ransomhub

842 tracked victims

·first seen 2023-03-09·last activity 2025-03-31

Group profile

The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of their attacks, resulting from extortion through encryption and data leaks. The announcement of the sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was published on one of the Russian-origin forums used by cybercrime to advertise malicious services, known as RAMP4U (or RAMP). A user with the nickname and persona of 'koley' announced the affiliate program on February 2, 2024. In the new RaaS announcement, it was mentioned that the money laundering operation of the paid ransoms is the responsibility of the affiliate. This means that all communication and sending of the decryptor to the victim are done through chat. The split of this RaaS would be 90% of the value for the affiliate and 10% for the developer, who in this case would be the persona of Koley. Furthermore, according to the publication, the ransomware payload is written in Golang language, uses the asymmetric algorithm based on x25519, and encryption algorithms AES256, ChaCha20, and xChaCha20, standing out for its speed. The encryption is obfuscated using AST. The payload would support network propagation and encryption of data both in secure and local mode. According to Koley, the ransomware is designed to operate on platforms such as Windows, Linux, and ESXi, as well as other architectures such as ARM and MIPS. As pointed out by the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, automatically respond when offline, and create private blog pages. Source: https://github.com/crocodyli/ThreatActors-TTPs

MITRE ATT&CK TTPs

TA0001

Initial Access

T1078Valid Accounts
T1078.003Valid Accounts: Local Accounts
T1190Exploit Public-Facing Application
T1566.001Phishing: Spearphishing Attachment
T1566.004Phishing: Spearphishing Voice

TA0002

Execution

T1047Windows Management Instrumentation
The ransomware deletes shadow copies using the WMIC.exe utility.
T1059Command and Scripting Interpreter
T1059.001Command and Scripting Interpreter: PowerShell
T1059.003Command and Scripting Interpreter: Windows Command Shell
The ransomware utilizes cmd.exe to execute various Windows utilities to implement various other techniques.
T1059.006Command and Scripting Interpreter: Python
T1203Exploitation for Client Execution

TA0003

Persistence

T1098Account Manipulation
T1133External Remote Services
T1136Create Account
T1136.001Create Account: Local Account
T1136.002Create Account: Domain Account
T1547Boot or Logon Autostart Execution
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.004Boot or Logon Autostart Execution: Winlogon Helper DLL

TA0004

Privilege Escalation

T1068Exploitation for Privilege Escalation
T1548.002Abuse Elevation Control Mechanism: Bypass UAC

TA0005

Defense Evasion

T1027Obfuscated Files or Information
T1027.009Obfuscated Files or Information: Embedded Payloads
T1027.013Obfuscated Files or Information: Encrypted/Encoded File
T1036Masquerading
T1055.012Process Injection: Process Hollowing
T1070Indicator Removal
T1070.001Indicator Removal: Clear Windows Event Logs
The ransomware clears the victim machine's application, system, and security event logs using the wevtutil.exe utility.
T1112Modify Registry
T1134Access Token Manipulation
T1134.001Access Token Manipulation: Token Impersonation/Theft
T1222.001File and Directory Permissions Modification: Windows Permissions
T1480Execution Guardrails
T1484.001Domain or Tenant Policy Modification: Group Policy Modification
T1562Impair Defenses: Disable or Modify Tools
Threat actors use files such as: STONESTOP and POORTRY to load drivers for the purpose of disabling and deleting AV files.
T1562.001Impair Defenses: Disable or Modify Tools
T1564Hidden Artifacts
T1564.003Hidden Artifacts: Hidden Window
T1620Reflective DLL Injection

TA0006

Credential Access

T1003OS Credential Dumping
T1003.001OS Credential Dumping: LSASS Memory
T1003.003OS Credential Dumping: NTDS
T1003.008OS Credential Dumping: /etc/passwd and /etc/shadow
T1110Brute Force
T1110.003Brute Force: Password Spraying
T1555.005Credentials from Password Stores: Password Managers

TA0007

Discovery

T1007System Service Discovery
T1016.001Internet Connection Discovery
T1018Remote System Discovery
T1033System Owner/User Discovery
T1046Network Service Discovery
T1057Process Discovery
T1082System Information Discovery
T1083File and Directory Discovery
T1087Account Discovery
T1087.001Account Discovery: Local Account
T1087.002Account Discovery: Domain Account
T1120Peripheral Device Discovery
T1135Network Share Discovery
T1482Domain Trust Discovery

TA0008

Lateral Movement

T1021Remote Services
T1021.001Remote Services: Remote Desktop Protocol
T1021.002Remote Services: SMB/Windows Admin Shares
T1021.004Remote Services: SSH
T1210Exploitation of Remote Services
T1570Lateral Tool Transfer
Affiliates were identified using: psexec.exe, PsExec.exe, and smbexec.exe for lateral movement.

TA0009

Collection

T1005Data from Local System

TA0010

Exfiltration

T1048Exfiltration Over Alternative Protocol
T1048.002Exfiltration Over Alternative Protocol: Asymmetric Encrypted Non-C2 Protocol
T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
T1537Transfer Data to Cloud Account
T1567Exfiltration Over Web Service
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

TA0011

Command and Control

T1071.001Application Layer Protocol: Web Protocols
T1102.002Web Service: Bidirectional Communication
T1219Remote Access Tools

TA0040

Impact

T1486Data Encrypted for Impact
Files are encrypted using file replacement method.
T1489Service Stop
The Windows IIS service stop command is executed using iisreset.exe. Allows for encryption of web applications hosted on IIS servers as files linked to these applications are typically locked while IIS is running.
T1490Inhibit System Recovery
The ransomware deletes system shadow copies to inhibit system recovery.
T1529System Shutdown/Reboot
T1531Account Access Removal
T1561.001Disk Wipe: Disk Content Wipe

TA0042

Resource Development

T1586Compromise Accounts

Recent victims

showing 50 of 842

Date	Website / victim	Sector	Country
2025-03-30	intellioan.comintellioan.com	Not Found	US
2025-03-31	jackpotjunction.comjackpotjunction.com	Hospitality and Tourism	US
2025-03-27	europtec.comeuroptec.com	Technology	DE
2025-03-30	delta-life.comdelta-life.com	Healthcare	DE
2025-02-17	www.assisi.nlassisi.nl	Healthcare	NL
2025-03-28	phaus.us&phakr.com&phabodysystems.comphaus.us	Not Found	US
2025-03-27	www.bassi.itbassi.it	Technology	IT
2025-03-26	www.allmilmoe.comallmilmoe.com	Manufacturing	DE
2025-03-26	brattenelectrictn.combrattenelectrictn.com	Manufacturing	US
2025-03-25	www.hongthongrice.comhongthongrice.com	Agriculture and Food Production	TH
2025-03-26	www.fkm-elemente.defkm-elemente.de	Manufacturing	DE
2025-03-26	conterra.comconterra.com	Technology	DE
2025-03-14	www.DSelectrical.comDSelectrical.com	Construction	US
2025-03-12	www.carolinaac.comcarolinaac.com	Consumer Services	US
2025-03-08	www.garbinc.comgarbinc.com	Manufacturing	US
2025-03-08	www.mododoc.commododoc.com	Consumer Services	US
2025-03-07	www.argentosc.comargentosc.com	Not Found	AR
2025-03-10	www.ripplejunction.comripplejunction.com	Consumer Services	US
2025-03-12	www.creativelogisticservices.comcreativelogisticservices.com	Transportation/Logistics	US
2025-03-25	www.afnigc.caafnigc.ca	Public Sector	CA
2025-03-18	www.cormidom.com.docormidom.com.do	Manufacturing	DO
2025-03-08	www.lions-online.orglions-online.org	Not Found	DE
2025-03-24	www.solidworld.itsolidworld.it	Technology	IT
2025-02-17	www.s3s.coms3s.com	Not Found	US
2025-03-24	www.rivaldt.comrivaldt.com	Technology	BR
2025-03-24	OMLTD.CO.JPOMLTD.CO.JP	Not Found	JP
2025-03-24	technicare.comtechnicare.com	Technology	US
2025-03-24	cisd.orgcisd.org	Education	US
2025-03-24	mnm.humnm.hu	Technology	HU
2025-03-24	texascompressionservices.comtexascompressionservices.com	Manufacturing	US
2025-02-28	www.exemplar.comexemplar.com	Not Found	IT
2025-03-03	www.solventacentroamerica.comsolventacentroamerica.com	Manufacturing	GT
2025-03-20	gbsn.com.brgbsn.com.br	Technology	BR
2025-03-21	www.scpautomation.comscpautomation.com	Manufacturing	CA
2025-03-21	www.gestionquintessence.comgestionquintessence.com	Financial Services	CA
2025-03-21	www.engines.man.euengines.man.eu	Manufacturing	EU
2025-03-21	www.abmenviro.caabmenviro.ca	Manufacturing	CA
2025-02-28	www.accessfinanceonline.comaccessfinanceonline.com	Financial Services	US
2025-03-21	www.ahmadiyya.caahmadiyya.ca	Not Found	CA
2025-03-21	www.elizajennings.orgelizajennings.org	Healthcare	US
2025-03-21	www.sinkdirect.comsinkdirect.com	Consumer Services	US
2025-03-06	www.broadmoormethodist.orgbroadmoormethodist.org	Education	US
2025-03-13	www.parklandmanufacturing.comparklandmanufacturing.com	Manufacturing
2025-03-15	www.solinst.comsolinst.com	Manufacturing	CA
2025-03-21	www.allstarhealthcaresolutions.comallstarhealthcaresolutions.com	Healthcare	US
2025-03-07	www.njcalwe.comnjcalwe.com	Not Found
2025-03-09	www.gcsnet.comgcsnet.com	Technology
2025-03-21	www.core-1.comcore-1.com	Technology
2025-03-06	www.esquirebrands.comesquirebrands.com	Consumer Services	US
2025-03-21	www.avalonapparel.comavalonapparel.com	Manufacturing	US