RansomHub Ransomware Actors Exploit ZeroLogon Vulnerability in Recent Attacks

June 5, 2024

RansomHub, a ransomware-as-a-service (RaaS) operation, has been leveraging the ZeroLogon vulnerability (CVE-2020-1472) in recent attacks. This privilege escalation flaw allows an attacker to take control of an organization's domain controllers. RansomHub attackers have been using this flaw to gain initial access to a victim's environment.

The attackers have been using several dual-use tools before deploying the ransomware. These include remote access products from Atera and Splashtop and the NetScan network scanner. As Symantec (Broadcom) researchers noted in a recent report, "Atera and Splashtop were used to facilitate remote access, while NetScan was used to likely discover and retrieve information about network devices."

The RansomHub payload has also been using the iisreset.exe and iisrstas.exe command-line tools to halt all Internet Information Services (IIS) services. Adam Neel, senior threat detection engineer at Critical Start, emphasized the importance of patching and mitigating this vulnerability to protect against attacks from RansomHub.
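The tooling described in the two paragraphs above (remote access agents and a network scanner staged before the payload, then iisreset.exe/iisrstas.exe stopping IIS just before encryption) is a sequence a defender can correlate per host. The following is an added detection example, not code from the article or from Symantec; it runs over constructed process-creation events in a Sysmon-style layout. The agent binary names for Atera (AteraAgent.exe), Splashtop (SRServer.exe) and NetScan (netscan.exe) are assumptions for illustration, not values taken from the report.

```python
from typing import Dict, List

# Constructed sample of process-creation events (Sysmon Event ID 1 style); not data
# from the article. Fields: timestamp|host|user|image path|command line|parent image.
SAMPLE_EVENTS = [
    "2024-06-01T01:02:11Z|web01|CORP\\admin|C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe|AteraAgent.exe|C:\\Windows\\System32\\services.exe",
    "2024-06-01T01:05:43Z|web01|CORP\\admin|C:\\Users\\admin\\Downloads\\netscan.exe|netscan.exe|C:\\Windows\\explorer.exe",
    "2024-06-01T01:09:02Z|web01|CORP\\admin|C:\\Windows\\System32\\iisreset.exe|iisreset.exe /stop|C:\\Windows\\System32\\cmd.exe",
    "2024-06-01T01:09:05Z|web01|CORP\\admin|C:\\Windows\\System32\\iisrstas.exe|iisrstas.exe|C:\\Windows\\System32\\iisreset.exe",
    "2024-06-01T08:30:00Z|web02|CORP\\ops|C:\\Windows\\System32\\iisreset.exe|iisreset.exe /restart|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2024-06-01T09:00:00Z|ws07|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe|C:\\Windows\\explorer.exe",
]

# Lower-cased image basenames worth flagging, with a category used for correlation.
# iisreset.exe and iisrstas.exe are named in the article; the agent/scanner
# binary names below are assumed for this example.
WATCHLIST = {
    "iisreset.exe": ("iis-stop", "IIS control tool used by the payload to halt IIS services"),
    "iisrstas.exe": ("iis-stop", "IIS control helper used by the payload to halt IIS services"),
    "ateraagent.exe": ("remote-access", "Atera remote access agent (assumed binary name)"),
    "srserver.exe": ("remote-access", "Splashtop streamer (assumed binary name)"),
    "netscan.exe": ("recon", "NetScan network scanner (assumed binary name)"),
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into fields and derive the image basename."""
    ts, host, user, image, cmdline, parent = line.split("|", 5)
    return {
        "ts": ts, "host": host, "user": user, "image": image,
        "cmdline": cmdline, "parent": parent,
        "basename": image.rsplit("\\", 1)[-1].lower(),
    }


def find_watched(lines: List[str]) -> List[Dict[str, str]]:
    """Return every event whose image basename is on the watchlist, tagged with its category."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = WATCHLIST.get(ev["basename"])
        if hit:
            category, note = hit
            findings.append({**ev, "category": category, "note": note})
    return findings


def host_severity(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Correlate categories per host.

    An IIS stop by itself is routine administration (medium). An IIS stop on the
    same host that also ran a remote access agent or a network scanner matches
    the staging sequence described in the report and is rated high.
    """
    cats_by_host: Dict[str, set] = {}
    for f in findings:
        cats_by_host.setdefault(f["host"], set()).add(f["category"])
    severity = {}
    for host, cats in cats_by_host.items():
        if "iis-stop" in cats and cats & {"remote-access", "recon"}:
            severity[host] = "high"
        elif "iis-stop" in cats:
            severity[host] = "medium"
        else:
            severity[host] = "low"
    return severity


if __name__ == "__main__":
    hits = find_watched(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['category']:<14} {h['cmdline']}  <- {h['parent']}")
    for host, sev in sorted(host_severity(hits).items()):
        print(f"{host}: {sev}")
```

In the constructed sample, web01 shows the full chain (agent, scanner, then IIS stopped from cmd.exe) and is rated high, while web02's lone iisreset from PowerShell is rated medium so that routine restarts do not page anyone. In production the same correlation would be keyed on a time window rather than on the whole event set.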

RansomHub has gained significant attention since it first surfaced in February. Symantec currently ranks it as the fourth most prolific ransomware in terms of claimed victims, following Lockbit, Play, and Qilin. BlackFog has listed over five dozen organizations that RansomHub has targeted in the few months it's been operational. Many of these are smaller and midsize firms, though some recognizable names have also been victimized, including Christie's Auction House and UnitedHealth Group subsidiary Change Healthcare.

RansomHub has publicly claimed 61 victims in the past three months. This is compared to Lockbit's 489 victims, the Play group's 101, and Qilin's 92. RansomHub is among a small group of RaaS operators that have surfaced following the recent law enforcement takedowns of ransomware majors Lockbit and ALPHV/BlackCat. The group has been trying to attract new affiliates to its RaaS, offering them the ability to collect ransoms directly from victims and then pay RansomHub a 10% cut.

There are several code overlaps between RansomHub and an older, now defunct, ransomware family called Knight. The overlaps are so extensive that it is difficult to distinguish between the two threats. Both payloads are written in the Go programming language and use the same obfuscator, Gobfuscate. They have nearly identical help menus, encode important code strings in the same way, decode them at runtime, and can restart a target endpoint in safe mode prior to encryption. Even the ransom notes used by Knight and RansomHub are nearly the same.

However, Symantec noted that "despite shared origins, it is unlikely that Knight's creators are now operating RansomHub." RansomHub operators likely purchased the Knight source code when it was put up for sale and are now simply reusing it. One of the main differences between the two ransomware families is the set of commands run through cmd.exe.

The group is growing rapidly and is on track to be one of the most prolific ransomware groups in 2024, according to Neel. He also noted that, due to their recent success and notoriety, they have been able to recruit former members of the ALPHV/BlackCat ransomware group, allowing them to draw on that group's knowledge and tools to enhance their capabilities even further.
