US Agencies Warn Against Ransomware Group Behind Hundreds of Attacks in Recent Months

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) are releasing this advisory to highlight known ransomware IOCs and TTPs. Identified through FBI threat response activities and third-party reporting as recent as August 2024, RansomHub—formerly Cyclops and Knight—has emerged as a prominent ransomware-as-a-service (RaaS) variant. It has attracted high-profile affiliates from other notable ransomware groups like LockBit and ALPHV.

Since its emergence in February 2024, RansomHub has impacted at least 210 victims across various sectors, including water and wastewater, information technology, government services, healthcare, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications. Using a double-extortion model, RansomHub affiliates both encrypt systems and exfiltrate data to coerce victims. Ransom notes typically do not include initial payment instructions; instead they provide a client ID and a .onion URL (accessible via the Tor browser) for communication. Victims are given between three and 90 days to pay the ransom before their data is published on the RansomHub Tor leak site.

The advisory includes mitigation recommendations to help reduce the likelihood and impact of ransomware incidents.

  • Download the PDF version of this report: AA24-242A #StopRansomware: RansomHub Ransomware (PDF, 713.07 KB)
  • For downloadable IOCs, see:
    • AA24-242A STIX XML (XML, 133.74 KB)
    • AA24-242A STIX JSON (JSON, 109.41 KB)

Technical Details

Initial Access

RansomHub affiliates gain initial access through methods such as phishing [T1566], exploiting known vulnerabilities [T1190], and password spraying [T1110.003]. Commonly exploited vulnerabilities include:

  • CVE-2023-3519: Citrix ADC Remote Code Execution
  • CVE-2023-27997: FortiOS Heap-based Buffer Overflow
  • CVE-2023-46604: Apache ActiveMQ Remote Code Execution
  • CVE-2023-22515: Confluence Data Center Unauthorized Admin Creation
  • CVE-2023-46747: BIG-IP Configuration Bypass
  • CVE-2023-48788: Fortinet FortiClientEMS SQL Injection
  • CVE-2017-0144: SMBv1 Remote Code Execution
  • CVE-2020-1472: Netlogon Elevation of Privilege
  • CVE-2020-0787: Zerologon Privilege Escalation

Discovery

Affiliates use tools like AngryIPScanner, Nmap, and PowerShell for network scanning [T1018][T1046][T1059.001].

Defense Evasion

RansomHub affiliates often rename ransomware executables with generic names, clear system logs, and use Windows Management Instrumentation [T1047] to disable antivirus and EDR tools [T1562.001].

Privilege Escalation and Lateral Movement

Affiliates create new user accounts, re-enable disabled accounts, and use tools like Mimikatz [S0002] for credential gathering and privilege escalation [T1003][T1068]. They move laterally using methods such as RDP [T1021.001], PsExec [S0029], and various command-and-control tools.
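The Initial Access, Defense Evasion, and Privilege Escalation sections above describe behaviours that leave a consistent trail in Windows Security logs. The following detection sketch is an added example and is not code from the advisory: it runs over a constructed list of event records (standard Windows Security event IDs 4625, 4720, 4722, 4688 and 1102; hostnames, users and IPs are invented) and flags password spraying against many accounts from one source, account creation and re-enablement, audit-log clearing, and wmic.exe invoked against a remote host.

```python
"""Added detection example for the affiliate behaviours described above.
Not code from the advisory; the events and names below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Event IDs are the standard Windows Security ones:
# 4625 failed logon, 4720 user account created, 4722 user account enabled,
# 4688 process created, 1102 audit log cleared.
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T09:00:01", "id": 4625, "src_ip": "203.0.113.5", "user": "alice"},
    {"ts": "2024-08-01T09:00:20", "id": 4625, "src_ip": "203.0.113.5", "user": "bob"},
    {"ts": "2024-08-01T09:00:45", "id": 4625, "src_ip": "203.0.113.5", "user": "carol"},
    {"ts": "2024-08-01T09:01:10", "id": 4625, "src_ip": "203.0.113.5", "user": "dave"},
    {"ts": "2024-08-01T09:01:30", "id": 4625, "src_ip": "203.0.113.5", "user": "erin"},
    {"ts": "2024-08-01T09:05:00", "id": 4625, "src_ip": "198.51.100.9", "user": "alice"},
    {"ts": "2024-08-01T09:05:05", "id": 4625, "src_ip": "198.51.100.9", "user": "alice"},
    {"ts": "2024-08-01T09:40:00", "id": 4720, "actor": "admin", "target": "svc_backup2"},
    {"ts": "2024-08-01T09:41:00", "id": 4722, "actor": "admin", "target": "oldadmin"},
    {"ts": "2024-08-01T09:50:00", "id": 4688, "actor": "admin",
     "process": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-08-01T09:52:00", "id": 4688, "actor": "admin",
     "process": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'WMIC.exe /node:srv02 process call create "placeholder.exe"'},
    {"ts": "2024-08-01T10:00:00", "id": 1102, "actor": "admin"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying [T1110.003]: one source IP producing failed logons
    (4625) against at least min_users distinct accounts inside the window.
    Returns {src_ip: sorted list of targeted users}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def detect_account_changes(events):
    """New accounts (4720) and re-enabled accounts (4722), with the actor.
    Both are the account-manipulation steps named in the advisory."""
    return [(e["id"], e["target"], e["actor"]) for e in events if e["id"] in (4720, 4722)]


def detect_tampering(events):
    """Audit-log clearing (1102) and wmic.exe run against a remote host
    (/node:), which is the WMI usage [T1047] the advisory describes.
    Returns (event_id, actor, detail) tuples."""
    hits = []
    for e in events:
        if e["id"] == 1102:
            hits.append((1102, e["actor"], "audit log cleared"))
        elif e["id"] == 4688:
            proc = e.get("process", "").lower()
            if proc.endswith("wmic.exe") and "/node:" in e.get("cmdline", "").lower():
                hits.append((4688, e["actor"], e["cmdline"]))
    return hits


def run_detections(events=SAMPLE_EVENTS):
    """Bundle the three detections into one report dict."""
    return {
        "password_spray": detect_password_spray(events),
        "account_changes": detect_account_changes(events),
        "tampering": detect_tampering(events),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, "->", result)
```

The spray detector deliberately keys on distinct usernames per source rather than on failure count, because a spray is a few attempts across many accounts rather than many attempts against one; the second source in the sample, which fails repeatedly for a single user, is correctly ignored. In production the `actor` on a 4720/4722 event would be correlated with a change-ticket or admin allowlist before alerting.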

Data Exfiltration

Data exfiltration is performed using tools like PuTTY [T1048.002], AWS S3 [T1537], HTTP POST requests [T1048.003], WinSCP, and others. The ransomware binary itself typically lacks built-in exfiltration capabilities.

Encryption

RansomHub uses the Curve25519 elliptic curve algorithm for encryption [T1486]. It encrypts files on targeted systems and writes the encrypted data in a fixed layout, appending 58 bytes of metadata to the end of each encrypted file.

Leveraged Tools

RansomHub affiliates utilize a range of tools, including:

  • BITSAdmin: Manages file transfers
  • Cobalt Strike: Penetration testing and C2
  • Mimikatz: Credential extraction
  • PsExec: Remote command execution
  • PowerShell: Automation and scripting
  • RClone: Cloud storage synchronization
  • WinSCP: File transfer
  • CrackMapExec: Penetration testing
  • Kerberoast: Kerberos ticket extraction

Indicators of Compromise (IOCs)

The following IOCs have been associated with RansomHub:

  • IPs: 8.211.2[.]97, 45.95.67[.]41, 45.134.140[.]69, etc.
  • URLs: http://188.34.188[.]7/555, http://89.23.96[.]203/333, etc.
  • Email Addresses: brahma2023[@]onionmail.org, <victim_organization_name>[@]protonmail.com
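The IOCs above are defanged (`[.]`, `[@]`) so they cannot be clicked by accident, which also means they will not match raw log text until they are normalised. The script below is an added example, not part of the advisory: it refangs the indicators quoted on this page, compiles them into boundary-aware patterns, and scans a few constructed proxy and mail log lines (the internal IPs, hostnames and the `145.95.67.410` near-miss are invented) so that partial matches such as a longer IP that merely contains an indicator are not reported.

```python
"""Added example: refang the advisory's defanged IOCs and match them against
log lines. Not code from the advisory; the log lines are constructed."""
import re

# Indicators exactly as quoted in the advisory text above.
DEFANGED_IOCS = {
    "ip": ["8.211.2[.]97", "45.95.67[.]41", "45.134.140[.]69"],
    "url": ["http://188.34.188[.]7/555", "http://89.23.96[.]203/333"],
    "email": ["brahma2023[@]onionmail.org"],
}

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-08-01T10:12:03Z proxy src=10.0.0.15 dst=45.95.67.41 method=POST url=http://89.23.96.203/333 bytes=48211",
    "2024-08-01T10:13:44Z proxy src=10.0.0.22 dst=192.0.2.14 method=GET url=https://www.example.com/ bytes=812",
    '2024-08-01T11:02:10Z mail from=brahma2023@onionmail.org to=cfo@corp.example subject="Decryption"',
    "2024-08-01T11:05:00Z proxy src=10.0.0.15 dst=145.95.67.410 method=GET url=http://example.net/ bytes=90",
]


def refang(indicator):
    """Undo common defanging: [.] -> ., [@] -> @, leading hxxp(s) -> http(s)."""
    s = indicator.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.IGNORECASE)


def build_matcher(defanged):
    """Compile one regex per IOC type. The lookarounds stop an indicator from
    matching inside a longer token (e.g. 45.95.67.41 inside 145.95.67.410)."""
    patterns = {}
    for kind, items in defanged.items():
        alts = "|".join(re.escape(refang(i)) for i in items)
        patterns[kind] = re.compile(r"(?<![\w.])(?:%s)(?![\w.])" % alts, re.IGNORECASE)
    return patterns


def scan(lines, matcher):
    """Return (line_index, ioc_type, matched_value) for every hit."""
    hits = []
    for n, line in enumerate(lines):
        for kind, rx in matcher.items():
            for m in rx.finditer(line):
                hits.append((n, kind, m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_matcher(DEFANGED_IOCS)):
        print(hit)
```

Feed the full STIX bundle linked above into `DEFANGED_IOCS` (refang is harmless on already-clean values) rather than the three-per-type excerpt shown here; the "etc." in the list means this page carries only a sample of the indicators.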

MITRE ATT&CK Tactics and Techniques

Refer to Tables 6-17 for a detailed breakdown of TTPs used by RansomHub affiliates, mapped to the MITRE ATT&CK framework.

For further details and to access the complete list of IOCs and TTPs, refer to the downloadable advisory documents and resources provided above.