RansomHub Actors Target Organizations via ZeroLogon Vulnerability in New Ransomware Campaigns


Recent Attacks Exploit ZeroLogon Flaw to Deploy RansomHub Ransomware

In the realm of cybersecurity, a new and insidious threat has emerged: the RansomHub ransomware. Recent attacks have used the 2020 ZeroLogon flaw in the Windows Netlogon Remote Protocol to infiltrate victims’ systems, leading to data encryption and ransom demands.

According to researchers at Symantec Broadcom, the attackers behind RansomHub have employed a variety of tools, including remote access products from companies like Atera and Splashtop, as well as network scanners from NetScan, to gain access and gather information before deploying the ransomware payload. The use of these tools highlights the sophisticated nature of the attacks orchestrated by RansomHub.

RansomHub, classified as a ransomware-as-a-service operation, has quickly risen in prominence since its inception in February. Symantec ranks it as the fourth most prolific ransomware strain, with a growing list of victims that includes both smaller organizations and well-known entities like Christie’s Auction House and UnitedHealth Group subsidiary Change Healthcare.

Symantec’s investigation revealed extensive code overlaps between RansomHub and an older ransomware family called Knight, suggesting a shared origin. Given the similarities, it is believed that RansomHub operators acquired the Knight source code and are now repurposing it for their malicious activities.

As RansomHub continues to evolve and expand its operations, cybersecurity experts urge organizations to remain vigilant and ensure that their systems are protected against vulnerabilities like ZeroLogon. The group’s rapid growth and recruitment of former members of other ransomware groups signal a concerning trend in the cybersecurity landscape, highlighting the importance of proactive cybersecurity measures to combat the ever-evolving threat of ransomware.
