RansomHub Ransomware: Double-Extortion Attack and How to Defend
Attack Overview
The threat actor targeted a Cisco ASA firewall and compromised VPN users. The compromised accounts were then used to move laterally to servers, targeting file servers in particular. Data was (rather hastily) collected and exfiltrated via SFTP with FileZilla to a Russian IP address. The ransomware was then rolled out via SMB using a compromised domain administrator account: the attackers used PsExec to connect over SMB, and services.exe to create a service that started the ransomware.
Threat Actor
RansomHub is a ransomware group using the double-extortion model: it exfiltrates data and threatens to publish it, in addition to encrypting the data on-site. According to CISA and WatchGuard, the threat actor has been active since February 2024 and focuses on critical infrastructure. Since their first appearance they have listed more than 500 organizations on their leak page.
Defences
When a threat actor is detected in a network, a cat-and-mouse game begins in which the defenders attempt to increase the cost for the attacker. The goal is either to drive the attacker out of the systems or to force them to give up on their objectives because the cost has become too high. In this case the threat actor was unable to persist, as an Endpoint Detection and Response (EDR) tool was rolled out within hours to increase visibility and isolate the threat. Through coordinated partial isolation of non-critical systems and compromised users, we successfully locked the threat actor out of the network while keeping critical services online. Credential rotation proved to be an effective defensive measure. In parallel we increased the overall visibility in the network and brought in further security measures and tools for deeper threat hunting at scale.
The threat actor was able to use some anti-forensics techniques with the ransomware deployment, affecting Windows Event Logs in particular. Other logs were unaffected based on our investigation.
The attacker used living-off-the-land techniques, utilizing remote access solutions such as Atera and Splashtop. Blocklisting these two applications, in combination with credential rotation, prevented further logins by the threat actor.
Indicators of Compromise (IOCs)
The following lists show the Indicators of Compromise (IOCs), i.e. artifacts the attacker(s) left on compromised machines.
Host-Based IOCs
Type | IOC | Hash | Description | Severity (0-10; 0 = less severe; 10 = very severe) |
---|---|---|---|---|
Filepath | C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi | - | Abused legitimate software: Atera | 1 |
Filename | 123.bat | - | Script which deletes all log files via wevtutil.exe | 5 |
Filename | amd64.exe | SHA-256: 101B975A940991E82085F9CC763532BE3B234B6BAB97ACFED8331F4FF0494216 SHA-1: 4cde493288c142daa6e377c2ab0ace750cedcfe8 MD5: C193CBFBE78F2119398A888C0148ECF2 Imphash: F0EA7B7844BBC5BFA9BB32EFDCEA957C | Ransomware (installer) | 10 |
Filename-pattern | C:\[a-zA-Z]{6}.exe | - | Regex-path to the distributed ransomware (with random 6-character name). Gets created via C:\Windows\system32\services.exe Commandline execution: C:\[a-zA-Z]{6}.exe -only-local -pass [a-z0-9]{64} | 10 |
Filepath | C:\windows\amd64.exe | SHA-256: 101B975A940991E82085F9CC763532BE3B234B6BAB97ACFED8331F4FF0494216 SHA-1: 4cde493288c142daa6e377c2ab0ace750cedcfe8 MD5: C193CBFBE78F2119398A888C0148ECF2 Imphash: F0EA7B7844BBC5BFA9BB32EFDCEA957C | Commands executed to start the ransomware: amd64.exe -pass [a-z0-9]{64}; powershell.exe -Command PowerShell -Command "{ Get-VM | Stop-VM -Force }"; cmd.exe /c iisreset.exe /stop; powershell.exe -Command PowerShell -Command "\"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""; cmd.exe /c wevtutil cl security; cmd.exe /c wevtutil cl system; cmd.exe /c wevtutil cl application | 10 |
Filename | AteraAgent.exe | SHA-256: a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2 SHA-1: e9aa4e6c514ee951665a7cd6f0b4a4c49146241d MD5: 477293f80461713d51a98a24023d45e8 | Abused legitimate software: Atera | 1 |
Filepath | C:\Audit\Active Directory\ntds.dit | - | Dump location of Active Directory passwords | 7 |
Filepath | C:\Audit\registry\SECURITY | - | Dump location of Security Registry | 5 |
Filepath | C:\Audit\registry\SYSTEM | - | Dump location of System Registry | 5 |
Filepath | C:\temp\tftpd64.464\tftpd64.exe | SHA-256: 34de53b43c32e3ed5231a57683103acad1aebeef08309cf8e770c27acc90e4e7 SHA-1: ea34a6bad04bc5a1fcb494668347cd302557f327 MD5: 3c1e3215acc69f06f044802ed4695333 | Abused legitimate software (T)FTP-client from https://pjo2.github.io/tftpd64/ | 1 |
Filepath | C:\Users\[Username]\Downloads\amd64.exe | - | Alternative path for ransomware | 10 |
Filepath | C:\Users\[Username]\Downloads\net82\SoftPerfectNetworkScannerPortable.exe | - | Abused legitimate software: NetworkScanner | 1 |
Filepath | C:\Users\[Username]\Downloads\netscan.exe | - | Abused legitimate software: Netscan | 1 |
Filename | Def.bat | - | Batch script to disable Anti-Virus. Content: powershell Add-MpPreference -ExclusionPath C:\ ; powershell Set-MpPreference -DisableRealtimeMonitoring $true | 9 |
Filename | Defeat-Defender2.bat | - | Batch script to disable Anti-Virus. Content: powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) | 9 |
Filename | FileZilla_3.67.1_win64_sponsored2-setup.exe | - | Abused legitimate software: FileZilla | 1 |
Filename | lsass.DMP | - | Filename of LSASS dump (likely through mimikatz) | 7 |
Filename | lsass.zip | - | Filename of LSASS dump (likely through mimikatz) | 7 |
Filename | mimikatz.exe | SHA-256: 61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1 SHA-1: e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69 MD5: 29efd64dd3c7fe1e2b022b7ad73a1ba5 | Used attacker tool: Mimikatz | 10 |
Filepath | C:\Users\[Username]\Downloads\PsExec.exe | - | Abused legitimate software: PsExec | 1 |
Filepath | C:\Windows\PSEXESVC.exe | - | Abused legitimate software: PsExec | 1 |
Filename | SRAgent.exe | SHA-256: 2f7dcf7256d091c3ef9c68b63c6f2e87d5dbc0131aca402cf0f6052a8df610b0 SHA-1: 7d3481e4318c08c626ad22c25ca2a3a587343fe8 MD5: bc978e6240296fc134feac2360f5b688 | Abused legitimate software: Splashtop | 1 |
Filename-pattern | README_[a-z0-9]{6}.txt | - | RansomHub ransom note (some systems contained the ransom note even though the encryption failed) | 7 |
Table 2: Host-based Indicators of Compromise of RansomHub
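The command lines in the table above (ransomware launch with -pass, wevtutil log clearing, shadow copy removal, VM and IIS shutdown, Defender tampering, PSEXESVC) are more durable detection material than the file hashes. The following added example, which is not part of the original report, turns them into regex rules and runs them over constructed process-creation log lines; the log format, host names and the 64-character key are assumptions made for illustration.

```python
import re

# Behavioural rules derived from the host-based IOC table: (rule name, severity 0-10, regex).
PATTERNS = [
    ("ransomware_launch", 10,
     r"(?:[A-Za-z]:\\[a-zA-Z]{6}|\bamd64)\.exe\s+(?:-only-local\s+)?-pass\s+[a-z0-9]{64}\b"),
    ("eventlog_cleared", 9, r"\bwevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b"),
    ("shadowcopy_removed", 9, r"Win32_ShadowCopy\s*\|\s*Remove-CimInstance"),
    ("defender_realtime_off", 9, r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"),
    ("defender_exclusion_root", 9, r"Add-MpPreference\s+-ExclusionPath\s+[A-Za-z]:\\"),
    ("hyperv_vms_stopped", 8, r"Get-VM\s*\|\s*Stop-VM\s+-Force"),
    ("iis_stopped", 6, r"\biisreset(?:\.exe)?\s+/stop\b"),
    ("psexec_service", 5, r"\\PSEXESVC\.exe\b"),
]
COMPILED = [(name, sev, re.compile(rx, re.IGNORECASE)) for name, sev, rx in PATTERNS]

# Constructed log format (assumption): "<ts> host=<name> parent=<image> cmdline=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmdline=(?P<cmd>.*)$")

def scan_line(line):
    """Return one finding dict per rule the line's command line triggers."""
    m = LINE_RE.match(line)
    if not m:
        return []
    # The table notes the ransomware binary is created via services.exe (PsExec service);
    # record that parent so a launch via a service can be prioritised.
    via_services = m["parent"].lower().endswith("\\services.exe")
    return [{"host": m["host"], "rule": name, "severity": sev,
             "via_services": via_services, "cmdline": m["cmd"]}
            for name, sev, rx in COMPILED if rx.search(m["cmd"])]

def scan(lines):
    return [f for line in lines for f in scan_line(line)]

def max_severity(findings):
    return max((f["severity"] for f in findings), default=0)

KEY = "0123456789abcdef" * 4  # constructed 64-character value matching [a-z0-9]{64}
SAMPLE_LOG = [  # constructed lines mirroring the table's command sequence
    r"2024-09-01T02:10:05Z host=FS01 parent=C:\Windows\system32\services.exe cmdline=C:\Windows\PSEXESVC.exe",
    r"2024-09-01T02:11:42Z host=FS01 parent=C:\Windows\system32\services.exe cmdline=C:\qwertz.exe -only-local -pass " + KEY,
    r"2024-09-01T02:12:01Z host=FS01 parent=C:\qwertz.exe cmdline=cmd.exe /c wevtutil cl security",
    r'2024-09-01T02:12:03Z host=HV01 parent=C:\Windows\amd64.exe cmdline=powershell.exe -Command PowerShell -Command "\"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""',
    r'2024-09-01T02:12:04Z host=HV01 parent=C:\Windows\amd64.exe cmdline=powershell.exe -Command PowerShell -Command "{ Get-VM | Stop-VM -Force }"',
    r"2024-09-01T02:13:00Z host=WS07 parent=C:\Windows\explorer.exe cmdline=notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:>2}] {f['host']} {f['rule']} via_services={f['via_services']}: {f['cmdline']}")
```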
Network-based IOCs
Type | IOC | Description | Severity (0-10; 0 = less severe; 10 = very severe) |
---|---|---|---|
Hostname | DESKTOP-HB93HTQ | Hostname of the attacker's machine | 7 |
IP | 83.97.73.198 | Russian IP used for exfiltration with FileZilla, see https://whois.domaintools.com/83.97.73.198 | 10 |
IP | 152.67.73.250 | Connection via Splashtop (US; Oracle Public Cloud) | 5 |
IP | 172.202.80.17 | Connection of AteraWatchdog (US; Microsoft) | 2 |
IP | 18.66.112.49 | Connection via AteraAgent (Germany; Amazon) | 5 |
IP | 35.157.63.227 | Connection of AteraWatchdog (Germany; Amazon) | 2 |
IP | 35.157.63.228 | Connection of AteraWatchdog (Germany; Amazon) | 2 |
IP | 35.157.63.229 | Connection of AteraWatchdog (Germany; Amazon) | 2 |
IP | 89.168.24.63 | Connection via Splashtop (UK; Oracle) | 5 |
Table 3: Network-based Indicators of Compromise of RansomHub
The analysis of this ransomware case was a team effort. Special thanks go to Frieder Uhlig, Barbara Obermair, Michael Popovtschak, Chris Golitschek, Dominik Augustin, Ivan Boranijasevic, Lukas Gartner, Marek Jablonski, Volkan Teterra and Dr. Michael Denzel.