Safety researchers analyzing the comparatively new RansomHub ransomware-as-a-service imagine that it has evoloved from the at the moment defunct Knight ransomware mission.
RansomHub has a brief historical past and operated primarily as a knowledge theft and extortion group that sells stolen information to the best bidder.
The gang grabbed consideration in mid-April when it leaked stolen information from United Well being subsidiary Change Healthcare following a BlackCat/ALPHV assault, suggesting some type of collaboration between the 2.
Extra lately, on Might 28, the worldwide public sale home Christie’s admitted it had suffered a safety incident after RansomHub threatened to leak stolen information.
Knight ransomware launched in late July 2023 as a re-brand of the Cyclops operation and began breaching Home windows, macOS, Linux/ESXi machines to steal information and demand a ransom.
One of many peculiarities of Knight was that it additionally supplied associates an info-stealer element that might make the assaults extra impactful.
In February 2024, the supply code for model 3.0 of Knight ransomware put up on the market on hacker boards, the victims extortion portal went offline, and the RaaS operation went silent.
RansomHub’s Knight origin
Malware analysts at Symantec, a part of Broadcom, discovered a number of similarities between the 2 ransomware households that time to a typical origin:
- Each ransomware households are written in Go and use Gobfuscate for obfuscation.
- There are intensive code overlaps within the two malware payloads.
- Each use a novel obfuscation approach the place vital strings are encoded with distinctive keys.
- The ransom notes utilized by the 2 ransomware households are comparable, with minor updates added on RansomHub.
- Each ransomware households restart endpoints in secure mode earlier than encryption.
- The command-line assist menus on the 2 households are an identical, with the one distinction being a ‘sleep’ command on RansomHub.
- The sequence and methodology of command execution operations are the identical, although RansomHub now executes them by way of cmd.exe.
The above means that RansomHub was doubtless derived from Knight, and confirms that the extortion group certainly makes use of a knowledge encryptor.
Additionally, the time RansomHub first appeared within the cybercrime area, in February 2024, matches the Knight supply code sale.
Based on the researchers, it’s unlikely that RansomHub is run by Knight ransomware creators. They imagine that one other actor bought the Knight supply code and began utilizing it in assaults.
Because it emerged, RansomHub has grown to turn into probably the most prolific RaaS operations, which Symantec attributes to the gang attracting former associates of the ALPHV operation, reminiscent of Notchy and Scattered Spider.