RansomHub Ransomware Group Strikes 210 Victims in Key Industries


Recent Surge in Ransomware Attacks Linked to RansomHub Group and Evolution of Extortion Tactics

The U.S. government has identified a new ransomware group, RansomHub, that has targeted at least 210 victims across various sectors since its emergence in February 2024. Known for its ransomware-as-a-service model, RansomHub has attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.

According to ZeroFox, RansomHub’s activity has been on an upward trajectory, with the group accounting for approximately 2% of all ransomware attacks in Q1 2024, rising to 14.2% in Q3. The group employs the double extortion model, exfiltrating data and encrypting systems to extort victims.

RansomHub gains initial access to victim environments by exploiting known security vulnerabilities in various devices. Affiliates then conduct reconnaissance and network scanning using tools like AngryIPScanner and Nmap. The group also disables antivirus software to evade detection.

One notable aspect of RansomHub attacks is the use of intermittent encryption to speed up the encryption process, and data exfiltration has been observed through various methods. The rise of RansomHub comes amidst a broader evolution in ransomware attacks, moving towards complex extortion strategies like triple and quadruple extortion schemes.

The lucrative nature of ransomware-as-a-service models has led to a surge in new variants, prompting even Iranian nation-state actors to collaborate with known groups for a share of illicit proceeds. The evolving landscape of ransomware threats underscores the need for robust cybersecurity measures to protect against such attacks.
