The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), has issued a critical advisory titled “#StopRansomware: RansomHub Ransomware.” This alert sheds light on the growing threat posed by the RansomHub group, a ransomware actor that has gained notoriety in recent months.
The advisory provides detailed insights into RansomHub’s operations, including Indicators of Compromise (IoCs), Tactics, Techniques, and Procedures (TTPs), and detection methods. This information is designed to help organizations proactively identify and mitigate attacks, potentially stopping them before significant damage occurs.
RansomHub’s origins trace back to its affiliation with the notorious ALPHV (BlackCat) group, responsible for a major breach at Change Healthcare. Despite initially working as an affiliate, RansomHub was left empty-handed when ALPHV’s operators absconded with the entire $22 million ransom payment. In a desperate move, RansomHub attempted to re-extort Change Healthcare, though it was unsuccessful.
Undeterred, RansomHub has since carved out a niche in the cybercriminal underground. The group has been linked to at least 210 successful breaches worldwide, including high-profile attacks on Christie’s auction house and the Rite Aid pharmacy chain. The attack on Christie’s, which took the auction house’s website offline just hours before a major event, showcased RansomHub’s capability and growing influence.
According to CISA, RansomHub is a Ransomware-as-a-Service (RaaS) variant, formerly known as Cyclops and Knight. Recently, the group has begun attracting affiliates from other prominent ransomware groups, such as LockBit and ALPHV, further expanding its reach.
CISA urges network defenders to carefully review the advisory and implement the recommended mitigations. The agency also calls on software manufacturers to prioritize security by design, emphasizing the importance of safeguarding customer data against these increasingly sophisticated threats.