and Knight payloads, suggesting that Knight served as the foundation for the new group.
However, it seems unlikely that the original creators of Knight are also behind RansomHub, since they made its source code publicly available in February 2024 before closing down shop.
New actors most likely established RansomHub after acquiring and modifying this leaked codebase to launch their RaaS campaign with a different brand name.
The Knight and RansomHub malware families share similar source code written in Go, and only the initial Knight builds were unobfuscated.
It is extremely difficult to distinguish between the two families because of the large proportion of overlapping code; sometimes the only way to confirm which one a sample belongs to is to visit the data leak site link embedded in it.
The command line options of both RansomHub and EDA2 provide a help interface that is nearly identical.
The only difference is the “sleep” command in RansomHub’s help menu.
This confirms a high degree of code reuse, which strongly points toward the conclusion that RansomHub was developed from the Knight ransomware with some changes to the code.
RansomHub and Knight employ different techniques for string obfuscation, but similarities in ransom notes suggest that RansomHub has updated Knight’s original text.
The execution order of their two sets of cmd.exe commands is also similar.
In fact, victim machines are restarted in safe mode before encryption, a feature previously used by Snatch ransomware, which shares the Go language and the capabilities of its codebase.
This could imply a common origin. Also, RansomHub’s approach to configuration storage resembles Noberus’ JSON-based method, even though the two belong to different families.
So these substantial overlaps in code, techniques, and ransom notes prove that RansomHub was derived from Knight’s codebase, reused as groundwork.
By February 2024, RansomHub had become the fourth-largest ransomware operator, having gained prominence within three months.
Its growth has come from luring ex-Noberus affiliates such as Notchy and from using tools owned by Scattered Spider.
The speed with which the operation was established suggests experienced operators with contacts in the underground world.
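As an added detection example, not code from the article or from Symantec’s report, the following Python sketch flags the safe-mode-before-encryption sequence described above in process-creation logs. It assumes (the mechanism is not stated in the article) that the reboot is staged by changing the boot configuration with bcdedit’s safeboot option and then issuing a forced restart; the log events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the article); timestamps are UTC.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "cmd": "cmd.exe /c bcdedit /set {default} safeboot network"},
    {"ts": "2024-05-01T10:00:03", "host": "ws01", "cmd": "cmd.exe /c shutdown /r /f /t 0"},
    {"ts": "2024-05-01T11:00:00", "host": "ws02", "cmd": "bcdedit /enum"},
    {"ts": "2024-05-01T12:00:00", "host": "ws03", "cmd": "shutdown /r /t 300"},
]

# Assumed indicators: a safeboot change to the boot configuration, then a restart.
SAFEBOOT_RE = re.compile(r"bcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
REBOOT_RE = re.compile(r"shutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)


def find_safe_mode_reboots(events, window_seconds=300):
    """Return (host, safeboot_ts, reboot_ts) for every safeboot change that is
    followed by a restart on the same host within window_seconds."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    hits = []
    for host, evs in by_host.items():
        pending = None  # most recent safeboot change not yet paired with a restart
        for e in evs:
            cmd = e["cmd"]
            if SAFEBOOT_RE.search(cmd):
                pending = e
            elif pending is not None and REBOOT_RE.search(cmd):
                t0 = datetime.fromisoformat(pending["ts"])
                t1 = datetime.fromisoformat(e["ts"])
                if t1 - t0 <= timedelta(seconds=window_seconds):
                    hits.append((host, pending["ts"], e["ts"]))
                pending = None
    return hits


if __name__ == "__main__":
    for host, t_safeboot, t_reboot in find_safe_mode_reboots(EVENTS):
        print(f"ALERT {host}: safeboot set at {t_safeboot}, restart at {t_reboot}")
```

A lone bcdedit enumeration (ws02) or an ordinary scheduled restart (ws03) does not trigger; only the paired sequence on ws01 does.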
IOCs