Since its first appearance in February 2024 on the infamous "RAMP" hacking forum, RansomHub has rapidly gained notoriety for its aggressive tactics and high-profile targets.
RansomHub is believed to be an updated and rebranded version of the older Knight ransomware. The rebranding and evolution have made RansomHub a formidable force in the digital extortion industry.
RansomHub employs a variety of tactics to breach its targets. Initial access is usually achieved through software vulnerabilities, phishing or the reuse of credentials. Once inside a network, the ransomware encrypts files on the system, meaning they can no longer be accessed. This can cause significant disruption to the operation of a business, and this tactic is employed to apply more pressure to the victim of the attack.
After encrypting the files, the group keeps the decryption key to itself and releases it to the victim only if they agree to pay a ransom. This is RansomHub's main source of income, and it is what attracts affiliates to the platform in the first place. The group also employs a double-extortion strategy, threatening to release the stolen data to the public if the ransom is not paid. This data can include sensitive business information that can drive a company into bankruptcy, as well as personal data that undermines the safety of every individual who appears in the breach.
On the note of income, RaaS platforms have become known for maintaining sophisticated hierarchies and affiliate programs. The degree of professionalism observed within these criminal enterprises is enticing to would-be affiliates, who benefit from the software the ransomware operator provides, from the infrastructure for exfiltrating data, and from the handling of the ransom payment. These benefits and the income security, together with a better guarantee of anonymity and access to targets, make joining a platform more economically viable for a bad actor than 'flying solo'. This is how the platforms attract more capable hackers, who in turn pull off more challenging and more lucrative attacks.
Per the FBI, RansomHub has breached over 210 organizations to date, primarily targeting critical infrastructure sectors in the U.S., including healthcare, government, and financial services.
In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other agencies, has issued advisories detailing RansomHub’s tactics and providing guidance on mitigation. Organizations are urged to implement robust cybersecurity measures, including regular software updates, employee training on phishing, and maintaining offline backups of critical data.
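Beyond the preventive measures listed above, defenders also monitor for the behaviour described earlier: files rewritten so they can no longer be read. The following is an added example, not code from this article or from the CISA and FBI material it cites. It implements a generic host-side heuristic over constructed file-write telemetry: a process is flagged when, within a short window, it rewrites several files with near-random (high-entropy) content and renames them with an appended extension. The thresholds, file paths and the `.locked` extension are assumptions for illustration; the page lists no RansomHub-specific indicators, and the sample events are constructed, not captured.

```python
"""Heuristic detector for ransomware-style mass file encryption (added example).

Flags a process that, within a short window, rewrites many files with
high-entropy content and renames them with an appended extension.
Input is a constructed list of file-write events, not real telemetry.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileEvent:
    ts: float    # seconds since start of the capture (constructed)
    pid: int     # writing process
    path: str    # path after the write; may carry an appended extension
    data: bytes  # bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def appended_extension(path: str) -> Optional[str]:
    """Return the trailing extension when a name carries two, e.g. 'report.docx.locked' -> 'locked'."""
    name = path.rsplit("/", 1)[-1]
    parts = name.split(".")
    return parts[-1] if len(parts) >= 3 else None


def detect_mass_encryption(events: List[FileEvent], window: float = 60.0,
                           min_files: int = 5, entropy_threshold: float = 7.5) -> Dict[int, dict]:
    """Map pid -> alert for processes that wrote >= min_files high-entropy,
    extension-appended files inside any `window`-second span.
    Thresholds are assumed values for illustration."""
    suspicious = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_threshold and appended_extension(ev.path):
            suspicious[ev.pid].append(ev)

    alerts: Dict[int, dict] = {}
    for pid, evs in suspicious.items():
        start, best = 0, None
        for end in range(len(evs)):                  # sliding window over this pid's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= min_files and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            exts = Counter(appended_extension(e.path) for e in evs[start:end + 1])
            alerts[pid] = {"count": count, "extension": exts.most_common(1)[0][0],
                           "first_ts": evs[start].ts}
    return alerts


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: an office process, a backup job, a slow writer and a burst."""
    text = b"Quarterly figures and narrative for the board pack. " * 40
    events = []
    for i in range(6):  # benign: low-entropy document saves
        events.append(FileEvent(10.0 + i, 1200, f"/srv/share/finance/report{i}.docx", text))
    # benign: one compressed archive is high-entropy with a double extension, but a single file
    events.append(FileEvent(30.0, 1300, "/srv/backup/nightly.tar.gz", pseudo_random_bytes("backup", 2048)))
    for i in range(6):  # slow writer: suspicious files, but one every two minutes
        events.append(FileEvent(1000.0 + 120 * i, 7777, f"/srv/share/hr/file{i}.pdf.tmp",
                                pseudo_random_bytes(f"slow{i}", 2048)))
    for i in range(6):  # ransomware-like burst: six documents rewritten and renamed in five seconds
        events.append(FileEvent(100.0 + i, 4242, f"/srv/share/legal/contract{i}.docx.locked",
                                pseudo_random_bytes(f"enc{i}", 2048)))
    return events


if __name__ == "__main__":
    for pid, alert in detect_mass_encryption(build_sample_events()).items():
        print(f"pid {pid}: {alert['count']} high-entropy '.{alert['extension']}' "
              f"files from t={alert['first_ts']:.0f}s")
```

The backup job and the slow writer show why the heuristic combines three signals (entropy, renaming, rate) rather than one: a compressor produces ciphertext-like output and a legitimate tool may use double extensions, but neither does so for many files within a minute.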
Here is a run-down of the mitigations recommended by CISA, whose advisory addresses several key parties, including network defenders and software manufacturers.
To network defenders and security professionals:
To software developers:
Stay alert
RansomHub’s rapid ascension in the ransomware industry underscores the importance of vigilance and proactive cybersecurity measures. As cyber threats continue to evolve, staying informed and prepared is crucial for organizations to protect themselves against threats such as ransomware.
https://go.intel471.com/hubfs/Emerging%20Threats/RansomHub%20Ransomware%20-%20Emerging%20Threat.pdf
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.