
The RansomHub ransomware is believed to be a rebranded version of Knight ransomware, which emerged last year.
Knight ransomware targeted multiple platforms, including Windows, Linux, macOS, ESXi, and Android, and its operators ran a double extortion model for their RaaS operation. After the RaaS shut down abruptly earlier this year, the malware's source code was likely sold to the threat actor who relaunched it as the RansomHub operation.
Symantec researchers found multiple similarities between the RansomHub and Knight ransomware families, suggesting a common origin:
- Both are written in Go and use Gobfuscate for obfuscation.
- They share extensive code overlaps.
- The command-line help menus used by the two malware are identical, except for a ‘sleep’ command on RansomHub.
- Both employ a distinctive obfuscation technique in which important strings are individually encoded.
- The ransom notes from both Knight and RansomHub show significant similarities, with many phrases from Knight’s note appearing verbatim in RansomHub’s, indicating that the developers likely edited and updated the original note.
- Both payloads restart endpoints in safe mode before encryption.
- The sequence and method of command execution are the same, though RansomHub now uses cmd.exe for execution.
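The safe-mode reboot listed above is the one behaviour in this list that leaves a clear trace in ordinary endpoint telemetry, because it has to change the boot configuration and then restart the machine. The following is an added detection sketch, not code from Symantec, Security Affairs or either ransomware family: it scans process-creation events exported as JSON lines (the field names ts, host, image, cmdline and parent, and the sample lines themselves, are constructed for this example) and rates a safe-mode boot change that is followed by a forced reboot on the same host as high severity.

```python
"""Detection sketch for the safe-mode-reboot-before-encryption behaviour.

Added example, not code from Symantec or the article. It assumes process-creation
telemetry (Sysmon event 1 / Windows 4688 or similar) exported as JSON lines with
the constructed field names ts, host, image, cmdline and parent.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for the example; not real captured events.
SAMPLE_EVENTS = r"""
{"ts": "2024-06-01T09:14:02Z", "host": "ws-17", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c bcdedit /set {default} safeboot network", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"}
{"ts": "2024-06-01T09:14:03Z", "host": "ws-17", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot network", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-06-01T09:14:10Z", "host": "ws-17", "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown /r /f /t 0", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-06-01T09:20:00Z", "host": "srv-db1", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /enum", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-06-01T10:05:00Z", "host": "ws-22", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /deletevalue {default} safeboot", "parent": "C:\\Windows\\explorer.exe"}
"""

# Safe-mode boot configured in the boot configuration store (MITRE ATT&CK T1562.009).
SAFEBOOT_SET = re.compile(r"\bsafeboot\s+(minimal|network|dsrepair)\b", re.I)
# Safe-mode flag removed again: cleanup after a safe-mode run, but also routine admin work.
SAFEBOOT_CLEAR = re.compile(r"/deletevalue\b.*\bsafeboot\b", re.I)
# A forced restart shortly after the safe-mode change is the combination worth paging on.
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts'; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # malformed record: drop it rather than crash the pipeline
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def classify(event):
    """Tag one event as 'safeboot_set', 'safeboot_clear', 'reboot' or None."""
    cmd = event.get("cmdline", "")
    if SAFEBOOT_SET.search(cmd):
        return "safeboot_set"
    if SAFEBOOT_CLEAR.search(cmd):
        return "safeboot_clear"
    if REBOOT.search(cmd):
        return "reboot"
    return None


def detect(events, window=timedelta(minutes=5)):
    """Return findings sorted by time.

    A safe-mode change followed by a reboot on the same host within `window` is
    rated high, a lone safe-mode change medium, and a safe-mode clear low.
    """
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((tag, ev))

    findings = []
    for host, tagged in by_host.items():
        reboots = [ev["ts"] for tag, ev in tagged if tag == "reboot"]
        for tag, ev in tagged:
            if tag == "safeboot_set":
                followed = any(ev["ts"] <= r <= ev["ts"] + window for r in reboots)
                severity = "high" if followed else "medium"
                reason = "safe-mode boot configured" + (
                    " and reboot forced within window" if followed else "")
            elif tag == "safeboot_clear":
                severity, reason = "low", "safe-mode boot flag removed"
            else:
                continue  # a reboot on its own is not a finding
            findings.append({"host": host, "ts": ev["ts"], "severity": severity,
                             "reason": reason, "cmdline": ev["cmdline"],
                             "parent": ev.get("parent", "")})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']:%H:%M:%S} {f['host']:8} {f['severity']:6} {f['reason']} "
              f"| {f['cmdline']} (parent: {f['parent']})")
```

Matching on the command line rather than on the image name means both the cmd.exe wrapper and the bcdedit.exe child fire on ws-17; that is deliberate, since the parent chain (here a temp-folder executable driving cmd.exe) is usually the most useful triage detail. The low-severity clear on ws-22 is kept because the flag being removed on a host that never showed a matching set may mean the set happened before telemetry coverage began.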
Although RansomHub only emerged in February 2024, it has grown rapidly and, over the past three months, has become the fourth most prolific ransomware operator based on the number of publicly claimed attacks.
The report states that one factor contributing to RansomHub's growth is its success in attracting some large former affiliates of the Noberus ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition, tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attack.
Reference: Security Affairs

