{"id":2726,"date":"2024-07-26T10:34:20","date_gmt":"2024-07-26T08:34:20","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2726"},"modified":"2025-10-24T10:26:28","modified_gmt":"2025-10-24T08:26:28","slug":"ransomhub","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/ransomhub\/","title":{"rendered":"RansomHub Ransomware – New Infection Chains Unveiled"},"content":{"rendered":"\n

From Lab52, we are very aware that in the fight against ransomware, we must not focus solely on the final artifact but must pay attention to every phase of deployment. Unfortunately, it will not always be possible to accurately identify the entire infection chain, as highlighted in the latest statistics by Coveware<\/a>. <\/p>\n\n\n\n

The objective of this post is to contribute to early detection by sharing relevant parts of the observed infection chain in two ransomHub cases. In a recent post of Unit42 (Paloalto)<\/a>, a new variant of this ransomware is mentioned. In our case, one of the samples (sample2.exe shown bellow) appears to be intermediate between the published version and previous versions of this ransomware.<\/p>\n\n\n\n

General characteristics<\/h1>\n\n\n\n

The hashes for both samples are provided in the following table. sample1.exe was analysed months ago, while sample2.exe has been seen in the field during june 2024. <\/p>\n\n\n\n

Name<\/th>Sha256<\/th><\/tr><\/thead>
sample1.exe<\/td>fb78afe826a14d4e0cc883fcdb6fe339e45a3fe728e575137b231aec6418a18f<\/td><\/tr>
sample2.exe<\/td>3dabecacc40e2904beba9372e95cf25cec8bb021c080f5d892fbf2eeb0e97006<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Command-line arguments<\/h2>\n\n\n\n

Both samples can be executed with options specified via the command line. However, sample1.exe includes, by default, the shutdown of virtual machines. This can be seen during its execution, and there is no option to avoid this behaviour.<\/p>\n\n\n\n

\"\"
Options for sample1.exe<\/figcaption><\/figure><\/div>\n\n\n\n

Sample2.exe includes this option, along with the “fast encryption mode”:<\/p>\n\n\n\n

\"\"
Options for sample2.exe<\/figcaption><\/figure><\/div>\n\n\n\n

Both samples require a password in order to execute<\/strong>. Moreover, both samples are protected to avoid the static analysis, using obfuscation methods.<\/p>\n\n\n\n

Obfuscation methods<\/h2>\n\n\n\n

RansomHub is developed in Go. It uses an open-source obfuscator called Garble<\/strong>, which hinders analysis in two ways. <\/p>\n\n\n\n

The first is by removing module names and replacing some with random character strings<\/strong>. To recover some module names, the GoReSym<\/a> tool can be used, with usage instructions available on its respective GitHub page.<\/p>\n\n\n\n

The second method is by obfuscating the executable strings<\/strong>. To decrypt them, the script described in the OALabs report<\/a> can be used. It is important to note that this script does not decrypt all the strings, as some functions are optimized, causing the pattern to stop working.<\/p>\n\n\n\n

Infection chain<\/h1>\n\n\n\n

The samples were deployed using different tactics. In case of sample1.exe, the actors behind the attack used tools such as Advanced Port Scanner and ScreenConnect between others, in order to discover devices to be infected.<\/p>\n\n\n\n

\"\"
Infection chain – sample1.exe<\/em><\/figcaption><\/figure><\/div>\n\n\n\n

During the deployment of sample2 the cybercriminals used obfuscated PowerShell scripts with execution delay. <\/p>\n\n\n\n

\"\"
Initial section of powershell<\/figcaption><\/figure><\/div>\n\n\n\n

The script can be successively deobfuscated until a dependent file is revealed, whose name change in different deployments.<\/p>\n\n\n\n

\"\"
Extract of payload used during the infection chain<\/figcaption><\/figure><\/div>\n\n\n\n

About RansomHub<\/h1>\n\n\n\n

RansomHub is a Ransomware-as-a-Service (RaaS) group emerged in 2024, although its code has been linked to the code of Knight ransomware (for sale on underground forums in February 2024), according to Symantec researchers<\/a>.<\/p>\n\n\n\n

This RaaS group made headlines after BlackCat affiliates, who had previously involved in the attack on Change Healthcare, targeted the organization again<\/a>, this time with RansomHub. Therefore, this group has been seen as an alternative to other groups whose popularity may have been negatively affected in recent months. <\/p>\n\n\n\n

During the month of June, RansomHub has been one of the ransomware groups with the most impact globally, according to public sources processed by Lab52. The next graph shows the approximate number of victims by month. <\/p>\n\n\n\n

\"\"
Ransiomware victims – Worldwide<\/figcaption><\/figure><\/div>\n\n\n\n

The impact of RansomHub in Latin America was documented in the latest ransomware report for Q1 2024 conducted by the Lab52 (S2 Grupo) team<\/a>. In this case, during the last quarter this group reaches the second position mong the groups with the greatest impact in the region.<\/p>\n\n\n\n

\"\"
Ransomware victims – Latin America <\/figcaption><\/figure><\/div>\n\n\n\n

Considering Europe, this group reaches during june the fourth position in June, and was the group with the highest number of known victims.<\/p>\n\n\n\n

\"\"
Ransomware victims – Europe<\/figcaption><\/figure><\/div>\n\n\n\n

Therefore, both globally and regionally, it is evident that the impact of this group has increased during the last quarter and could continue to rise. However, this will also depend largely on the deployment tactics employed by the actors behind the ransomware and the capabilities of the ransomware itself to facilitate achieving their goals.<\/p>\n\n\n\n

Tactics, Techniques and Procedures (TTP)<\/h1>\n\n\n\n
  • T1190 Exploit Public-Facing Application<\/li>
  • T1133 External Remote Services<\/li>
  • T1016 System Network Configuration Discovery<\/li>
  • T1082 System Information Discovery<\/li>
  • T1588.006 Vulnerabilities<\/li>
  • 1057 Process Discovery<\/li>
  • T1562.009 Safe Mode Boot<\/li>
  • T1562 Impair Defenses<\/li>
  • T1018 Remote System Discovery<\/li>
  • T1105 Ingress Tool Transfer<\/li>
  • T1562.001 Disable or Modify Tools<\/li>
  • T1219 Remote Access Software<\/li>
  • T1090 Proxy<\/li>
  • T1560.001 Archive via Utility<\/li>
  • T1041 Exfiltration Over C2 Channel<\/li>
  • T1587 Develop Capabilities<\/li>
  • T1587.001 Malware<\/li>
  • T1486 Data Encrypted for Impact<\/li>
  • T1657 Financial Theft<\/li><\/ul>\n\n\n\n

    Indicators of Compromise (IoC)<\/h1>\n\n\n\n

    Hashes<\/h2>\n\n\n\n
    Name<\/th>Sha256<\/th><\/tr><\/thead>
    sample1.exe<\/td>fb78afe826a14d4e0cc883fcdb6fe339e45a3fe728e575137b231aec6418a18f<\/td><\/tr>
    sample2.exe<\/td>3dabecacc40e2904beba9372e95cf25cec8bb021c080f5d892fbf2eeb0e97006<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

    From Lab52, we are very aware that in the fight against ransomware, we must not focus solely on the final artifact but must pay attention to every phase of deployment. Unfortunately, it will not always be possible to accurately identify the entire infection chain, as highlighted in the latest statistics by Coveware. The objective of […]<\/p>\n","protected":false},"author":31,"featured_media":2776,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[18,16],"tags":[81,32],"class_list":{"0":"post-2726","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyberattack","8":"category-ttp","9":"tag-ransomhub","10":"tag-ransomware","11":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/07\/ransomHub-2-509x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/07\/ransomHub-2.png","author_info":{"display_name":"10ba","author_link":"https:\/\/lab52.io\/blog\/author\/10ba\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2726"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2726"}],"version-history":[{"count":22,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2726\/revisions"}],"predecessor-version":[{"id":2781,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2726\/revisions\/2781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2776"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}