RansomHub, previously known as Cyclops and Knight, has quickly gained traction, targeting over 210 victims across US critical infrastructure sectors. This ransomware-as-a-service (RaaS) model has been active since February 2024.
The affected sectors include water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.
This was revealed in a new joint Cybersecurity Advisory issued by the FBI, CISA, MS-ISAC, and the Department of Health and Human Services (HHS). The advisory is part of the broader #StopRansomware campaign, which aims to help network defenders protect against various ransomware variants and threat actors.
The advisory highlights various tactics, techniques, and procedures (TTPs) used by RansomHub affiliates, who have recently attracted high-profile actors from other notorious ransomware variants such as LockBit and ALPHV.
How RansomHub Operates
The ransomware operates on a double-extortion model, encrypting and exfiltrating data to coerce victims into paying ransoms.
Unusually, instead of including the ransom demand in the initial attack, RansomHub directs targets to a Tor website, where they are provided with a unique client ID and instructions on how to proceed.
Depending on the affiliate, the ransom note usually gives victims between three and 90 days to cough up the ransom before the gang publishes their data on the RansomHub Tor data leak site.
To date, RansomHub has claimed many prominent victims, including Frontier Communications, Christie’s Auction House, Change Healthcare, and oil field services firm Halliburton.
Mitigations to Defend Against RansomHub Ransomware
The joint advisory issued by the FBI, CISA, MS-ISAC, and HHS outlines a comprehensive set of mitigations to protect organizations from the growing threat posed by RansomHub ransomware.
These recommendations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which are designed to help organizations strengthen their cybersecurity posture against the most common and impactful threats.
Network Defenders – Mitigations
CISA and NIST recommend organizations implement the following mitigations to strengthen their cybersecurity posture against threats like RansomHub:
Recovery and Backup:
- Develop a recovery plan with multiple copies of sensitive data stored separately and securely (such as hard drive, storage device, cloud).
- Maintain offline backups that are encrypted, immutable, and cover the entire data infrastructure.
Password Policies:
- Enforce NIST standards for password management (8-64 characters, hashed storage, no reuse, lockouts for failed attempts, avoid frequent resets).
- Require administrator credentials for software installation.
System and Software Updates:
- Keep all systems, software, and firmware up to date, prioritizing patches for known vulnerabilities.
Authentication and Access Control:
- Mandate phishing-resistant multifactor authentication (MFA) for admin accounts and standard MFA for critical services.
- Implement network segmentation to limit ransomware spread and enforce least privilege access.
Monitoring and Detection:
- Utilize network monitoring tools, including endpoint detection and response (EDR) systems, to detect abnormal activities.
- Regularly audit user accounts, disable unused ports, and review domain controllers for unrecognized accounts.
Email and Script Security:
- Enforce email security policies, disable macros by default, and consider email banners for external messages.
- Disable hyperlinks in received emails and restrict command-line and scripting activities to prevent privilege escalation.
Additional Security Practices:
- Implement secure logging, maintain antivirus software with real-time detection, and apply time-based access for admin accounts.
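The password-policy item above (8-64 characters, hashed storage, no reuse, lockouts for failed attempts, no forced periodic resets) is easy to state and easy to get wrong in code. The following is an added example, not code from the advisory or from this post, showing one way to implement those rules together: salted PBKDF2 hashing, a reuse check against recent hashes, and a failed-attempt counter that locks the account. The lockout threshold, history depth, PBKDF2 work factor, and the small common-password blocklist are assumed values chosen for the example; the advisory names none of them.

```python
"""Constructed example: NIST SP 800-63B-style password handling.
Covers length bounds, salted hashing, reuse prevention and lockout.
Not code from the advisory; all tunables below are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 8, 64       # length bounds named in the advisory
LOCKOUT_THRESHOLD = 5          # assumed: the advisory says "lockouts", not a number
HISTORY_DEPTH = 5              # assumed: number of old hashes kept for the reuse check
PBKDF2_ITERATIONS = 100_000    # assumed work factor; raise it as hardware allows
SALT_BYTES = 16
# Assumed, constructed blocklist; a real deployment uses a large breach/common list.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop"}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated if none is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def policy_violations(password: str) -> list[str]:
    """Return every reason the password fails the policy (empty list means OK)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest)
    failed_attempts: int = 0
    locked: bool = False
    # Deliberately no expiry field: the policy avoids forced periodic resets and
    # rotates only when a compromise is suspected.


def create_account(password: str) -> Account:
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    return Account(salt, digest)


def _was_used_before(acct: Account, candidate: str) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False


def change_password(acct: Account, new_password: str) -> None:
    problems = policy_violations(new_password)
    if _was_used_before(acct, new_password):
        problems.append("matches a recently used password")
    if problems:
        raise ValueError("; ".join(problems))
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new_password)


def verify_login(acct: Account, password: str) -> bool:
    """Check a login attempt; lock the account after LOCKOUT_THRESHOLD failures."""
    if acct.locked:
        return False
    if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return False


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    print("login ok:", verify_login(acct, "correct horse battery staple"))
    for _ in range(LOCKOUT_THRESHOLD):
        verify_login(acct, "wrong guess")
    print("locked after repeated failures:", acct.locked)
```

Two points worth noting: the reuse check never stores plaintext, it re-hashes the candidate under each retained salt, and the lockout counter resets only on a successful login, so a locked account stays locked until an administrator intervenes (unlocking and alerting are left to the surrounding system).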
Mitigations for Software Manufacturers
CISA stresses that software manufacturers play a crucial role in mitigating security risks by embedding security into their product architecture throughout the entire software development lifecycle (SDLC). They are encouraged to make security a default feature, including mandating phishing-resistant multifactor authentication (MFA) for privileged users, instead of leaving these measures as optional.
By adopting secure-by-design principles, manufacturers can reduce vulnerabilities such as misconfigurations and weak passwords, thereby relieving customers of the burden of making additional security enhancements. These efforts align with the guidelines outlined in CISA’s “Shifting the Balance of Cybersecurity Risk” guide, encouraging manufacturers to deliver products that are secure “out of the box.”
CISA also recommends that organizations regularly test and validate their security controls against the MITRE ATT&CK for Enterprise framework. This process involves selecting ATT&CK techniques relevant to their environment, aligning and testing their security technologies against these techniques, and analyzing the performance of detection and prevention measures. By continually refining their security programs based on these assessments, organizations can ensure that their defenses remain robust against evolving threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.