InfoSecBulletin Cybersecurity for mankind
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data from at least 210 victims using encryption and double extortion techniques.
The group targeted various organizations, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. They also targeted critical infrastructure in manufacturing, transport, and communications.
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack
Daily Security Update Dated: 21.01.2025
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems
CERT-UA alerts about “security audit” requests through AnyDesk
Oracle Critical Pre-Release update addressed 320 flaw
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS
Intel holds 22 employees from one Bangladeshi University
VPN Surge 1500% in USA after TikTok Shut Down
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology
The advisory note provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and steps organizations can take to protect themselves.
RansomHub’s Tactics, Techniques and Procedures:
RansomHub uses double extortion by encrypting systems and stealing data to extort victims, according to CISA, the US cyber defense agency. The method of data theft depends on the affiliate who has infiltrated the victim’s network.
Agencies state that RansomHub affiliates usually attack internet systems and user endpoints. They do this by using phishing, password spraying (targeting compromised accounts from password breaches), and exploiting known vulnerabilities.
Once the group’s members access the network, they will encrypt data and leave a ransom note, but they usually don’t specify a ransom amount or payment details. Instead, victims receive a client ID and are told to contact the group through a .onion URL using the Tor browser. Researchers explain that victims are usually given 3-90 days to pay, or else their data will be published on the RansomHub Tor data leak site.
The group employs the elliptic curve encryption algorithm Curve 25519 for data encryption, utilizing intermittent encryption. The ransomware focuses on encrypting data and usually avoids encrypting executable files.
CISA’s advisory mentions IP addresses and email addresses as possible signs of compromise, many related to QakBot.
How to Respond to RansomHub Attacks:
If victims think they’ve been targeted by a RansomHub affiliate, the agencies recommend taking any affected hosts offline, reformatting them, and creating new account credentials. They should also keep an eye on their systems for any suspicious activity.
CISA and its partners recommend keeping separate backups of data, following NIST’s password policies, and testing security controls.
The FBI, CISA, MS-ISAC, and HHS issued the #StopRansomware joint Cybersecurity Advisory notes.
