InfoSecBulletin Cybersecurity for mankind
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data from at least 210 victims using encryption and double extortion techniques.
The group targeted various organizations, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. They also targeted critical infrastructure in manufacturing, transport, and communications.
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
The advisory note provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and steps organizations can take to protect themselves.
RansomHub’s Tactics, Techniques and Procedures:
RansomHub uses double extortion by encrypting systems and stealing data to extort victims, according to CISA, the US cyber defense agency. The method of data theft depends on the affiliate who has infiltrated the victim’s network.
Agencies state that RansomHub affiliates usually attack internet systems and user endpoints. They do this by using phishing, password spraying (targeting compromised accounts from password breaches), and exploiting known vulnerabilities.
Once the group’s members access the network, they will encrypt data and leave a ransom note, but they usually don’t specify a ransom amount or payment details. Instead, victims receive a client ID and are told to contact the group through a .onion URL using the Tor browser. Researchers explain that victims are usually given 3-90 days to pay, or else their data will be published on the RansomHub Tor data leak site.
The group employs the elliptic curve encryption algorithm Curve 25519 for data encryption, utilizing intermittent encryption. The ransomware focuses on encrypting data and usually avoids encrypting executable files.
CISA’s advisory mentions IP addresses and email addresses as possible signs of compromise, many related to QakBot.
How to Respond to RansomHub Attacks:
If victims think they’ve been targeted by a RansomHub affiliate, the agencies recommend taking any affected hosts offline, reformatting them, and creating new account credentials. They should also keep an eye on their systems for any suspicious activity.
CISA and its partners recommend keeping separate backups of data, following NIST’s password policies, and testing security controls.
The FBI, CISA, MS-ISAC, and HHS issued the #StopRansomware joint Cybersecurity Advisory notes.
