Check Point’s latest Threat Index has shown cyber threat group RansomHub to be one of today’s most prevalent ransomware groups – brutally efficient due to their Ransomware as a Service (RaaS) model. A cross-strain of pre-existing ransomware and a singular financial ethos have allowed this group to steal the personal information of millions of Americans.
RansomHub was born in the throes of the record-breaking Change Healthcare attack in early 2024.
When Change Healthcare was attacked, its healthcare data was stolen by the ransomware affiliate, and its systems were scrambled by ALPHV’s own in-house strain of ransomware.
Under ALPHV’s terms and conditions, the affiliate was supposed to earn a majority of the $22 million payout, with ALPHV being given a cut. This time, however, the ransomware owners broke into the affiliate’s wallet and stole the entire payout. They then plastered a fake FBI takedown notice on their website to confuse onlookers.
Researchers now believe they conducted an exit scam, cutting off the swathes of affiliates who had otherwise been using their service.
While the criminal’s eye-watering payout had been stolen by their own ransomware provider, the affiliate still had one thing: terabytes of victim health data.
In the same month, a long-running global effort reached a fiery conclusion, bringing once-reigning affiliate group LockBit to its knees. The trickle of cybercriminals abandoned by ALPHV rapidly grew into a flood of newly-solo opportunists.
In April 2024, the original Change Healthcare affiliate resurfaced with a bang – first setting up their own extortion company dubbed RansomHub – before immediately extorting Change Healthcare’s parent company, UnitedHealth, with the data they’d stolen in the initial ALPHV attack. The result was masses of black market attention, and a financial boon from the popular ransom notes.
Publishing a portion of the stolen files, RansomHub made its operational motto clear: “Our team members are… interested [only] in dollars.”
RansomHub, like its recent predecessors, relies on double extortion – where an affiliate gains initial access, steals as much sensitive data as possible, and then unleashes a ransomware payload on their way out. The victim is left to handle the double-pronged nightmare of not just descrambling its systems to return employee and customer access, but also the moral dilemma of paying criminals to stop sensitive data from being published.
This extortion method can be pushed even further in the case of healthcare breaches, as enterprises’ customers can be forced to pay up, or face their personal health information being published.
With affiliates drawn to RansomHub’s singular focus on financial gain, the decisive factor is how its for-hire ransomware actually works. RansomHub’s software combines a few features from older ransomware strains, such as Knight’s ability to shut down a device’s security features by restarting it in safe mode just before encryption.
It shares a programming language with Snatch, too, but with a few differences such as configurable commands and heavier code obfuscation.
Ransomware prevention almost always comes down to adequate cyber hygiene – so, let’s home in on 3 strategies to keep RansomHub affiliates at bay.
In the ransomware attack that started it all, the one that targeted Change Healthcare in 2021, a post-forensic examination discovered that the affiliate in question had gained access via one user’s account; the password had been reused and at some point leaked, leading to a cascade of illicit access and data theft.
With Change Healthcare handling 40% of all US customers’ health payment processes – and only now beginning to send out notices of personal data theft to affected customers – the financial repercussions have only just begun.
The attack perfectly encapsulates how it’s often far faster and easier to simply use stolen credentials. Infostealers have already filled this niche in the cybercriminal market, making it even quicker to source valid credentials.
Preventing the misuse of stolen credentials is one of the infrastructurally easiest cybersecurity changes to bring about, especially if your enterprise already relies on an Identity and Access Management (IAM) solution like Ping, Microsoft, or Okta.
Multi-Factor Authentication (MFA) requires a user to confirm their login attempt via another piece of information – and cuts off account hijackers’ avenue of attack.
But stolen access credentials aren’t the only way RansomHub affiliates operate: researchers recently discovered that RansomHub criminals have also been gaining access via the Microsoft ZeroLogon flaw, before deploying legitimate remote access and network scanning tools.
It’s this process that allowed them to conduct an attack on Christie’s auction house – and led to them, ironically, auctioning off Christie’s personal data to the highest bidder.
By implementing regular patches and keeping all pieces of software up to date, you help prevent malicious access via known flaws in the software you run. To achieve this, look into the severity of every published software flaw; this helps you prioritize which should be patched first.
Even better are automated updates, which stop flaws from being exploited before your team gets around to fixing them.
Patelco Credit Union is one of RansomHub’s most recently-published victims – RansomHub’s extortion portal detailed how the credit union’s management “doesn’t care about the privacy” of its customers “at all”. Given their MO of intensely endpoint-heavy attacks, followed by lateral movement toward PII-heavy databases, endpoint segmentation has a great deal of RansomHub-stopping potential.
To implement network segmentation, network teams should begin by developing security policies tailored to each type of data and asset that requires protection. These policies should specify each resource, the users and systems that access it, and the level of access that should be granted.
The next step involves implementing allowlist access controls, which greatly enhance network security.
For this to be effective, teams must map out the application data flows for each application. Although this process can be time-consuming, the investment is justified when weighed against the potential costs of a cybersecurity breach – and is far easier than trying to remove ransomware.
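As an added illustration of the allowlist approach described above (example code written for this page, not Check Point's or any product's own), the following models a default-deny segmentation policy built from mapped application data flows and audits a constructed flow log against it. The zone names, IP ranges, ports and flow records are all constructed assumptions: a workstation reaching the web application is an expected flow, while a workstation connecting straight to the PII database is the lateral movement the policy exists to block.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: each asset type from the security policy gets its own segment.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "app-servers": ip_network("10.20.0.0/24"),
    "pii-db": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int


# Allowlist derived from the mapped application data flows (constructed sample).
# Anything not listed here is denied, which is the point of an allowlist.
ALLOWED = {
    Rule("workstations", "app-servers", 443),  # users -> web application
    Rule("app-servers", "pii-db", 5432),       # application -> PII database
}


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it is unmapped."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: unknown hosts and unmapped flows are refused."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    return Rule(src, dst, port) in ALLOWED


def audit(flows):
    """Return the flows in a log that the policy would block (for review)."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed flow log: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),   # expected user -> app traffic
    ("10.20.0.5", "10.30.0.9", 5432),  # expected app -> database traffic
    ("10.10.4.7", "10.30.0.9", 5432),  # workstation straight to PII database
    ("10.10.4.7", "10.10.9.2", 445),   # workstation-to-workstation SMB
]
```

Run `audit(SAMPLE_FLOWS)` against real flow logs before enforcing the policy: the list it returns is exactly the set of connections that would break, so it doubles as the review step for the data-flow map.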
Rather than spending hundreds of man hours on fixing up your security posture, take massive strides toward complete ransomware protection with Check Point Harmony.
Its multi-faceted approach secures email, endpoints, software, and databases with a suite of high-fidelity protection. Natural Language Processing abilities identify when fraudulent emails are sent, while just-in-time file analysis prevents malicious downloads.
Automate vulnerability and patch management and safeguard databases with industry-leading Data Loss Prevention. Finally, put all of this behind a single pane of glass, via an easily-readable dashboard. Start your RansomHub defense campaign with a demo today.