US agencies warn against ransomware group behind hundreds of attacks in recent months | The Record from Recorded Future News
More than 210 organizations have dealt with ransomware attacks launched by the RansomHub group since February, according to an advisory from several US cybersecurity agencies.

The FBI joined the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) in publishing an advisory on Thursday about RansomHub, which has gained prominence since hosting data stolen from UnitedHealth Group in April.

The advisory from US agencies said the group has made a point of going after victims across several sectors, including water, IT, healthcare, emergency services, agriculture, financial services, manufacturing, transportation, communications and government.

RansomHub's emergence coincided with the takedown of two of the most prolific groups currently operating: LockBit and AlphV. The agencies said RansomHub is now attracting what they consider high-profile affiliates from both groups.

The attack on UnitedHealth Group, which involved information on nearly a third of all Americans according to the company, was conducted by affiliates working for AlphV. When that group folded due to law enforcement action, the hackers turned to RansomHub, which offered the data for sale.

Since the UnitedHealth incident, the group has taken on a prominent role in the ransomware ecosystem, claiming credit for several high-profile attacks on telecom giant Frontier, Rite Aid, British auction house Christie's, the city of Columbus, Ohio, and one of the oldest credit unions in the US.

The advisory notes that RansomHub is a descendant of previous ransomware operations called Cyclops and Knight but has now established itself as an efficient and successful service model.

Recorded Future ransomware expert Allan Liska previously said the ransomware Knight was considered a lower-tier ransomware operation, noting that its predecessor has been around since 2015 but that a new version of it has been active since August 2023.

Last year, there was some indication that more sophisticated cybercriminals had joined forces with those behind Knight.

The advisory's findings are based on several incident response engagements conducted by CISA, the FBI and other cybersecurity officials within the federal government.

As with most incidents, the agencies found that affiliates of the group encrypt systems and exfiltrate data before attempting to extort victims. Victims are typically not given any ransom demand and are instead given a link to communicate with the hackers.

Depending on the affiliate, victims have between 3 and 90 days to pay a ransom before data is published.

Victims are typically compromised through internet-facing systems with phishing emails or vulnerabilities.

The advisory lists dozens of vulnerabilities US agencies have seen RansomHub exploit, including bugs in products from Citrix, Fortinet, Apache, BIG-IP, Microsoft and Atlassian. Exploits for the vulnerabilities are typically bought or stolen.

RansomHub affiliates have also been seen using remote access software from Anydesk.

All of the agencies behind the advisory urged victims to report incidents to the government. The advisory was released on the same day that CISA unveiled a new cyber incident reporting portal as part of a larger effort to improve the notification process.

"Any organization experiencing a cyber attack or incident should report it for its own benefit and to help the broader community. CISA and our government partners have unique resources and tools to aid with response and recovery, but we can't help if we don't know about an incident," said CISA Executive Assistant Director for Cybersecurity Jeff Greene.

"Sharing information allows us to work with our full breadth of partners so that the attackers can't use the same techniques on other victims, and can provide insight into the scale of an adversary's campaign."

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Copyright 2024 The Record from Recorded Future News