RansomHub ransomware: a new threat in the cybercrime landscape


Cybersecurity researchers at Lab52 have highlighted the rise of the RansomHub ransomware gang, which employs a mix of old and new tactics to breach systems. Using tools like Advanced Port Scanner and hidden PowerShell scripts, this adaptable group obscures its ransomware to evade detection and analysis. Lab52’s recent analysis links RansomHub to the Knight ransomware, indicating a broader network of cybercriminals.

Two samples of RansomHub ransomware were examined, each with distinct characteristics. The first sample, Sample1.exe, is known for shutting down virtual machines, a behaviour that cannot be disabled. The second sample, Sample2.exe, observed in June 2024, adds flexibility with options for virtual machine shutdown and a “fast encryption mode.”

Both samples require a password for execution and employ sophisticated obfuscation using the open-source obfuscator Garble, which complicates static analysis. While tools like GoReSym and decryption scripts from OALabs can help recover some of the obfuscated data, optimized functions resist full decryption.

Deployment tactics differ between samples. Sample1.exe used tools like Advanced Port Scanner and ScreenConnect to identify devices for infection. Sample2.exe employed obfuscated PowerShell scripts with execution delays, complicating detection and analysis.
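The second sample's use of obfuscated PowerShell with execution delays is the kind of behaviour that PowerShell script-block logging (event 4104) can surface. The following triage script is an added example and is not code from Lab52 or from the report described above; the log entries it scans are constructed for illustration, not RansomHub's actual scripts, and the indicator patterns (sleep calls, `-EncodedCommand`, `Invoke-Expression`, string concatenation) are generic assumptions about obfuscated launchers rather than anything the article attributes to this group.

```python
import base64
import binascii
import re

# Constructed sample script-block log entries, imitating the ScriptBlockText field of
# PowerShell event 4104. They are not taken from any real incident.
SAMPLE_SCRIPT_BLOCKS = [
    # benign administrative one-liner
    "Get-Service | Where-Object {$_.Status -eq 'Running'}",
    # delayed launch of a base64 (UTF-16LE) encoded command
    "Start-Sleep -Seconds 600; powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode(),
    # sleep loop followed by string-concatenation obfuscation fed to IEX
    "$d=3600; while($d -gt 0){Start-Sleep 60; $d-=60}; IEX ('Wri'+'te-Out'+'put 1')",
]

# Assumed generic indicators; each is a heuristic, not a RansomHub-specific signature.
INDICATORS = {
    "delay": re.compile(r"Start-Sleep|\[System\.Threading\.Thread\]::Sleep", re.I),
    # capture group 1 holds the base64 payload so it can be decoded below
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I
    ),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "string_concat": re.compile(r"'[^']*'\s*\+\s*'"),
}


def decode_encoded_command(block: str):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    match = INDICATORS["encoded_command"].search(block)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        # malformed or non-text payload: report that an encoded command exists but not its content
        return None


def analyze_block(block: str) -> dict:
    """Match every indicator against one script block and decide whether it merits review.

    A block is flagged when a delay is combined with either an encoded command or
    Invoke-Expression, which is the "sleep, then unpack and run" shape the article describes.
    """
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(block)]
    suspicious = "delay" in hits and (
        "encoded_command" in hits or "invoke_expression" in hits
    )
    return {
        "indicators": hits,
        "decoded": decode_encoded_command(block),
        "suspicious": suspicious,
    }


def triage(blocks) -> list:
    """Return (index, analysis) pairs for every block that should be reviewed by an analyst."""
    results = []
    for index, block in enumerate(blocks):
        analysis = analyze_block(block)
        if analysis["suspicious"]:
            results.append((index, analysis))
    return results


if __name__ == "__main__":
    for index, analysis in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: indicators={analysis['indicators']}")
        if analysis["decoded"] is not None:
            print(f"  decoded payload: {analysis['decoded']!r}")
```

Decoding the `-EncodedCommand` payload matters because the base64 text itself tells an analyst nothing; the decoded UTF-16LE string is what should be matched against further rules or handed to a sandbox. The delay check alone is deliberately not enough to flag a block, since legitimate scripts sleep too; it is the combination with an unpack-and-execute primitive that earns review.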

Emerging in 2024 as a Ransomware-as-a-Service (RaaS) group, RansomHub’s code is linked to Knight ransomware, known on underground forums. Gaining notoriety after BlackCat affiliates used RansomHub in a second attack on Change Healthcare, this group has become a significant alternative to declining ransomware groups.

In June, RansomHub was one of the most impactful ransomware groups globally, with a notable increase in victims. Its influence has been particularly strong in Latin America and Europe, where it ranked high among ransomware groups and recorded the highest number of known victims in June.
