Original Article Text

RansomHub extortion gang linked to now-defunct Knight ransomware

Security researchers analyzing the relatively new RansomHub ransomware-as-a-service believe that it has evolved from the now-defunct Knight ransomware project.

RansomHub has a short history and has operated mainly as a data theft and extortion group that sells stolen files to the highest bidder. The gang grabbed attention in mid-April when it leaked stolen data from United Health subsidiary Change Healthcare following a BlackCat/ALPHV attack, suggesting some form of collaboration between the two. More recently, on May 28, the international auction house Christie's admitted it had suffered a security incident after RansomHub threatened to leak stolen data.

Knight ransomware launched in late July 2023 as a rebrand of the Cyclops operation and started breaching Windows, macOS, and Linux/ESXi machines to steal data and demand a ransom. One of the peculiarities of Knight was that it also offered affiliates an info-stealer component that could make the attacks more impactful. In February 2024, the source code for version 3.0 of Knight ransomware was put up for sale on hacker forums, the victims' extortion portal went offline, and the RaaS operation went silent.

RansomHub's Knight origin

Malware analysts at Symantec, part of Broadcom, found multiple similarities between the two ransomware families that point to a common origin: The above suggests that RansomHub was likely derived from Knight, and confirms that the extortion group indeed uses a data encryptor. Also, the time RansomHub first appeared in the cybercrime space, in February 2024, matches the Knight source code sale.

According to the researchers, it is unlikely that RansomHub is run by the Knight ransomware creators. They believe that another actor purchased the Knight source code and started using it in attacks.

Since it emerged, RansomHub has grown to become one of the most prolific RaaS operations, which Symantec attributes to the gang attracting former affiliates of the ALPHV operation, such as Notchy and Scattered Spider.

Daily Brief Summary

CYBERCRIME // RansomHub Emerges from Defunct Knight Ransomware's Ashes

RansomHub, a ransomware-as-a-service (RaaS), evolved from the defunct Knight ransomware, according to security analysts.

The gang is involved in data theft and extortion, selling stolen files to the highest bidder.

In April, RansomHub leaked data from United Health's Change Healthcare following an attack in collaboration with BlackCat/ALPHV.

Christie’s confirmed a security breach in May after RansomHub threatened to disclose its stolen data.

Knight ransomware, launched in July 2023 as a rebrand of Cyclops, was known for breaching various operating systems and included an info-stealer component.

The shutdown of Knight in early 2024 followed by the sale of its source code coincided with the emergence of RansomHub.

Symantec suggests RansomHub was not founded by Knight’s creators but possibly by another actor using the purchased source code.

RansomHub has quickly become a major player in the RaaS field, attracting affiliates from other notorious groups.