The actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed using now-patched security vulnerabilities in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of their post-compromise strategy.

RansomHub has targeted over 600 organizations globally, spanning various sectors such as healthcare, finance, government, and critical infrastructure, establishing itself as the most active ransomware group in 2024, according to Group-IB analysts in an exhaustive report published this week.

This ransomware group first emerged in February 2024, acquiring the source code associated with the now-defunct Knight (formerly Cyclops) RaaS gang from the RAMP cybercrime forum to accelerate its operations. Approximately five months later, an updated version of the locker was advertised on the illicit marketplace with capabilities to remotely encrypt data via the SFTP protocol.

RansomHub comes in multiple variants that can encrypt files on Windows, VMware ESXi, and SFTP servers. The group has also been observed actively recruiting affiliates from LockBit and BlackCat groups as part of a partnership program, indicating an attempt to capitalize on law enforcement actions targeting its rivals.

In the analyzed incident, the threat actor attempted to exploit a critical flaw impacting Palo Alto Networks PAN-OS devices (CVE-2024-3400) using a publicly available proof-of-concept (PoC) before ultimately breaching the victim network via a brute-force attack against the VPN service.

This brute-force attempt used an enriched dictionary of over 5,000 usernames and passwords. The attacker eventually gained access through a default account commonly used by data backup solutions, breaching the perimeter.

The initial access was then abused to carry out the ransomware attack, with both data encryption and exfiltration occurring within 24 hours of the compromise.

Notably, the attack involved the exploitation of two known security vulnerabilities in Active Directory (CVE-2021-42278, aka noPac) and the Netlogon protocol (CVE-2020-1472, aka ZeroLogon) to seize control of the domain controller and conduct lateral movement across the network.

The exploitation of these vulnerabilities enabled the attacker to gain full privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure, according to the researchers.
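As an added example, not code from the Group-IB report or this article, the following Python flags the two domain-controller attacks named above (noPac's sAMAccountName spoofing and Zerologon's anonymous machine-account password reset) using fields of Windows Security event ID 4742, "A computer account was changed"; the event records, the field names and the DC account name are constructed and simplified.

```python
# Defender-side triage of Windows Security event 4742 records for the two
# domain-controller attacks mentioned in the article:
#   - CVE-2021-42278 (noPac): a computer account's sAMAccountName is changed to a
#     value without the trailing '$', typically colliding with a DC's name.
#   - CVE-2020-1472 (Zerologon): a DC machine account's password is reset by
#     an unauthenticated caller, which shows up as subject ANONYMOUS LOGON.
# Assumption: records are flattened dicts with the 4742 description fields,
# where "-" means "attribute unchanged".

DC_ACCOUNTS = {"DC01$"}  # constructed: the environment's DC machine accounts

EVENTS = [  # constructed sample records
    {"EventID": 4742, "SubjectUserName": "jsmith", "TargetUserName": "WKS-7$",
     "SamAccountName": "-", "PasswordLastSet": "-"},            # benign change
    {"EventID": 4742, "SubjectUserName": "jsmith", "TargetUserName": "FAKE01$",
     "SamAccountName": "DC01", "PasswordLastSet": "-"},         # noPac rename
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "SamAccountName": "-", "PasswordLastSet": "1/15/2025 10:03:11 AM"},  # Zerologon
]


def classify(event):
    """Return a verdict string for a suspicious 4742 record, else None."""
    if event.get("EventID") != 4742:
        return None
    new_name = event.get("SamAccountName", "-")
    if new_name != "-" and not new_name.endswith("$"):
        # A machine account renamed to a name without '$'; if it equals a DC's
        # hostname the KDC will resolve tickets for it to the real DC.
        if f"{new_name}$" in DC_ACCOUNTS:
            return "noPac-candidate: sAMAccountName now collides with a DC name"
        return "noPac-candidate: sAMAccountName changed to a name without '$'"
    if (event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and event.get("TargetUserName") in DC_ACCOUNTS
            and event.get("PasswordLastSet", "-") != "-"):
        return "Zerologon-candidate: DC machine account password reset by ANONYMOUS LOGON"
    return None


def scan(events):
    """Return (target account, verdict) pairs for every flagged record."""
    return [(e["TargetUserName"], v) for e in events if (v := classify(e))]


if __name__ == "__main__":
    for target, verdict in scan(EVENTS):
        print(f"{target}: {verdict}")
```

A real deployment would read these fields from the event's EventData XML and would also correlate with event 4741 (computer account created) shortly before the rename.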

Following the completion of the exfiltration operations, the attacker prepared the environment for the final phase of the attack, rendering all company data completely unreadable and inaccessible, with the aim of forcing the victim to pay the ransom to retrieve their data.

Another notable aspect of the attack is the use of PCHunter to stop and bypass endpoint security solutions, as well as Filezilla for data exfiltration.

The origins of the RansomHub group, its offensive operations, and its overlapping characteristics with other groups confirm the existence of a vibrant cybercrime ecosystem, where tools and source code are shared, reused, and rebranded, fueling a robust underground market.

The development comes as the cybersecurity firm detailed the inner workings of a “formidable RaaS operator” known as Lynx, shedding light on their affiliate workflow, cross-platform ransomware arsenal, and customizable encryption modes.

An analysis of the ransomware’s Windows and Linux versions reveals that it closely resembles INC ransomware, indicating that the threat actors likely acquired the latter’s source code.

Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy, and Lynx recently added multiple encryption modes, giving affiliates the freedom to adjust the trade-off between speed and depth of file encryption.