RansomHub, a ransomware-as-a-service (RaaS) operation that emerged in February 2024, has breached more than 200 victims across various critical U.S. infrastructure sectors.

This includes major entities such as Patelco Credit Union, Rite Aid, Christie’s auction house, and Frontier Communications. Frontier later reported that over 750,000 customers had their personal information exposed in the breach.

RansomHub’s strategy revolves around data-theft-based extortion, threatening to leak stolen files unless a ransom is paid. If negotiations fail, the group auctions the documents to the highest bidder. While primarily focused on data theft, RansomHub has also shown interest in acquiring ransomware source code, such as that of Knight ransomware.

A joint advisory issued today by the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) highlights RansomHub’s impact. The advisory confirms that RansomHub, formerly known as Cyclops and Knight, has effectively positioned itself within the cybercrime landscape, attracting affiliates from other notorious ransomware variants like LockBit and ALPHV.


The advisory notes that RansomHub has targeted a wide range of critical infrastructure sectors, including water and wastewater, information technology, government services, healthcare, emergency services, food and agriculture, financial services, and more. Since its inception, the group has both encrypted and exfiltrated data from at least 210 victims within these sectors.

To mitigate the risks posed by RansomHub, federal agencies recommend network defenders patch known vulnerabilities, implement strong passwords and multifactor authentication (MFA) for critical systems, keep software updated, and conduct regular vulnerability assessments. The advisory also provides detailed indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by RansomHub affiliates, based on FBI investigations conducted as recently as August 2024.


The agencies discourage paying ransoms, warning that doing so may not guarantee the recovery of stolen files and could embolden cybercriminals to target additional organizations, further fueling the ransomware ecosystem.