Thursday , April 24 2025
Ransomhub

RansomHub exfiltrated data over 210 victims: US alert

US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data from at least 210 victims using encryption and double extortion techniques.

The group targeted various organizations, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. They also targeted critical infrastructure in manufacturing, transport, and communications.

SonicWall patched SSLVPN Vuln Allowing Firewall Crashing

SonicWall has revealed a vulnerability in its SonicOS SSLVPN Virtual Office interface that could let remote attackers crash firewall appliances....
Read More
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing

GitLab Releases Security Update For Multiple Vulns

GitLab has announced a security advisory urging users to upgrade their self-managed installations right away. Versions 17.11.1, 17.10.5, and 17.9.7...
Read More
GitLab Releases Security Update For Multiple Vulns

ISPAB president “whatsapp” got hacked via phishing link

Imdadul Haque, the president of Internet Service Provider of Bangladesh (ISPAB) said, I automatically got back my WhatsApp account. What...
Read More
ISPAB president “whatsapp” got hacked via phishing link

Zyxel released patches 2 vulns in its USG FLEX H series firewalls

Zyxel Networks has issued critical security patches for two high-severity vulnerabilities in its USG FLEX H series firewalls. These flaws...
Read More
Zyxel released patches 2 vulns in its USG FLEX H series firewalls

South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked

South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related...
Read More
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked

ChatGPT Develops Exploit for CVEs Before Public PoCs Share

Security researcher Matt Keeley showed that artificial intelligence can now develop working exploits for critical vulnerabilities before public proof-of-concept (PoC)...
Read More
ChatGPT Develops Exploit for CVEs Before Public PoCs Share

TP-Link Router Vulns Allow to Execute Malicious SQL Commands

Several vulnerabilities have been found in TP-Link routers, exposing users to serious security risks from SQL injection flaws in their...
Read More
TP-Link Router Vulns Allow to Execute Malicious SQL Commands

SSL.com’s domain validation system’s bug found: Hacker exploited

SSL.com has revealed a major security flaw in its domain validation system, which could enable attackers to acquire fake SSL...
Read More
SSL.com’s domain validation system’s bug found: Hacker exploited

Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals

Amazon has paused some data center lease negotiations for its cloud division, particularly in international markets, according to Wells Fargo...
Read More
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals

Hackers Exploit Zoom’s Remote Control Feature for System Access

ELUSIVE COMET is a threat actor conducting a sophisticated attack campaign that uses Zoom's remote control feature to access victims'...
Read More
Hackers Exploit Zoom’s Remote Control Feature for System Access

The advisory note provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and steps organizations can take to protect themselves.

RansomHub’s Tactics, Techniques and Procedures:

RansomHub uses double extortion by encrypting systems and stealing data to extort victims, according to CISA, the US cyber defense agency. The method of data theft depends on the affiliate who has infiltrated the victim’s network.

Agencies state that RansomHub affiliates usually attack internet systems and user endpoints. They do this by using phishing, password spraying (targeting compromised accounts from password breaches), and exploiting known vulnerabilities.

Once the group’s members access the network, they will encrypt data and leave a ransom note, but they usually don’t specify a ransom amount or payment details. Instead, victims receive a client ID and are told to contact the group through a .onion URL using the Tor browser. Researchers explain that victims are usually given 3-90 days to pay, or else their data will be published on the RansomHub Tor data leak site.

The group employs the elliptic curve encryption algorithm Curve 25519 for data encryption, utilizing intermittent encryption. The ransomware focuses on encrypting data and usually avoids encrypting executable files.

CISA’s advisory mentions IP addresses and email addresses as possible signs of compromise, many related to QakBot.

How to Respond to RansomHub Attacks:

If victims think they’ve been targeted by a RansomHub affiliate, the agencies recommend taking any affected hosts offline, reformatting them, and creating new account credentials. They should also keep an eye on their systems for any suspicious activity.

CISA and its partners recommend keeping separate backups of data, following NIST’s password policies, and testing security controls.

The FBI, CISA, MS-ISAC, and HHS issued the #StopRansomware joint Cybersecurity Advisory notes.

Check Also

ransomware

Bengaluru firm got ransomware attack, Hacker demanded $70,000

Bengaluru’s Whiteboard Technologies Pvt Ltd was hit by a ransomware attack, with hackers demanding a …

Leave a Reply

Your email address will not be published. Required fields are marked *