
US agencies warn against ransomware group behind hundreds of attacks in recent months

More than 210 organizations have dealt with ransomware attacks launched by the RansomHub group since February, according to an advisory from several U.S. cybersecurity agencies. 

The FBI joined the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) in publishing an advisory on Thursday about RansomHub — which has gained prominence since hosting data stolen from UnitedHealth Group in April.

The advisory from U.S. agencies said the group has made a point of going after victims across several sectors including water, IT, healthcare, emergency services, agriculture, financial services, manufacturing, transportation, communications and government. 

RansomHub’s emergence coincided with the takedown of two of the most prolific groups currently operating — LockBit and AlphV. The agencies said RansomHub is now attracting what they consider “high-profile” affiliates from both groups. 

The attack on UnitedHealth Group — which involved information on nearly a third of all Americans, according to the company — was conducted by affiliates working for AlphV. When that group folded due to law enforcement action, the hackers turned to RansomHub, which offered the data for sale.

Since the UnitedHealth incident, the group has taken on a prominent role in the ransomware ecosystem, claiming credit for several high-profile attacks on telecom giant Frontier, Rite Aid, British auction house Christie’s, the city of Columbus, Ohio and one of the oldest credit unions in the U.S.

The advisory notes that RansomHub is a descendant of previous ransomware operations called Cyclops and Knight but has now “established itself as an efficient and successful service model.”

Recorded Future ransomware expert Allan Liska previously said the ransomware Knight was considered a lower-tier ransomware operation, noting that its predecessor has been around since 2015 but that a new version of it has been active since August 2023.

Last year there was some indication that more sophisticated cybercriminals had joined forces with those behind Knight.

3 to 90 days

The advisory’s findings are based on several incident response engagements conducted by CISA, the FBI and other cybersecurity officials within the federal government. 

As with most incidents, the agencies found that affiliates of the group encrypt systems and exfiltrate data before attempting to extort victims. Victims are typically not given any ransom demand and are instead given a link to communicate with the hackers. 

Depending on the affiliate, victims have between 3 and 90 days to pay a ransom before data is published. 

Victims are typically compromised through internet-facing systems, via phishing emails or vulnerabilities.

The advisory lists dozens of vulnerabilities U.S. agencies have seen RansomHub exploit, including bugs in products from Citrix, Fortinet, Apache, BIG-IP, Microsoft and Atlassian. Exploits for the vulnerabilities are typically bought or stolen.

RansomHub affiliates have also been seen using remote access software from AnyDesk.

All of the agencies behind the advisory urged victims to report incidents to the government. The advisory was released on the same day that CISA unveiled a new cyber incident reporting portal as part of a larger effort to improve the notification process. 

“Any organization experiencing a cyber attack or incident should report it – for its own benefit, and to help the broader community. CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident,” said CISA Executive Assistant Director for Cybersecurity Jeff Greene. 

“Sharing information allows us to work with our full breadth of partners so that the attackers can’t use the same techniques on other victims, and can provide insight into the scale of an adversary’s campaign.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.