RansomHub Rides High on Knight Ransomware Source Code Security Boulevard

pThe Home of the Security Bloggers NetworkppHome Cybersecurity Network Security RansomHub Rides High on Knight Ransomware Source CodeppRansomHub the ransomware gang that this month claimed responsibility for the attack in April of telecommunications company Frontier has had a meteoric rise since first appearing on the scene in FebruaryppAlong with the Frontier intrusion RansomHub has also taken credit for additional highprofile ransomware attacks including targeting international auction house Christies and putting up information stolen from Change Healthcare onto its leak siteppAccording to researchers with Broadcoms Symantec business between March and May RansomHub grew into the fourth mostactive ransomware operation in terms of the number of attacks theyve claimed responsibility for The notorious LockBit threat group was by far the most prolific with almost 500 such claims followed at a distance by Play and Qilin RansomHub came in with fewer than 100 the Symantec Threat Hunter Team wrote in a report WednesdayppInvestigations by Symantec into recent RansomHub attacks found the bad actors were exploiting the Zerologon vulnerability in Microsofts Netlogon processes to gain initial access into victims networks The flaw tracked as CVE20201472 lets an attacker get domain administrator privileges and seize control of a domainppThe attackers used several dualuse tools before deploying the ransomware Symantec researchers wrote Atera a remote monitoring and management RMM tool and Splashtop remote access and remote support software were used to facilitate remote access while NetScan was likely used to discover and retrieve information about network devicesppThey wrote that the bad actors behind the RansomHub ransomwareasaservice RaaS likely are using an updated and rebranded variant of the Knight ransomware which itself was probably an evolution of another ransomware strain called Cyclops The developers of Knight which had been around since June 2023 decided to shut down their operation and put their source code up for sale on a hacking site in February making version 30 an exclusive offer for a single buyer to maintain its value as a proprietary tool according to cybersecurity firm SOC PrimeppAnalysis revealed a high degree of similarity between the two threats suggesting that Knight was the starting point for RansomHub the Symantec researchers wrote Despite its shared origins it is unlikely that Knights creators are now operating RansomHub It is possible that other actors bought the Knight source code and updated it before launching RansomHubppThere is an array of similarities between RansomHubs malware and that from Knight they wrote Both payloads are written in the Go programming language which like Rust has become increasingly popular with malware writers over the past several years because of its crossplatform capabilities simplicity and ease of use Most of the variants of each family with the exception of some early versions of Knight are obfuscated with Gobfuscate a legitimate software tool used to obfuscate Go binaries and packagesppIn addition both RansomHub and Knight have virtually identical help menus on the command line though there also is a sleep command in RansomHubppBoth threats employ a unique obfuscation technique where important strings are each encoded with a unique key and decoded at runtime the researchers wroteppThey added that the degree of code overlap between the two families is significant making it very difficult to differentiate between them In many cases a determination could only be confirmed by checking the embedded link to the data leak siteppThere also are a number of similarities in the ransom notes left by each malware strain with a number of phrases that were used by Knight bad actors appearing verbatim in the RansomHub note which they wrote suggested that the RansomHub developers edited and updated the original Knight noteppThat said there are differences with a key one being the commands run through cmdexe which can be configured when the payload is built or during configuration Still while the commands are difference they way and order that theyre called in relation to other operations is the same they wroteppAnother feature used by both Knight and RansomHub is the ability to restart an infected endpoint in safe mode between starting the encryption of files This technique was used by the Snatch ransomware operation in 2019 and that malware also was written in Go and has similar features which may indicate that the Knight and RansomHub ransomware could be a fork of the Snatch source code though the researchers seem doubtful arguing that there were significant differences in Snatchs code vs that of RansomHub and KnightppHowever Noberus is another ransomware group that restarts an infected computer in safe mode before encryption and the encryptor stores its configuration in a JSON with keywords that match was has been seen in RansomHub the Symantec researchers wrote Noberus a onetime affiliate of the prolific BlackCat RaaS operation and other ransomware groups likely are another contributing factor to RansomHubs riseppEarlier this year US and international law enforcement agencies seized LockBits publicfacing websites and took control of its servers in a move to disrupt the RaaS groups operations That came after a similar operation against BlackCat also known as ALPHV late last year In a report in March GuidePoint Security reported that in the wake of the law enforcement actions smaller RaaS groups including RansomHub began recruiting disenchanted LockBit and BlackCat affiliates that were looking for new homesppOne former Noberus affiliate known as Notchy is now reportedly working with RansomHub the researchers wrote In addition to this tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attackppThey added that the speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber undergroundppJeffrey Burt has been a journalist for more than three decades writing about technology since 2000 Hes written for a variety of outlets including eWEEK The Next Platform The Register The New Stack eSecurity Planet and Channel Insiderppjeffreyburt has 313 posts and countingSee all posts by jeffreyburtppppp