ESET researchers discover new ties between affiliates of RansomHub and of rival gangs Medusa, BianLian, and Play
Analysis Summary
# Threat Actor: RansomHub (RaaS Gang)
## Attribution & Identity
RansomHub is a newly emerged Ransomware-as-a-Service (RaaS) gang that rose to prominence in 2024, coinciding with the disruption of major groups like LockBit and BlackCat. Researchers found clear connections between RansomHub and the established gangs **Play**, **Medusa**, and **BianLian** through the tooling observed in use by RansomHub affiliates. The RaaS model involves **Operators** (the developers, who also maintain the dedicated leak site, or DLS) and **Affiliates** (who break into victims, exfiltrate data, and deploy the encryptor).
## Activity Summary
RansomHub officially announced its first victim on February 10, 2024. Since emerging, it has rapidly grown to dominate the ransomware scene: by the end of 2024 it had accumulated more victims since its launch than LockBit had over the same period. This growth is partially attributed to skilled affiliates migrating from the dismantled LockBit and BlackCat operations (e.g., "Notchy," the BlackCat affiliate linked to the Change Healthcare breach). RansomHub uses a distinctive ransom note that promises a decryption tool, deletion of stolen data, secrecy about the breach, and a free trial decryption of small files.
## Tactics, Techniques & Procedures
RansomHub affiliates leverage a variety of techniques, with specific TTPs identified across the related gangs:
- **Defense Evasion:** Development and use of a custom EDR killer called **EDRKillShifter**, which is specifically designed to search for and terminate security solution processes ([T1057] Process Discovery).
- **Lateral Movement:** Frequent use of **Remote Desktop Protocol (RDP)** ([T1021.001]) and **SMB/Windows Admin Shares** for remote encryption ([T1021.002]).
- **Collection (Associated with BianLian):** Focus on exfiltration by collecting data from local systems ([T1005]) and network shared drives ([T1039]).
- **Command and Control (Associated with Play):** Retrieving payloads via **HTTP** ([T1071]). SystemBC malware uses a custom network protocol ([T1132.002]). Use of Remote Monitoring and Management (RMM) tools such as **AnyDesk** and **MeshAgent** ([T1219]).
- **Exfiltration (Associated with BianLian):** Use of the tool **Rclone** to transfer exfiltrated data to cloud accounts ([T1537]), bypassing typical network detection.
- **Impact:** Data Encrypted for Impact ([T1486]), Data Destruction (potential destruction of backups) ([T1485]), and pressuring victims through Financial Theft ([T1657]).
## Targeting
- **Sectors:** Not explicitly detailed in the article; the scale and RaaS nature of the operation imply broad, opportunistic targeting across sectors.
- **Geography:** Not specified in the article; inferred to be global, as is typical of major RaaS operations.
- **Victims:** The article notes RansomHub rapidly increased its victim postings on its DLS; one publicly known example of a presumed migrating affiliate is the BlackCat affiliate responsible for the large-scale breach at **Change Healthcare**.
## Tools & Infrastructure
- **Malware Families Used:** RansomHub encryptor/payload, EDRKillShifter (custom EDR killer). Infrastructure/tooling linking to Play, Medusa, and BianLian affiliates is implied. Evidence of **SystemBC** usage noted.
- **Infrastructure (C2, domains, IPs):** No specific C2 domains or IP addresses are listed. Multiple RMM tools were observed for remote access: **AnyDesk** and **MeshAgent**. Affiliates use **Rclone** to push exfiltrated data to cloud storage accounts, and payloads are retrieved via **HTTP**.
## Implications
RansomHub represents a significant consolidation and continuation of threat activity following the law enforcement disruption of LockBit and BlackCat. Its rapid accumulation of victims suggests it has successfully absorbed high-skilled affiliates, presenting an immediate, dominant threat in the 2024 ransomware landscape. The development and deployment of custom EDR killing tools like EDRKillShifter indicate a sustained focus on highly evasive operations designed to bypass modern security controls.
## Mitigations
- Enhance detection and response capabilities with a focus on attempts to terminate or tamper with security-solution processes (the EDRKillShifter behaviour tagged [T1057] above).
- Monitor for lateral movement indicators utilizing RDP ([T1021.001]) and SMB ([T1021.002]) within the network environment.
- Implement strict controls and monitoring over the use of remote access tools (RMM) like AnyDesk and MeshAgent ([T1219]).
- Review data exfiltration pathways, specifically monitoring for unusual activity involving tools like Rclone transferring data to cloud storage services ([T1537]).
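The first, third, and fourth mitigations above can be turned into simple process-creation rules. The following is an added example written for this summary, not code from the ESET report: it scans constructed Sysmon-style events for kill utilities aimed at security processes, Rclone transfers to a cloud remote ([T1537]), and AnyDesk/MeshAgent launches ([T1219]). The process names, field names, and sample events are assumptions made for illustration.

```python
import re
import shlex
from typing import Dict, List

# Hypothetical watch-lists constructed for this example; tune them to the
# security products and tooling actually deployed in your environment.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
KILL_UTILITIES = {"taskkill.exe", "pskill.exe"}
RMM_BINARIES = {"anydesk.exe", "meshagent.exe"}
RCLONE_VERBS = {"copy", "sync", "move"}
# An rclone remote is "name:path"; 2+ chars before the colon excludes drive letters.
REMOTE_SPEC = re.compile(r"[A-Za-z0-9_-]{2,}:\S*")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the behaviour tags a single process-creation event matches."""
    # Matches on image name only; a renamed binary also needs OriginalFileName.
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    args = [a.lower() for a in shlex.split(event["CommandLine"], posix=False)]
    tags: List[str] = []
    # EDRKillShifter-style behaviour: a kill utility aimed at a security product.
    if image in KILL_UTILITIES and any(a in SECURITY_PROCESSES for a in args):
        tags.append("security-process-termination")
    # T1537: rclone moving local data to a configured cloud remote.
    if (image == "rclone.exe" and RCLONE_VERBS & set(args)
            and any(REMOTE_SPEC.fullmatch(a) for a in args)):
        tags.append("T1537-rclone-cloud-transfer")
    # T1219: remote access software the environment does not sanction.
    if image in RMM_BINARIES:
        tags.append("T1219-rmm-tool")
    return tags


def scan(events):
    """Return (timestamp, tags) for every event matching at least one rule."""
    hits = [(e["UtcTime"], classify(e)) for e in events]
    return [(ts, tags) for ts, tags in hits if tags]


# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-01 02:14:05", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"UtcTime": "2024-06-01 02:20:41", "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r'rclone.exe copy "D:\Finance Share" mega-remote:uploads --transfers 32'},
    {"UtcTime": "2024-06-01 02:31:19", "Image": r"C:\Users\svc\AppData\Local\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    {"UtcTime": "2024-06-01 02:35:02", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM notepad.exe"},
]
```

The last sample event shows the point of pairing the kill utility with the watch-list: `taskkill` against an ordinary process produces no alert, so the rule stays quiet on routine administration.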