Secured integration to the future

How RansomHub Engages Criminals and Risk Mitigation Recommendations

13.08.2024

In February 2024, a new platform named RansomHub emerged, offering ransomware-as-a-service (RaaS) targeting Windows, Linux, and ESXi systems. Written in Go and C++, RansomHub quickly gained popularity among cybercriminals. The platform offers affiliates a 90% commission rate, surpassing the typical range of 80–90%, attracting seasoned attackers from other platforms and increasing infected systems associated with RansomHub.
This article, prepared in collaboration with IT Specialist and CLICO Ukraine, a distributor of cybersecurity, network technology, and management products, summarises findings from a report by Recorded Future, an international company specialising in cyber threat intelligence.

What is RansomHub?

RansomHub is a sophisticated RaaS platform designed to exploit vulnerabilities in various operating systems, targeting Windows, Linux, and ESXi systems. Its use of Go and C++ programming languages ensures the malicious software's high efficiency and reliability.
Since its launch, RansomHub has affected 45 victims across 18 countries, with the most significant activity observed in the IT sector. RansomHub affiliates often engage in "big game hunting," targeting high-value entities that are more likely to pay substantial ransoms due to severe financial consequences of downtime or data loss. In a notable case, RansomHub affiliates exploited misconfigured Amazon S3 instances to access backups from their primary target and other clients using the same backup provider.

Recently, RansomHub attracted attention by selling 4 TB of data stolen from Change Healthcare, a US-based healthcare technology company. This underscores the platform's ability to inflict significant damage and extract valuable data from targeted organisations.

Analysis of Typical RansomHub Threats for Mac, Windows, and Linux

The Recorded Future Insikt group’s analysis revealed code similarities between RansomHub and other groups like ALPHV (BlackCat) and Knight Ransomware, indicating potential connections or shared resources among criminal networks. RansomHub’s strategy of using passwords to decrypt embedded configurations complicates the malware's dynamic analysis for threat research.
The Insikt group obtained three RansomHub samples and the smbexec.exe tool provided to affiliates to spread the malware via the server message block (SMB) protocol. These ransomware samples are designed to attack Windows, Linux, and ESXi systems.
The RansomHub variant for ESXi employs a unique tactic, creating a file named /tmp/app.pid to prevent multiple instances from running simultaneously. Altering this file can stop the ransomware, presenting a potential mitigation strategy for affected systems.
Command Line Arguments
Each of the three RansomHub variants requires the -pass argument upon execution. This value decrypts the embedded configuration, providing instructions for the specific RansomHub sample. Entering an incorrect password results in RansomHub not executing correctly and displaying a "bad config" message in the console.
Configuration Keys
The configuration keys are identical across all three variants. The settings configuration key, detailed in each variant section, contains each operating system's specifics.
Configuration Keys:
● master_public_key: Curve25519 public key used for file encryption.
● extension: Extension appended to encrypted files; default is the first six characters of the public key.
● note_file_name: Ransom note filename; default README_<first six characters of public key>.txt.
● note_full_text: Full text of the ransom note; default in Appendix B.
● note_short_text: Short version of the ransom note; default "Your data is stolen and encrypted, see README_<first six characters of public key>.txt."
● settings: OS-specific settings, such as kill_processes and kill_services in Windows, indicating which processes and services need to be stopped.
Ransomware Encryption Method
ESXi
A separate thread processes each file in the target directories. Files are encrypted with ChaCha20, and Curve25519 is used to generate a "victim" public/private key pair. /dev/urandom supplies a 32-byte ChaCha20 nonce and a 32-byte shared secret. The encrypted file carries a 113-byte footer containing the victim's public key, the ChaCha20 nonce, the encrypted block count, and the attacker's public key.
Windows and Linux
The Windows and Linux variants use goroutines to speed up the encryption process. They compare files against a blacklist of folders and files, skipping those that match. File encryption follows these steps:
1. Renaming the file to filename.<configured extension>;
2. Generating a random 32-byte number for the private key;
3. Creating the first ECDH shared secret with edwards25519;
4. Generating an AES key for file encryption using the second ECDH shared secret;
5. Generating a second random 32-byte number as the IV for AES encryption;
6. Encrypting the file using AES in CTR mode;
7. Writing the encrypted content and adding a footer.
Windows Variant Commands
The Windows sample supports the following command-line arguments:
● -disable-net: Disables the network before execution.
● -host: Processes only SMB hosts within the specified host.
● -only-local: Encrypts only local disks.
● -pass: Configuration password.
● -path: Processes files only in the specified paths.
● -safeboot: Reboots in safe mode before execution.
● -safeboot-instance: Runs as an instance in safe mode.
● -sleep: Delays execution.
● -verbose: Logs to the console.
Analysis
Analysing a RansomHub sample with correct command-line arguments reveals the following execution flow:
● powershell.exe -Command "Get-VM | Stop-VM -Force": Stops virtual machines.
● cmd.exe /c iisreset.exe /stop: Stops IIS services.
● powershell.exe -Command "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance": Deletes shadow copies.

Risk Mitigation Measures

The Insikt group has developed YARA and Sigma rules to detect RansomHub's presence or activity in your environment. These rules cover variants for ESXi, Linux, and Windows. Additionally, analysts can check endpoint logs for command-line executions used by RansomHub to stop virtual machines, delete shadow copies, and halt the Internet Information Service (IIS).
Commands to Monitor:
● powershell.exe -Command PowerShell -Command ""Get-VM | Stop-VM -Force""
● cmd.exe /c iisreset.exe /stop
● powershell.exe -Command PowerShell -Command ""Get-CimInstance Win32_ShadowCopy | Remove-CimInstance""
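As an added example (not code from the Recorded Future report or from this article), the following Python script applies the three command-line patterns above to constructed Sysmon-style process-creation log lines. The regular expressions are deliberately tolerant of case, extra whitespace, and the doubled quotes that appear when the nested PowerShell command is written to the log; the sample lines, the signature names and the "high" threshold are assumptions made for the illustration.

```python
import re

# Constructed sample process-creation log lines (Sysmon Event ID 1 style).
# Three reproduce the commands listed above; two are benign look-alikes.
SAMPLE_LOGS = [
    'CommandLine: powershell.exe -Command PowerShell -Command ""Get-VM | Stop-VM -Force""',
    'CommandLine: cmd.exe /c iisreset.exe /stop',
    'CommandLine: powershell.exe -Command PowerShell -Command ""Get-CimInstance Win32_ShadowCopy | Remove-CimInstance""',
    'CommandLine: powershell.exe -Command "Get-VM | Select-Object Name"',
    'CommandLine: cmd.exe /c iisreset.exe /restart',
]

# One regex per command to monitor. \s* around the pipe absorbs spacing
# differences; re.I covers casing; the doubled quotes are simply not matched on.
SIGNATURES = {
    "stop_hyperv_vms": re.compile(r"get-vm\s*\|\s*stop-vm\s+-force", re.I),
    "stop_iis": re.compile(r"iisreset(\.exe)?\s+/stop\b", re.I),
    "delete_shadow_copies": re.compile(r"win32_shadowcopy\s*\|\s*remove-ciminstance", re.I),
}


def match_line(line):
    """Return the names of every signature that fires on a single log line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


def scan(lines):
    """Return (line_index, signature_name) pairs for every hit in the log."""
    hits = []
    for i, line in enumerate(lines):
        for name in match_line(line):
            hits.append((i, name))
    return hits


def assess(lines):
    """Summarise a host's log: distinct techniques seen and a coarse severity.

    A single hit can be an administrator; two or more of these three commands
    on one host in the same log window is treated as high (assumed threshold).
    """
    seen = sorted({name for _, name in scan(lines)})
    severity = "high" if len(seen) >= 2 else ("medium" if seen else "none")
    return {"techniques": seen, "severity": severity}


if __name__ == "__main__":
    for i, name in scan(SAMPLE_LOGS):
        print(f"line {i}: {name}")
    print(assess(SAMPLE_LOGS))
```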

Best Practices for Organisational Protection

To effectively reduce the risk of ransomware infection, organisations should follow these general recommendations:
● Network isolation — Segment your network to limit ransomware lateral movement.
● SIEM — Implement a security information and event management system for centralised logging and detection.
● Endpoint detection — Use EDR with YARA and Sigma rules.
● Least-privilege access — Enforce minimal privilege access and multifactor authentication for remote access services.
● Regular backups — Conduct regular backups and store them offline or in isolated segments.
● Provider assessment — Collaborate with cybersecurity service providers for ongoing system audits.
● Patch management — Keep all software applications and operating systems updated with the latest patches and updates.
● Recorded Future Hunting Packages — For malware detection, use YARA and Sigma rules similar to those in Recorded Future Hunting Packages, or Snort rules for endpoint detection.

Recommendations and Conclusions

RansomHub is one of the newest and most dangerous RaaS platforms, exploiting vulnerabilities in operating systems such as Windows, Linux, and ESXi. Cybercriminals' "big game hunting" strategy has already caused dozens of major organisations to suffer.
To effectively counter the threats associated with RansomHub, researchers recommend implementing comprehensive cybersecurity measures, such as using YARA and Sigma rules to detect ransomware presence, conducting regular backups, network segmentation, implementing SIEM systems, and enforcing minimal privilege access.
For a detailed overview, refer to the full Recorded Future report.