The FBI, along with other federal agencies, has issued a joint advisory about a ransomware-as-a-service operation and its leak website that have targeted 210 organizations in recent months. In a bulletin released on August 29th, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services revealed that RansomHub, a ransomware gang, has been responsible for at least 210 successful cyberattacks since February. The group targets a range of industry sectors, including water, wastewater, information technology, healthcare, government services, and more.
According to the agencies’ bulletin, RansomHub employs a “double-extortion model”: it encrypts systems and also exfiltrates data, then demands ransom payments from victims. Instead of sending traditional ransom notes or payment instructions to victims directly, RansomHub instructs them to contact the group via a unique dark web URL.
If victims fail to comply with the ransom demands within three to 90 days after the cyberattack occurs, their data is published on RansomHub’s leak website, which is accessible via Tor. The FBI strongly advises all organizations to take this threat seriously. It recommends that network administrators promptly install operating system, firmware, and software updates. Recognizing and reporting phishing attempts is also crucial, along with implementing phishing-resistant multi-factor authentication.
RansomHub is identified as a variant of ransomware-as-a-service previously known as Cyclops and Knight. It has recently attracted high-profile affiliates from other prominent variants like LockBit and ALPHV.
An investigation by Epoch Times into RansomHub’s dark web site reveals that the group claims responsibility for breaching systems belonging to Frontier Communications; Rite Aid, the American pharmacy chain; the Florida Department of Health; Spandex; Christie’s auction house; Rainier Arms, a gun company; Patelco Credit Union, a not-for-profit organization; Headwater Companies, a groundwater distribution company; and the Bedford City School District website in Ohio, among others.
Internationally targeted entities include Saudi Arabia’s general secretariat of the military service council, the Polish police department’s website, and Coca-Cola’s Myanmar division, among many others listed on the site, each with a ticking countdown timer indicating when its data will be published unless the ransom is paid.
Frontier Communications confirmed being hacked earlier this year, which resulted in some systems being shut down as a containment measure during response efforts, while Halliburton acknowledged a cybersecurity breach without mentioning RansomHub’s involvement specifically.