The Rise of RansomHub: Uncovering a New Ransomware-as-a-Service Operation

RansomHub has claimed five victims since February and published the data of one. But who is this new gang and how does it operate?

On February 25, 2024, time ran out for RansomHub’s first victim: Brazilian accounting and management company YKP. It was the first time the ransomware gang was observed and four more victims have since followed.

What’s more, unlike the recently debunked Mogilevich ransomware scam operation, RansomHub is publishing samples of the data its affiliates have exfiltrated and, in one case, has even begun publishing entire tranches of data.

RansomHub seems to be the real deal, so let’s see what we can learn about them.

RansomHub

The RansomHub darknet site features an index page listing all of its victims, as well as About and Contact pages.

According to the gang’s About page, RansomHub is a team of hackers from around the world, motivated by one thing: making money. There’s nothing too radical there, but the gang says it doesn’t allow attacks on certain targets.

“We do not allow the CIS, Cuba, North Korea and China to be attacked,” the gang’s site said.

It also lists some general rules that RansomHub follows, as well as rules for its affiliates. RansomHub is a ransomware-as-a-service operation and has strict rules. It does not allow nonprofit organizations to be attacked, nor does it allow “new attacks” – follow-up attacks on victims who have already paid.

The group also has a list of guidelines on the rights of its victims, especially as it relates to the behavior of its members.

“Affiliates must comply with agreements reached during negotiations and requirements,” RansomHub stated, “if they don’t, please contact us, we will ban them and never work with them again.”

RansomHub also promises to send victims a free decryptor if the affiliate does not provide one after receiving payment or if an organization that is out of its reach is attacked. Whatever ransomware the gang is using is clearly capable of encrypting data before it is leaked.

The gang’s contact page includes a contact ID for the Tox messaging app, as well as advice on how to make initial contact.

“If you have questions about decryption, write only in the site chat, if the person who encrypted your network does not respond to you for more than two days or if you have any other problems, you can contact me,” said the RansomHub spokesperson, suggesting that English is not the gang’s first language.

This also suggests that RansomHub offers its affiliates wide freedom in how they operate, as long as they do not violate the aforementioned rules.

Criminal affiliations

When it comes to posting victims on the leak site, it appears that the affiliates themselves do the posting. The way victims are listed differs in the way evidence for each attack is provided and in the language used. In some cases, a link to a hosting service is provided to share hacking proof documents, while in others, screenshots are included in the leak post itself.

Of the five victims currently listed on the RansomHub site, one has had its data published, while another victim’s data was simply sold. The post doesn’t say to whom, but it’s clear that the particular affiliate is taking RansomHub’s rules seriously.

“The data has all been sold,” reads a post about the data belonging to a Romanian pharmacy. “Please note that we strictly follow RansomHub rules. The data has been completely sold and is no longer being sold a second time.”

Looking at the wording and structure of the five leaked posts published so far, it appears that four different affiliates are currently working with RansomHub.

“We stole a lot of sensitive data and if you don’t contact us within a specific time period, we will disclose 30 percent and again 50 percent in a few months,” one affiliate wrote in two of the leak posts still active.

“One of the largest companies in Vietnam was attacked by our group,” said what appears to be another affiliate in the third active post. “More than two Terabytes of data were stolen from the company’s servers, mostly due to negligence in network security and data storage.”

“You have three days to contact us and resolve this unfortunate error that left your IT department deciding what to do next.”

What’s interesting about the RansomHub leak site is that it doesn’t include any details on how a potential affiliate can approach the gang. The contact details provided appear to be only for victims who disagree with how they are treated by a given affiliate. RansomHub is likely advertising its services elsewhere, most likely on a Russian-language hacking forum.

So far, that’s all we know. However, what we can say is that RansomHub seems to be quite technically competent and prefers to stay away from communist economies.

And they are in it to make money.
