RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations Globally

The Hacker News by The Hacker News
February 14, 2025

The threat actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of their post-compromise strategy.

“RansomHub has targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024,” Group-IB analysts said in an exhaustive report published this week.

The ransomware group first emerged in February 2024, acquiring the source code associated with the now-defunct Knight (formerly Cyclops) RaaS gang from the RAMP cybercrime forum to speed up its operations. About five months later, an updated version of the locker was advertised on the illicit marketplace with the capability to remotely encrypt data over the SFTP protocol.

The locker comes in multiple variants capable of encrypting files on Windows, VMware ESXi, and SFTP servers. RansomHub has also been observed actively recruiting affiliates from the LockBit and BlackCat groups as part of a partnership program, indicating an attempt to capitalize on the law enforcement actions targeting its rivals.

In the incident analyzed by the Singaporean cybersecurity company, the threat actor is said to have unsuccessfully attempted to exploit a critical flaw impacting Palo Alto Networks PAN-OS devices (CVE-2024-3400) using a publicly available proof-of-concept (PoC), before ultimately breaching the victim network by means of a brute-force attack against the VPN service.

“This brute force attempt was based on an enriched dictionary of over 5,000 usernames and passwords,” the researchers said. “The attacker eventually gained access through a default account frequently used in data backup solutions, and the perimeter was finally breached.”

The initial access was then abused to carry out the ransomware attack, with both data encryption and exfiltration occurring within 24 hours of the compromise.
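The brute-force pattern described above (a large username/password dictionary sprayed at the VPN, ending in a successful login on a default backup-solution account) is one a defender can catch from VPN authentication logs. The following is an added detection example written for this article; it is not code from Group-IB, Cybereason, or The Hacker News. The log format (`timestamp user source_ip result`), the watched service-account names, the IPs and the timestamps are all constructed for illustration.

```python
"""Detect a credential brute-force against a VPN that ends in a successful login.

Added example for this article; not code from Group-IB or The Hacker News.
The log format ("timestamp user source_ip result") and every account name,
IP address and timestamp below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defender-maintained list of service/default-style accounts that should never
# authenticate to the VPN (constructed; a real list is site-specific).
WATCHED_SERVICE_ACCOUNTS = frozenset({"backup_svc", "vendor_support"})


def build_sample_log():
    """Construct a log: one source tries 60 usernames in five minutes, then
    succeeds with a service account; an unrelated user logs in normally later."""
    start = datetime(2025, 2, 10, 2, 0, 0)
    lines = []
    for i in range(60):
        ts = start + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user{i:03d} 203.0.113.9 FAIL")
    hit = start + timedelta(minutes=5, seconds=40)
    lines.append(f"{hit:%Y-%m-%dT%H:%M:%SZ} backup_svc 203.0.113.9 SUCCESS")
    later = start + timedelta(hours=7)
    lines.append(f"{later:%Y-%m-%dT%H:%M:%SZ} alice 198.51.100.7 SUCCESS")
    return lines


def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def detect_bruteforce_then_success(lines, window=timedelta(minutes=10),
                                   min_failures=20, min_users=5,
                                   service_accounts=WATCHED_SERVICE_ACCOUNTS):
    """Return one alert per successful login that follows a burst of failures
    from the same source IP within `window`, spread across many usernames
    (the dictionary-driven pattern the report describes)."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    recent_failures = defaultdict(deque)  # source_ip -> deque of (ts, user)
    alerts = []
    for ts, user, src, result in events:
        fails = recent_failures[src]
        # Expire failures that fell out of the sliding window.
        while fails and ts - fails[0][0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append((ts, user))
            continue
        if result != "SUCCESS":
            continue
        tried_users = {u for _, u in fails}
        if len(fails) >= min_failures and len(tried_users) >= min_users:
            alerts.append({
                "time": ts.isoformat(),
                "source": src,
                "user": user,
                "failures_before_success": len(fails),
                "distinct_users_tried": len(tried_users),
                # A spray that lands on a service/default account is the worst
                # case: a shared, rarely rotated credential has been guessed.
                "severity": "high" if user in service_accounts else "medium",
            })
        # A success closes the episode for this source.
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(build_sample_log()):
        print(alert)
```

The thresholds are deliberately conservative (20 failures over at least 5 distinct usernames within 10 minutes) so that a single user mistyping a password does not fire; the severity bump for watched service accounts is the part that would have mattered in the incident described, since the successful account was a default one used by a backup product rather than a person.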

In particular, the intrusion weaponized two known security flaws in Active Directory (CVE-2021-42278, aka noPac) and the Netlogon protocol (CVE-2020-1472, aka ZeroLogon) to seize control of the domain controller and conduct lateral movement across the network.

“The exploitation of the above-mentioned vulnerabilities enabled the attacker to gain full privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure,” the researchers said.
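Both flaws named above leave traces on the domain controller that a defender can hunt for. The following is an added detection example written for this article, not code from Group-IB or Microsoft. It assumes Security-log records already parsed into dicts: for noPac it checks Event 4742 ("A computer account was changed") for a `SamAccountName` change to a value that no longer ends in `$`, which is the renaming step of that technique; for ZeroLogon it looks for the Netlogon audit Event 5829 that patched domain controllers emit when a vulnerable secure-channel connection is still allowed. The field names follow the Windows Security log schema as understood here and are an assumption; the records, host names and timestamps are constructed.

```python
"""Hunt for noPac-style computer renames and vulnerable Netlogon connections
in Windows Security log records.

Added example for this article; not code from Group-IB or Microsoft. Records
are assumed to be dicts with Security-log field names; all sample records,
host names and timestamps are constructed for illustration.
"""

# Constructed: the domain controllers in this environment (site-specific).
KNOWN_DC_NAMES = frozenset({"DC01", "DC02"})

# Constructed sample records.
SAMPLE_EVENTS = [
    # Legitimate computer account change; SamAccountName untouched ("-").
    {"EventID": 4742, "TimeCreated": "2025-02-10T03:10:00Z",
     "SubjectUserName": "svc_sccm", "TargetUserName": "WS22$",
     "SamAccountName": "-"},
    # Legitimate rename that keeps the trailing "$".
    {"EventID": 4742, "TimeCreated": "2025-02-10T03:12:00Z",
     "SubjectUserName": "it_admin", "TargetUserName": "OLDNAME$",
     "SamAccountName": "WS23$"},
    # noPac pattern: a computer account renamed to a DC's name without "$".
    {"EventID": 4742, "TimeCreated": "2025-02-10T03:15:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "WS-FAKE$",
     "SamAccountName": "DC01"},
    # Netlogon audit: vulnerable secure channel connection allowed.
    {"EventID": 5829, "TimeCreated": "2025-02-10T03:20:00Z",
     "Computer": "DC01.corp.example"},
]


def find_nopac_renames(events, dc_names=KNOWN_DC_NAMES):
    """Return 4742 records whose new SamAccountName lacks the trailing '$'.

    Dropping the '$' from a computer account's name is the step that lets the
    technique collide with a domain controller's name; a collision with a known
    DC name is rated high, any other '$'-less rename medium."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name == "-":
            continue  # attribute not changed in this event
        if new_name.endswith("$"):
            continue  # normal computer-account naming
        hits.append({
            "time": ev.get("TimeCreated"),
            "changed_by": ev.get("SubjectUserName"),
            "old_name": ev.get("TargetUserName"),
            "new_name": new_name,
            "severity": "high" if new_name.upper() in dc_names else "medium",
        })
    return hits


def find_vulnerable_netlogon(events):
    """Return Netlogon 5829 records (vulnerable secure channel still allowed).

    On a patched DC these indicate a client that would be blocked once
    enforcement mode is on and should be investigated or remediated."""
    return [ev for ev in events if ev.get("EventID") == 5829]


if __name__ == "__main__":
    for hit in find_nopac_renames(SAMPLE_EVENTS):
        print("noPac candidate:", hit)
    for ev in find_vulnerable_netlogon(SAMPLE_EVENTS):
        print("vulnerable Netlogon channel:", ev)
```

Matching on the missing `$` rather than on a specific tool keeps the rule independent of which noPac implementation was used; the DC-name comparison is what turns a noisy rename into a high-severity finding.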

“Following the completion of the exfiltration operations, the attacker prepared the environment for the final phase of the attack. The attacker operated to render all company data, saved on the various NAS, completely unreadable and inaccessible, as well as impermissible to restore, with the aim of forcing the victim to pay the ransom to get their data back.”

Another notable aspect of the attack is the use of PCHunter to stop and bypass endpoint security solutions, as well as FileZilla for data exfiltration.

“The origins of the RansomHub group, its offensive operations, and its overlapping characteristics with other groups confirm the existence of a vivid cybercrime ecosystem,” the researchers said.

“This environment thrives on the sharing, reusing, and rebranding of tools and source codes, fueling a robust underground market where high-profile victims, infamous groups, and substantial sums of money play central roles.”

The development comes as the cybersecurity firm detailed the inner workings of a “formidable RaaS operator” known as Lynx, shedding light on their affiliate workflow, their cross-platform ransomware arsenal for Windows, Linux, and ESXi environments, and customizable encryption modes.

An analysis of the ransomware’s Windows and Linux versions shows that it closely resembles INC ransomware, indicating that the threat actors likely acquired the latter’s source code.

“Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy,” it said. “Lynx recently added multiple encryption modes: ‘fast,’ ‘medium,’ ‘slow,’ and ‘entire,’ giving affiliates the freedom to adjust the trade-off between speed and depth of file encryption.”

“The group’s recruitment posts on underground forums emphasize a stringent verification process for pentesters and skilled intrusion teams, highlighting Lynx’s emphasis on operational security and quality control. They also offer ‘call centers’ for harassing victims and advanced storage solutions for affiliates who consistently deliver profitable results.”

In recent weeks, financially motivated attacks have also been observed using the Phorpiex (aka Trik) botnet malware propagated via phishing emails to deliver the LockBit ransomware.

“Unlike the past LockBit ransomware incidents, the threat actors relied on Phorpiex to deliver and execute LockBit ransomware,” Cybereason noted in an analysis. “This technique is unique as ransomware deployment usually consists of human operators conducting the attack.”

Another significant initial infection vector concerns the exploitation of unpatched VPN appliances (e.g., CVE-2021-20038) to gain access to internal network devices and hosts and ultimately deploy Abyss Locker ransomware.

The attacks are also characterized by the use of tunneling tools to maintain persistence, as well as leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls.

“After gaining access into the environment and performing reconnaissance, these tunneling tools are strategically deployed on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network attached storage (NAS) devices,” Sygnia researchers said.

“By targeting these devices, the attackers ensure robust and reliable communication channels to maintain access and orchestrate their malicious activities across the compromised network.”

The ransomware landscape – led by threat actors new and old – remains in a state of flux, with attacks pivoting from traditional encryption to data theft and extortion, even as victims increasingly refuse to pay up, leading to a decline in payments in 2024.

“Groups like RansomHub and Akira now incentivize stolen data with big rewards, making these tactics quite lucrative,” cybersecurity firm Huntress said.
