
How to mitigate RansomHub: CISA releases IOCs, CVEs and TTPs of threat actor behind 210 CNI attacks

Ransomware-as-a-service variant formerly known as Cyclops and Knight has "established itself as an efficient and successful service model" and attracted "high-profile affiliates from other prominent variants".

RansomHub is a threat actor that has been extremely busy and aggressive since it first emerged in February 2024, targeting at least 210 critical national infrastructure (CNI) victims.

Now the FBI and CISA have teamed up to release RansomHub's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as mitigation details, which are available here.

RansomHub is a ransomware-as-a-service variant formerly known as Cyclops and Knight, which has "established itself as an efficient and successful service model" and attracted "high-profile affiliates from other prominent variants" including LockBit and ALPHV, the agencies warned in a joint advisory.

They said that the threat actor has targeted CNI sectors including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.

The affiliates deploy a double-extortion model in which systems are encrypted and data is exfiltrated, whereupon a ransom demand is issued. Victims are then given a client ID number and told to contact the ransomware actor via a dark web .onion URL that can be reached using the Tor browser.

They are typically given between three and 90 days to pay the ransom. If they refuse, their data is published on the dark web page.

"RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails, exploitation of known vulnerabilities, and password spraying," CISA wrote: "Password spraying targets accounts compromised through data breaches."
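Password spraying (many accounts, a few attempts each, from one source) looks different in authentication logs from brute force against a single account, and the distinction matters because the per-account lockout recommended later in the advisory catches only the latter. The following detector is an added example, not part of the CISA advisory or the article; the log line format and the sample lines are constructed for illustration, and the thresholds (five or more accounts in ten minutes, at most three failures per account) are assumptions a defender would tune to their own environment.

```python
"""Flag password-spraying patterns in authentication logs (added example).

A spray is many distinct accounts failing from one source inside a short
window, each with only a few attempts, so per-account lockouts never fire.
The line format and sample data below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, account, source address.
SAMPLE_LOG = """\
2024-08-29T10:00:01Z FAIL user=alice src=203.0.113.7
2024-08-29T10:00:03Z FAIL user=bob src=203.0.113.7
2024-08-29T10:00:05Z FAIL user=carol src=203.0.113.7
2024-08-29T10:00:07Z FAIL user=dave src=203.0.113.7
2024-08-29T10:00:09Z FAIL user=erin src=203.0.113.7
2024-08-29T10:00:11Z OK   user=frank src=203.0.113.7
2024-08-29T10:05:00Z FAIL user=alice src=198.51.100.9
2024-08-29T10:05:02Z FAIL user=alice src=198.51.100.9
2024-08-29T10:05:04Z FAIL user=alice src=198.51.100.9
2024-08-29T10:05:06Z FAIL user=alice src=198.51.100.9
2024-08-29T10:05:08Z FAIL user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return a list of (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Return {src: {"accounts": [...], "successes": [...]}} for spraying sources.

    A source qualifies when, within `window`, it fails against at least
    `min_accounts` distinct accounts with no account failing more than
    `max_per_account` times (the cap separates spraying from single-account
    brute force). "successes" lists accounts that then authenticated
    successfully from the same source, which is what needs immediate triage.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for e in burst:
                per_user[e[2]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                end = burst[-1][0]
                successes = sorted({e[2] for e in evs
                                    if e[1] == "OK" and start <= e[0] <= end + window})
                findings[src] = {"accounts": sorted(per_user), "successes": successes}
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"successful logins: {info['successes'] or 'none'}")
```

In the sample, 203.0.113.7 is reported (five accounts, one failure each, followed by a successful login as frank), while 198.51.100.9 is not: five failures against alice alone is the brute-force pattern that the lockout rule in the mitigation list handles.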

You can find the full IOCs here. The group is targeting the CVEs set out below:

  • CVE-2023-3519 (CWE-94): Citrix ADC (NetScaler) Remote Code Execution that "allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Exploitation results in remote code execution as root."
  • CVE-2023-27997: A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN. It "may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests."
  • CVE-2023-46604: A vulnerability in the Java OpenWire protocol marshaller, as used by Apache ActiveMQ, which "may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath." Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue.
  • CVE-2023-22515: A vulnerability in publicly accessible Confluence Data Center and Server instances that "allows the creation of unauthorised Confluence administrator accounts and access to Confluence instances". Atlassian Cloud sites are not affected by this vulnerability. "If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue," CISA wrote.
  • CVE-2023-46747: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2023-48788: An "improper neutralization of special elements" used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows attackers to "execute unauthorized code or commands via specially crafted packets."
  • CVE-2017-0144: A Windows SMB Remote Code Execution Vulnerability impacts the SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016. This vulnerability allows remote attackers to execute arbitrary code via crafted packets.
  • CVE-2020-1472: An elevation of privilege vulnerability in which attackers could establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
  • CVE-2020-0787: This vulnerability was "potentially exploited along with the Zerologon privilege escalation vulnerability."
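The first question a defender asks of a list like this is "which of my assets fall inside those version ranges?" The script below is an added example, not CISA's or the article's tooling: it encodes the affected ranges exactly as stated above for the four entries that give version boundaries (CVE-2023-27997 for FortiOS and FortiProxy, CVE-2023-46604 for Apache ActiveMQ, CVE-2023-48788 for FortiClientEMS) and runs a constructed inventory through them. Two assumptions are marked in the code: a version's "branch" is its first two components, and ActiveMQ branches older than the lowest listed fixed release (5.15.16) are treated as affected because no fix is listed for them.

```python
"""Match an asset inventory against the version ranges quoted in the advisory summary.

Added example; the inventory is constructed and the range boundaries are
transcribed from the CVE list above. Versions are compared as integer tuples,
and a version's branch is taken to be its first two components (assumption).
"""


def vparse(s):
    """'7.2.4' -> (7, 2, 4); tuple comparison gives natural version ordering."""
    return tuple(int(x) for x in s.split("."))


def fortios_affected(v):
    # CVE-2023-27997: 7.2.4 and below, 7.0.11 and below, 6.4.12 and below, 6.0.16 and below
    ceilings = {(7, 2): (7, 2, 4), (7, 0): (7, 0, 11), (6, 4): (6, 4, 12), (6, 0): (6, 0, 16)}
    c = ceilings.get(v[:2])
    return c is not None and v <= c


def fortiproxy_affected(v):
    # CVE-2023-27997: 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, all of 1.2 and 1.1
    if v[:2] in ((1, 2), (1, 1)):
        return True
    ceilings = {(7, 2): (7, 2, 3), (7, 0): (7, 0, 9), (2, 0): (2, 0, 12)}
    c = ceilings.get(v[:2])
    return c is not None and v <= c


def activemq_affected(v):
    # CVE-2023-46604: fixed in 5.15.16, 5.16.7, 5.17.6, 5.18.3 (brokers and clients)
    fixed = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
    f = fixed.get(v[:2])
    if f is None:
        # Assumption: branches older than 5.15 have no fix listed, so treat them
        # as affected; branches newer than 5.18 are treated as fixed.
        return v < (5, 15)
    return v < f


def forticlientems_affected(v):
    # CVE-2023-48788: 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10
    return (7, 2, 0) <= v <= (7, 2, 2) or (7, 0, 1) <= v <= (7, 0, 10)


RULES = {
    "FortiOS": ("CVE-2023-27997", fortios_affected),
    "FortiProxy": ("CVE-2023-27997", fortiproxy_affected),
    "Apache ActiveMQ": ("CVE-2023-46604", activemq_affected),
    "FortiClientEMS": ("CVE-2023-48788", forticlientems_affected),
}


def check_inventory(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, product, version, cve)."""
    findings = []
    for host, product, version in inventory:
        rule = RULES.get(product)
        if rule is None:
            continue  # product has no versioned entry in this advisory's list
        cve, predicate = rule
        if predicate(vparse(version)):
            findings.append((host, product, version, cve))
    return findings


# Constructed inventory: each pair sits just inside and just outside a boundary.
INVENTORY = [
    ("fw-edge-1", "FortiOS", "7.2.4"),
    ("fw-edge-2", "FortiOS", "7.2.5"),
    ("proxy-1", "FortiProxy", "1.2.13"),
    ("mq-1", "Apache ActiveMQ", "5.18.2"),
    ("mq-2", "Apache ActiveMQ", "5.18.3"),
    ("ems-1", "FortiClientEMS", "7.0.10"),
    ("ems-2", "FortiClientEMS", "7.0.11"),
    ("wiki-1", "Confluence", "8.0.0"),  # no version range given on the page; skipped
]

if __name__ == "__main__":
    for host, product, version, cve in check_inventory(INVENTORY):
        print(f"{host}: {product} {version} is in the affected range for {cve}")
```

The boundary pairs in the inventory are the useful part of the test: an off-by-one in "and below" versus "through" is exactly the kind of mistake that leaves one host unpatched, so each rule is exercised on both sides of its limit.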

The mitigation advice is fairly standard, including basics like setting a recovery plan, using MFA and keeping software up to date. The full list is reproduced below, unedited.

CISA's mitigation guidelines for RansomHub

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”; and
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Keep all operating systems, software, and firmware up to date [CPG 1.E]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Require Phishing-Resistant multifactor authentication to administrator accounts [CPG 2.H] and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems).
  • Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool [CPG 3.A]. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Implement Secure Logging Collection and Storage Practices [CPG 2.T]. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Implement and enforce email security policies [CPG 2.M].
  • Disable macros by default [CPG 2.N].
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Software Manufacturers

The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team):

  • Embed security into product architecture throughout the entire software development lifecycle (SDLC).
  • Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

For more information on secure by design, see CISA’s Secure by Design webpage.

Validate Security Controls

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 6–Table 17).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA, FBI, MS-ISAC, and HHS recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

CISA wrote: "The authoring organizations encourage network defenders to implement the recommendations... to reduce the likelihood and impact of ransomware incidents."
