#StopRansomware: RansomHub Ransomware
The joint Cybersecurity Advisory by the FBI, CISA, MS-ISAC, and HHS aims to provide information on the RansomHub ransomware variant, which has been identified as a ransomware-as-a-service model that has attracted high-profile affiliates from other prominent variants. RansomHub has encrypted and exfiltrated data from at least 210 victims across various sectors. Affiliates use phishing emails, exploit known vulnerabilities, and password spraying to gain initial access. They then conduct network scanning, disable antivirus products, and move laterally inside the network using tools like Mimikatz, Cobalt Strike, and others. Data exfiltration methods vary but include tools such as PuTTY, AWS S3 buckets, and HTTP POST requests. The ransomware uses an Elliptic Curve Encryption algorithm to encrypt files, appending a unique key and checksum at the end of each file. The ransomware executable does not encrypt executable files and deletes volume shadow copies to hinder system recovery.