RansomHub Emerges as Leading Ransomware Group in 2024, Impacting Over 600 Global Entities
February 14, 2025
RansomHub, a ransomware-as-a-service (RaaS) operation, rose to prominence in 2024, affecting over 600 organizations around the globe. The group has been observed exploiting already-patched security vulnerabilities in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to victim networks, a step it takes after an initial compromise has already succeeded.
RansomHub first appeared on the scene in February 2024 when it acquired the source code of the now-defunct Knight RaaS gang from the RAMP cybercrime forum to accelerate its operations. In about five months, an upgraded version of the locker was advertised on the black market with the ability to remotely encrypt data via the SFTP protocol. This ransomware comes in different versions capable of encrypting files on Windows, VMware ESXi, and SFTP servers.
The group has also been seen actively recruiting affiliates from LockBit and BlackCat groups as part of a partnership program, suggesting a move to capitalize on the law enforcement actions targeting its competitors. In a case studied by a Singapore-based cybersecurity company, the threat actor reportedly tried and failed to exploit a critical flaw affecting Palo Alto Networks PAN-OS devices (CVE-2024-3400) using a publicly available proof-of-concept. The attacker eventually breached the victim network via a brute-force attack against the VPN service.
The initial access was then used to carry out the ransomware attack, with both data encryption and exfiltration completed within 24 hours of the compromise. Specifically, the intrusion weaponized two known security flaws, one in Active Directory (CVE-2021-42278, aka noPac) and one in the Netlogon protocol (CVE-2020-1472, aka ZeroLogon), to gain control of the domain controller and move laterally across the network.
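As an added illustration, not part of the article or the cited report, the following detector flags Windows Security events consistent with the noPac chain (CVE-2021-42278), in which a computer account's sAMAccountName is rewritten to drop its trailing `$` so that it collides with a domain controller's name. The event records, the field names and the domain-controller inventory are constructed simplifications for this example.

```python
# Added example (not the article's or the report's code): flag account-rename
# events that match the noPac (CVE-2021-42278) pattern. Event ID 4781 ("the name
# of an account was changed") fires when sAMAccountName is rewritten; the field
# names below are simplified assumptions, and every record is constructed.
SAMPLE_EVENTS = [
    {"EventID": 4781, "Subject": "CORP\\jdoe", "OldName": "WS01$", "NewName": "DC01"},
    {"EventID": 4781, "Subject": "CORP\\itadmin", "OldName": "LAPTOP7$", "NewName": "LAPTOP8$"},
    {"EventID": 4781, "Subject": "CORP\\jdoe", "OldName": "DC01", "NewName": "WS01$"},
    {"EventID": 4720, "Subject": "CORP\\itadmin", "OldName": "", "NewName": "svc_new"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # constructed inventory of DC hostnames


def is_computer_account(name: str) -> bool:
    """Machine accounts in Active Directory carry a trailing '$'; users do not."""
    return name.endswith("$")


def find_nopac_indicators(events, dc_names):
    """Return (severity, subject, detail) tuples for suspicious renames."""
    findings = []
    pending = set()  # (subject, stripped name) renames awaiting a restore
    for ev in events:
        if ev.get("EventID") != 4781:
            continue
        old, new, who = ev["OldName"], ev["NewName"], ev["Subject"]
        if is_computer_account(old) and not is_computer_account(new):
            # Core noPac precondition: a computer account loses its '$'.
            # Matching a DC name is the high-severity case.
            sev = "high" if new.upper() in dc_names else "medium"
            findings.append((sev, who, f"computer account renamed {old} -> {new}"))
            pending.add((who, new))
        elif (who, old) in pending and is_computer_account(new):
            # The same subject renames it back: the chain is being cleaned up.
            findings.append(("high", who, f"name restored {old} -> {new}"))
            pending.discard((who, old))
    return findings


if __name__ == "__main__":
    for sev, who, detail in find_nopac_indicators(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[{sev}] {who}: {detail}")
```

In production the same rule is usually expressed as a SIEM query over the 4741/4742/4781 event family rather than as a script; the logic (machine account renamed without `$`, especially to a DC's name, then renamed back) is the part that carries over.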
Another noteworthy aspect of the attack is the use of PCHunter to disable and bypass endpoint security solutions, as well as Filezilla for data exfiltration. The researchers noted the existence of a vibrant cybercrime ecosystem, characterized by the sharing, reusing, and rebranding of tools and source codes. This ecosystem fuels a robust underground market where high-profile victims, infamous groups, and large sums of money play crucial roles.
The cybersecurity firm also detailed the operations of a formidable RaaS operator known as Lynx, shedding light on their affiliate workflow, their cross-platform ransomware arsenal for Windows, Linux, and ESXi environments, and customizable encryption modes. An analysis of the ransomware's Windows and Linux versions shows that it closely resembles INC ransomware, indicating that the threat actors likely acquired the latter's source code.
In recent weeks, financially motivated attacks have also been observed using the Phorpiex botnet malware propagated via phishing emails to deliver the LockBit ransomware. Another significant initial infection vector involves the exploitation of unpatched VPN appliances (e.g., CVE-2021-20038) to gain access to internal network devices and hosts and ultimately deploy Abyss Locker ransomware. The attacks also feature the use of tunneling tools to maintain persistence, as well as leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls.
The ransomware landscape continues to evolve, with attacks shifting from traditional encryption toward data theft and extortion, even as victims increasingly refuse to pay, leading to a decline in ransom payments in 2024. Groups like RansomHub and Akira now offer large rewards for stolen data, making data theft and extortion a lucrative tactic.