InfoSecBulletin Cybersecurity for mankind
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data from at least 210 victims using encryption and double extortion techniques.
The group targeted various organizations, including healthcare, IT, government, emergency services, food and agriculture, and water and wastewater. They also targeted critical infrastructure in manufacturing, transport, and communications.
Eight New ICS Advisories released by CISA
Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI
London-based company “Builder.ai” reportedly exposed 1.2 TB data
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA
CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability
U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports
Daily Security Update Dated: 18.12.2024
CISA released best practices to secure Microsoft 365 Cloud environments
Data breach! Ireland fines Meta $264 million, Australia $50m
The advisory note provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and steps organizations can take to protect themselves.
RansomHub’s Tactics, Techniques and Procedures:
RansomHub uses double extortion by encrypting systems and stealing data to extort victims, according to CISA, the US cyber defense agency. The method of data theft depends on the affiliate who has infiltrated the victim’s network.
Agencies state that RansomHub affiliates usually attack internet systems and user endpoints. They do this by using phishing, password spraying (targeting compromised accounts from password breaches), and exploiting known vulnerabilities.
Once the group’s members access the network, they will encrypt data and leave a ransom note, but they usually don’t specify a ransom amount or payment details. Instead, victims receive a client ID and are told to contact the group through a .onion URL using the Tor browser. Researchers explain that victims are usually given 3-90 days to pay, or else their data will be published on the RansomHub Tor data leak site.
The group employs the elliptic curve encryption algorithm Curve 25519 for data encryption, utilizing intermittent encryption. The ransomware focuses on encrypting data and usually avoids encrypting executable files.
CISA’s advisory mentions IP addresses and email addresses as possible signs of compromise, many related to QakBot.
How to Respond to RansomHub Attacks:
If victims think they’ve been targeted by a RansomHub affiliate, the agencies recommend taking any affected hosts offline, reformatting them, and creating new account credentials. They should also keep an eye on their systems for any suspicious activity.
CISA and its partners recommend keeping separate backups of data, following NIST’s password policies, and testing security controls.
The FBI, CISA, MS-ISAC, and HHS issued the #StopRansomware joint Cybersecurity Advisory notes.
