RansomHub ransomware breached 210 victims since February

FBI: RansomHub ransomware breached 210 victims since February from a wide range of critical U.S. infrastructure sectors.

This relatively new ransomware-as-a-service (RaaS) operation extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail. The ransomware group focuses on data-theft-based extortion rather than encrypting victims’ files, although they were also identified as potential buyers of Knight ransomware source code.

Since the start of the year, RansomHub has claimed responsibility for breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie’s auction house, U.S. telecom provider Frontier Communications, and oil services giant Halliburton. Frontier Communications later warned over 750,000 customers their personal information was exposed in a data breach.

RansomHub’s data leak site also leaked stolen Change Healthcare data after the BlackCat/ALPHV ransomware operation shut down.

A joint advisory released today by the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) also confirms that the threat actors target their victims in double-extortion attacks.

The federal agencies said RansomHub (formerly known as Cyclops and Knight) “has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).”

“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors,” the advisory adds.

The four authoring agencies advised network defenders to implement the recommendations in today’s advisory to reduce the risk and impact of RansomHub ransomware attacks.

They should focus on patching vulnerabilities already exploited in the wild and use strong passwords and multifactor authentication (MFA) for webmail, VPN, and accounts linked to critical systems. It’s also recommended to keep software updated and conduct vulnerability assessments as a standard part of security protocols.

The four agencies also provide RansomHub indicators of compromise (IOCs) and information on their affiliates’ tactics, techniques, and procedures (TTPs) identified during FBI investigations as recently as August 2024.

“The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered,” the federal agencies added.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”