The Rise and Sudden Silence of RansomHub

The ransomware ecosystem is characterized by rapid shifts in power. Following the significant disruption of LockBit and the dramatic exit scam of ALPHV/BlackCat in early 2024, RansomHub rapidly emerged to become the most prolific Ransomware-as-a-Service (RaaS) operation by late 2024 and early 2025.

The Rapid Ascent and Abrupt Fall

RansomHub announced its operations in February 2024 on the RAMP cybercriminal forum. Its timing was impeccable, capitalizing on the distrust sown by the ALPHV/BlackCat exit scam.

The Change Healthcare Catalyst

ALPHV/BlackCat infamously attacked Change Healthcare, leading to a reported $22 million ransom payment. The ALPHV operators allegedly stole the funds, failing to pay the affiliate "Notchy" who executed the attack. RansomHub seized this opportunity, offering a lucrative 90/10 revenue split favoring affiliates and allowing them to receive payments directly.

The Knight Ransomware Lineage

Security researchers widely agree that RansomHub is a rebranded version of Knight ransomware (formerly Cyclops). Significant code overlap confirms this lineage: written primarily in Go (Golang) with C++ for ESXi targeting, use of Gobfuscate for obfuscation, and the capability to restart endpoints in Safe Mode before encryption.

Tactics, Techniques, and Procedures

1. Initial Access

• Vulnerability Exploitation: CVE-2020-1472 (ZeroLogon), Citrix ADC, FortiOS, Apache ActiveMQ, Atlassian Confluence, F5 BIG-IP T1190
• SocGholish (FakeUpdates): Compromising legitimate websites to display fake browser updates that download malicious JavaScript loaders T1189
• Social Engineering: Including sophisticated voice phishing (vishing) to reset passwords or gain VPN access T1566
• Credential Abuse: Password spraying and compromised RDP/VPN accounts T1078

2. Execution and Persistence

• Living off the Land (LotL): Extensive use of PowerShell and WMI T1059.001
• Remote Management Tools: Atera, Splashtop, AnyDesk, ConnectWise for covert access T1219
• Account Creation: Creating or re-enabling local administrator accounts T1136

3. Defense Evasion

• EDRKillShifter and BYOVD: Loading legitimate but vulnerable signed drivers to gain kernel-level access and terminate security processes T1562.001
• STONESTOP and POORTRY: Associated with Scattered Spider for disabling security tools T1562.001
• Log Clearing: Using wevtutil.exe to clear Application, Security, and System event logs T1070.001

4. Discovery and Lateral Movement

• Scanning: AngryIPScanner, Nmap, NetScan, Advanced Port Scanner T1046
• Credential Dumping: Mimikatz for LSASS memory harvesting T1003.001
• Movement: RDP, PsExec, Cobalt Strike, and Metasploit T1021

5. Exfiltration and Impact

• Exfiltration: Rclone, WinSCP, PuTTY, or attacker-controlled Amazon S3 buckets T1567
• Encryption: Elliptic Curve (Curve25519) with intermittent encryption for speed T1486
• Recovery Inhibition: Deleting Volume Shadow Copies using vssadmin.exe or WMI T1490

Threat Hunting Guidance

Hunting for BYOVD and EDR Killers

• Monitor Driver Loads: Utilize EDR or Sysmon (Event ID 6) to monitor for known vulnerable signed drivers
• Service/Process Termination: Hunt for rapid termination of security-related processes
• Log Clearing: Treat execution of wevtutil cl [LogName] as a high-severity alert

Anomalous RMM Tool Usage

• Baseline RMM Activity: Understand which RMM tools are authorized in your environment
• Hunt for Anomalies: Installation from unusual directories (C:\Temp, C:\PerfLogs) or by non-administrative accounts

Recovery Inhibition Detection

• Monitor for: vssadmin.exe Delete Shadows /all /quiet
• Monitor for: wmic.exe Shadowcopy Delete