By Cian Heasley, Threat Lead at Adarma
RansomHub is a sophisticated and rapidly emerging force within the ransomware ecosystem, operating as a highly organised ransomware-as-a-service (RaaS) platform on the dark web. Since its debut in February 2024, RansomHub has distinguished itself by providing a comprehensive, user-friendly service that enables even those with minimal technical expertise to launch ransomware attacks.
RansomHub’s platform manages the complex aspects of ransomware campaigns, including encryption, payment processing, and victim communication, allowing affiliates to focus on the distribution of ransomware. In return, RansomHub typically claims a significant portion of the ransom payments, reflecting its integral role in the operation.
RansomHub has quickly gained traction, targeting multiple sectors with its attacks. Notably, the group’s activities have intensified following the law enforcement crackdowns on other prominent ransomware groups such as ALPHV (BlackCat) and LockBit in late 2023 and early 2024. In March 2024, RansomHub initiated a recruitment drive on underground forums, likely aiming to absorb affiliates from these disrupted groups. This recruitment effort has reportedly attracted resources and talent from affiliates previously associated with ALPHV and LockBit, further solidifying RansomHub’s position in the cybercriminal underworld.
Evidence of RansomHub’s growing influence includes its apparent links to ALPHV, in the form of shared source code and tactics. In April 2024, RansomHub briefly listed Change Healthcare, a subsidiary of UnitedHealth Group, on its extortion leak site before removing the entry, possibly indicating that a ransom was paid. This listing followed a February 2024 attack on Change Healthcare, initially attributed to an ALPHV affiliate, who later leaked the stolen data to RansomHub after ALPHV carried out an exit scam.
The group has also expanded its operations to critical infrastructure, targeting industrial control systems (ICS) in various attacks. For instance, RansomHub is suspected of having disabled Supervisory Control and Data Acquisition (SCADA) systems during an attack on a Serbian gas storage provider. The group also disrupted operations at a Spanish biogas energy facility and a Colombian electricity distribution company. While ICS-targeting ransomware is not new, RansomHub’s increasing focus on such high-impact targets suggests a potential escalation in the threat level posed by this group.
Given RansomHub’s rapid growth and aggressive recruitment strategies, it is poised to become one of the most prominent RaaS platforms of 2024, with a significant capability to inflict widespread disruption across various industries.
Operational Structure: RansomHub operates with a decentralised structure, allowing various criminal groups to collaborate while maintaining a level of anonymity. It provides tools for affiliates to execute ransomware campaigns, making it an attractive option for less technically skilled cybercriminals.
Encryption and Decryption: The platform uses advanced encryption techniques to lock victims’ files, demanding payment, typically in cryptocurrency, for the decryption key. The use of robust encryption methods ensures that victims have little to no alternative but to pay the ransom.
Payment Mechanisms: RansomHub often handles the financial transactions involved in the ransom payments. Payments are usually demanded in Bitcoin or other cryptocurrencies to ensure anonymity and reduce traceability.
Targeting and Distribution: Affiliates using RansomHub can customise their campaigns to target specific industries or geographic regions. The platform provides access to various distribution methods, including phishing emails and exploit kits, to maximise the spread of their ransomware.
Victim Communication: RansomHub includes built-in communication channels that allow victims to negotiate with the attackers. This feature is designed to facilitate payment and increase the likelihood of a successful ransom transaction.
RansomHub exemplifies the evolving threat landscape where cybercrime services are increasingly professionalised, making it imperative for organisations to adopt a multi-layered defence strategy to mitigate these risks.
Proactive Monitoring: Organisations should employ advanced dark web monitoring tools to detect mentions of their data or vulnerabilities before platforms like RansomHub exploit them.
Employee Training: Regular cybersecurity awareness training can help prevent phishing attacks, a common method for distributing ransomware.
Robust Backup Solutions: Maintaining regular, offline backups of critical data can minimise the impact of a ransomware attack, allowing businesses to restore operations without paying a ransom.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risk by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customers’ specific security requirements and business goals. Our expertise ensures a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.