InfoSecBulletin Cybersecurity for mankind
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data from at least 210 victims using encryption and double extortion techniques.
The group targeted various organizations, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. They also targeted critical infrastructure in manufacturing, transport, and communications.
Alert! Google Fixes GCP Composer Flaw
CTF in Bangladesh: Unveiling Challenges, Opportunities and remedies
Bitdefender blog post
Medusa target Fortinet flaw (CVE-2023-48788) for Ransomware Attacks
Ivanti alerts ongoing exploitation of recently patched CAV
CISA unveils 25 new advisories for Industrial Control Systems
Intel Issues Alert on 20+ Vulnerabilities, Urges Firmware Updates
Urgent: GitLab Patches flaws allowing unapproved pipeline Job Execution
Fortinet admits data breach after hacker claims to steal 440GB
Gov.t issues high alert on android devices
TD Bank fined $28 million for sharing customer data
The advisory note provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and steps organizations can take to protect themselves.
RansomHub’s Tactics, Techniques and Procedures:
RansomHub uses double extortion by encrypting systems and stealing data to extort victims, according to CISA, the US cyber defense agency. The method of data theft depends on the affiliate who has infiltrated the victim’s network.
Agencies state that RansomHub affiliates usually attack internet systems and user endpoints. They do this by using phishing, password spraying (targeting compromised accounts from password breaches), and exploiting known vulnerabilities.
Once the group’s members access the network, they will encrypt data and leave a ransom note, but they usually don’t specify a ransom amount or payment details. Instead, victims receive a client ID and are told to contact the group through a .onion URL using the Tor browser. Researchers explain that victims are usually given 3-90 days to pay, or else their data will be published on the RansomHub Tor data leak site.
The group employs the elliptic curve encryption algorithm Curve 25519 for data encryption, utilizing intermittent encryption. The ransomware focuses on encrypting data and usually avoids encrypting executable files.
CISA’s advisory mentions IP addresses and email addresses as possible signs of compromise, many related to QakBot.
How to Respond to RansomHub Attacks:
If victims think they’ve been targeted by a RansomHub affiliate, the agencies recommend taking any affected hosts offline, reformatting them, and creating new account credentials. They should also keep an eye on their systems for any suspicious activity.
CISA and its partners recommend keeping separate backups of data, following NIST’s password policies, and testing security controls.
The FBI, CISA, MS-ISAC, and HHS issued the #StopRansomware joint Cybersecurity Advisory notes.
