Advisory: CISA Releases Advisory on RansomHub Ransomware Attacks

RansomHub is a new ransomware group offering Ransomware as a Service that has already encrypted and exfiltrated data from at least 210 victims. How does RansomHub bypass defenses and how can you defend against it?

CISA recently published an advisory highlighting the threat of the new Ransomware-as-a-Service (RaaS) variant called RansomHub. RansomHub ransomware has encrypted and exfiltrated data from at least 210 organizations since its inception in February 2024, making it crucial for organizations to have robust defenses, incident response plans, and recovery solutions.

Let’s look at how RansomHub ransomware works and how it bypasses many defenses, including Endpoint Detection and Response (EDR) tools, and then at our three major takeaways from CISA’s report on how to defend against or mitigate this attack.

What Is RansomHub Ransomware?

RansomHub operates as a Ransomware-as-a-Service: the core group supplies the ransomware and infrastructure to a variety of ‘affiliates’, who then use it to infiltrate organizations and to encrypt and exfiltrate the victim’s data.

Being struck by ransomware can have widespread repercussions for any organization. Beyond the dilemma of whether to pay a ransom, it disrupts operations and damages reputation.

RansomHub’s ransomware has encrypted and exfiltrated data from at least 210 organizations across several industries, including:

  • Information Technology
  • Government Services and Facilities
  • Healthcare
  • Emergency Services
  • Food and Agriculture
  • Financial Services

However, ransomware can be stopped before it reaches this stage. To do that, we have to understand how RansomHub ransomware gains a foothold and spreads through your network.

RansomHub Ransomware is Designed to Get Past Your Defenses

RansomHub affiliates first have to gain initial access to your network. They typically do so through phishing emails, exploitation of known vulnerabilities, and password spraying (trying a small set of predictable passwords across many user accounts, with only one or two attempts per account so that no lockout threshold is triggered).
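As an added illustration (not code from the CISA advisory or from Lumu), the following Python flags password spraying in constructed Windows logon events. Per-account lockout counters miss the pattern by design, so the detection counts distinct accounts per source instead. The tuple layout mirrors the fields of Security events 4625 (failed logon) and 4624 (successful logon), and both that layout and the thresholds are assumptions chosen for the demonstration:

```python
"""Password-spray detection over constructed Windows logon events.

Added example; not from the CISA advisory or the Lumu page. The records are
constructed for the demonstration. Tuple layout (an assumption mirroring
Security events 4625/4624): timestamp, source IP, target account, event ID.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
EVENTS = [
    # One predictable password tried once against many accounts: a spray.
    ("2024-09-03T08:00:01", "203.0.113.7", "alice", 4625),
    ("2024-09-03T08:00:03", "203.0.113.7", "bob", 4625),
    ("2024-09-03T08:00:05", "203.0.113.7", "carol", 4625),
    ("2024-09-03T08:00:07", "203.0.113.7", "dave", 4625),
    ("2024-09-03T08:00:09", "203.0.113.7", "erin", 4625),
    ("2024-09-03T08:00:11", "203.0.113.7", "frank", 4625),
    ("2024-09-03T08:00:13", "203.0.113.7", "frank", 4624),  # the spray lands
    # Many attempts on a single account: classic brute force, not a spray.
    *[("2024-09-03T08:01:%02d" % s, "198.51.100.9", "admin", 4625) for s in range(8)],
    # One mistyped password: benign noise.
    ("2024-09-03T08:02:00", "10.0.0.5", "alice", 4625),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts with few
    attempts each inside `window`.

    Lockout policies count failures per account; a sprayer stays under that
    limit for every account. Counting distinct accounts per *source* is what
    exposes the pattern. Returns {source_ip: {"accounts": [...],
    "success_after": account-or-None}}, where success_after is the account
    that logged on successfully from the same source inside the window.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, account, event_id in events:
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append((t, account))
        elif event_id == 4624:
            successes[src].append((t, account))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Slide a window over this source's failures, anchored at each attempt.
        for i, (start, _) in enumerate(attempts):
            per_account = defaultdict(int)
            for t, account in attempts[i:]:
                if t - start > window:
                    break
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                landed = [acct for t, acct in successes.get(src, [])
                          if start <= t <= start + window]
                findings[src] = {
                    "accounts": sorted(per_account),
                    "success_after": landed[0] if landed else None,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(EVENTS).items():
        print(src, info)
```

The brute-force source in the sample is deliberately left unflagged here: it hammers a single account and is the case a per-account lockout already handles, whereas the spray source spreads six attempts across six accounts and then logs in as one of them.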

They then evade defenses by renaming the ransomware executable with an innocuous file name, such as Windows.exe, and leaving it in the user’s Desktop or Downloads folder.

Once RansomHub affiliates have access, they have been observed using Windows Management Instrumentation (WMI) to disable antivirus products. In some instances, RansomHub-specific tools are deployed to disable Endpoint Detection and Response (EDR) tooling.

They then escalate privileges and move laterally within the network and begin to exfiltrate and encrypt data.

How is RansomHub Evading EDRs?

According to CISA, RansomHub uses MITRE ATT&CK technique T1562.001, Impair Defenses: Disable or Modify Tools, for this evasion. The technique covers several distinct ways of evading detection.

Tampering with or Disabling Security Tools

This can involve several strategies, such as terminating security software processes, altering configuration files, or blocking updates so that the latest signatures and patches are never applied. By disabling these tools, attackers avoid detection and continue their malicious activity unobserved.

Tampering with System Components

Some security products hook system modules to observe specific events, but attackers can unhook or alter these modifications to evade detection. They may also target specific tools such as Sysmon, manipulating its registry keys to disable logging and make their actions harder to trace.

Attackers may also bypass firmware verification on network devices, disable cloud monitoring tools, or abuse legitimate security tools to disable or bypass other security mechanisms. Once the defenses are neutralized in this way, adversaries can operate without being detected by EDRs and similar endpoint tools.
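The host-side behaviours described in this section (a lookalike binary dropped in a user directory, a shell spawned through WMI to uninstall antivirus, real-time protection switched off, Sysmon’s service key tampered with) all leave traces in process-creation and registry telemetry before the tooling goes dark. The following Python, an added example that is not the advisory’s or Lumu’s code, runs simple rules over constructed Sysmon-style events. The event dict keys mirror Sysmon event 1 (process create) and event 13 (registry value set), and those keys, the lookalike-name list, the command-line patterns and the Sysmon registry path are all assumptions for the demonstration:

```python
"""Host-side detection of T1562.001-style defense impairment over constructed
Sysmon-like events.

Added example; not from the CISA advisory or the Lumu page. Event dicts are
constructed; their keys ("id", "image", "parent", "cmdline", "target") are an
assumption mirroring Sysmon event 1 (process create) and event 13 (registry
value set). LOOKALIKE_NAMES, IMPAIR_PATTERNS and SYSMON_SERVICE_KEY are
demonstration assumptions to tune in a real deployment.
"""
import re

# Names an attacker gives a dropped binary so it blends in with the OS.
LOOKALIKE_NAMES = {"windows.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\(desktop|downloads)\\", re.I)

# Command lines that disable or remove endpoint protection (assumed patterns).
IMPAIR_PATTERNS = [
    re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I),
    re.compile(r"\bwmic\b.*\bproduct\b.*\buninstall\b", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+(sysmon\w*|windefend|sense)\b", re.I),
]
# Sysmon's driver/service keys; setting Start=4 (SERVICE_DISABLED) kills logging.
SYSMON_SERVICE_KEY = re.compile(
    r"^hklm\\system\\currentcontrolset\\services\\sysmon\w*\\", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\jdoe\Downloads\Windows.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Windows.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": 'cmd.exe /c wmic product where name="ExampleAV" call uninstall'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Start",
     "details": "DWORD (0x00000004)"},
    # Benign: the genuine explorer.exe from its normal location.
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # Benign: an ordinary installer in Downloads with no OS-lookalike name.
    {"id": 1, "image": r"C:\Users\jdoe\Downloads\setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "setup.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names the event trips (empty if benign)."""
    hits = []
    if event["id"] == 1:
        image = event["image"]
        cmdline = event.get("cmdline", "")
        # OS-lookalike name launched from Desktop/Downloads rather than System32.
        if _basename(image) in LOOKALIKE_NAMES and USER_DIR.match(image):
            hits.append("lookalike_binary_in_user_dir")
        if any(p.search(cmdline) for p in IMPAIR_PATTERNS):
            hits.append("defense_impairment_command")
        # WmiPrvSE.exe is the WMI provider host; a shell beneath it means
        # the command arrived via WMI rather than an interactive session.
        if (_basename(event.get("parent", "")) == "wmiprvse.exe"
                and _basename(image) in {"cmd.exe", "powershell.exe"}):
            hits.append("shell_spawned_via_wmi")
    elif event["id"] == 13 and SYSMON_SERVICE_KEY.match(event["target"]):
        hits.append("sysmon_service_registry_tamper")
    return hits


def scan(events):
    """Return [(image-or-registry-target, [rules...])] for every flagged event."""
    findings = []
    for event in events:
        hits = evaluate(event)
        if hits:
            findings.append((event.get("image") or event.get("target"), hits))
    return findings


if __name__ == "__main__":
    for subject, rules in scan(SAMPLE_EVENTS):
        print(subject, rules)
```

The point of the third rule is worth stressing: an attacker who uses WMI to run the uninstall does not need to open a console, so the parent-process relationship is often the only thing that distinguishes the command from an administrator’s own maintenance. These rules only help if the events are forwarded off the host before the logging is disabled, which is exactly why the next section turns to the network.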

3 Ways to Defend Against RansomHub Ransomware

There are three essential takeaways from the report about how to defend and mitigate against RansomHub ransomware.

CISA emphasizes that security starts with strong password policies and multi-factor authentication, which make initial access much harder for attackers. But if we assume that RansomHub affiliates have breached that first line of defense, how can you detect and stop them before it’s too late?

The Network Is The Ultimate Source of Truth 

As noted above, RansomHub ransomware has been seen to bypass endpoint defenses such as EDRs. Because of this, it is essential to identify, detect, and investigate abnormal activity and potential anomalies with a network monitoring tool, which observes traffic from outside the compromised host.

To detect ransomware, implement a tool that logs and reports all network traffic, including lateral movement within the network, and that integrates with your security stack so that detections can be acted on immediately.
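Two network-side signals map directly onto the later stages described above: an internal host fanning out over SMB, RDP or WinRM to many peers in a short window (lateral movement), and the same host pushing a large one-directional volume to an external address (exfiltration). Neither signal depends on the endpoint agent surviving. The following Python, an added example rather than the advisory’s or Lumu’s code, applies both checks to constructed flow records; the tuple layout, the internal ranges and the thresholds are assumptions for the demonstration:

```python
"""Network-side detection of lateral movement and bulk exfiltration over
constructed flow records.

Added example; not from the CISA advisory or the Lumu page. Flow tuples are
constructed: (timestamp, src IP, dst IP, dst port, bytes sent by src). The
internal ranges (RFC 1918) and the thresholds are assumptions to tune per
environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports used for administrative access between Windows hosts: SMB, RDP,
# WinRM (HTTP/HTTPS) and RPC endpoint mapper.
LATERAL_PORTS = {445, 3389, 5985, 5986, 135}
# Explicit RFC 1918 ranges; ipaddress.is_private also counts documentation
# ranges such as 198.51.100.0/24 as private, which would hide the exfil below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real telemetry).
FLOWS = [
    # Workstation fanning out over SMB/RDP/WinRM to six peers in under a minute.
    ("2024-09-03T09:00:00", "10.0.1.20", "10.0.1.21", 445, 8_000),
    ("2024-09-03T09:00:10", "10.0.1.20", "10.0.1.22", 445, 8_000),
    ("2024-09-03T09:00:20", "10.0.1.20", "10.0.1.23", 3389, 12_000),
    ("2024-09-03T09:00:30", "10.0.1.20", "10.0.1.24", 445, 8_000),
    ("2024-09-03T09:00:40", "10.0.1.20", "10.0.1.25", 5985, 6_000),
    ("2024-09-03T09:00:50", "10.0.1.20", "10.0.1.26", 445, 8_000),
    # Same host later pushing 3 GB to one external address over HTTPS.
    ("2024-09-03T09:30:00", "10.0.1.20", "198.51.100.44", 443, 1_500_000_000),
    ("2024-09-03T09:35:00", "10.0.1.20", "198.51.100.44", 443, 1_500_000_000),
    # Normal: one client reaching one file server, and a small web fetch.
    ("2024-09-03T09:01:00", "10.0.1.30", "10.0.1.5", 445, 20_000),
    ("2024-09-03T09:02:00", "10.0.1.30", "203.0.113.10", 443, 40_000),
]


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_movement(flows, window=timedelta(minutes=5), min_peers=5):
    """Internal hosts that open admin-protocol connections to at least
    `min_peers` distinct internal peers inside `window`. A workstation
    normally talks to a handful of servers, not to its neighbours over SMB."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in LATERAL_PORTS and _is_internal(src) and _is_internal(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst))
    findings = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            peers = {dst for t, dst in conns[i:] if t - start <= window}
            if len(peers) >= min_peers:
                findings[src] = sorted(peers)
                break
    return findings


def detect_exfiltration(flows, window=timedelta(hours=1), min_bytes=1_000_000_000):
    """Internal hosts sending at least `min_bytes` to external addresses
    inside `window`. Large outbound volume from a host that normally only
    downloads is the network footprint of the exfiltration step."""
    by_src = defaultdict(list)
    for ts, src, dst, _, sent in flows:
        if _is_internal(src) and not _is_internal(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst, sent))
    findings = {}
    for src, xfers in by_src.items():
        xfers.sort()
        for i, (start, _, _) in enumerate(xfers):
            in_window = [(dst, sent) for t, dst, sent in xfers[i:]
                         if t - start <= window]
            total = sum(sent for _, sent in in_window)
            if total >= min_bytes:
                findings[src] = {"bytes": total,
                                 "destinations": sorted({d for d, _ in in_window})}
                break
    return findings


if __name__ == "__main__":
    print("lateral movement:", detect_lateral_movement(FLOWS))
    print("exfiltration:", detect_exfiltration(FLOWS))
```

Correlating the two results by source address is what turns them into an incident: the host that fanned out at 09:00 is the one that sent 3 GB out at 09:30, and that pairing is available to the network sensor even after the EDR on 10.0.1.20 has been switched off.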

Real-Time Detection Is Key

Given the evolving tactics of ransomware actors, organizations should continuously update their security postures to stay ahead of these threats. In particular, CISA advises us to “install, regularly update, and enable real-time detection for antivirus software on all hosts”.

Mobilize MITRE ATT&CK Tactics and Techniques

MITRE ATT&CK Tactics and Techniques can be invaluable in understanding and responding to ransomware attacks. By mapping the attacker’s behavior to known tactics and techniques, security teams can gain insights into the attack’s methodology, identify compromised systems, and prioritize mitigation strategies.

Defend Against RansomHub Ransomware

Many organizations have come to rely heavily on EDRs, but advisories such as this one show that cybercriminals find ways to work around them. EDRs play a crucial role in an organization’s security stack, but without a robust, multilayered security architecture around them, over-reliance on EDRs leaves the door open to ransomware.

As a critical component of a ransomware defense strategy, Network Detection and Response (NDR) provides the necessary threat visibility across your network. Pairing this visibility with real-time action through response tools such as EDRs and perimeter defenses will significantly reduce the risk of falling victim to a similar attack.

You can find out more about RansomHub Ransomware and how to defend your organization by accessing the full CISA advisory.
