RansomHub Breaches 3 Companies

By Bogdan Pătru, Tech Writer. 12 June 2024

Fact-checked by Miklos Zoltan

The RansomHub hackers recently announced 3 new victims, from the US, Italy, and Brazil. None of the victims has commented on the breaches, which apparently resulted in significant data leaks.

  • The target companies lost between 4 GB and 294 GB of data, according to RansomHub’s leak post
  • The 3 targets are Smic USA, Novabit Italy, and Hospital Adventista de Manaus from Brazil
  • RansomHub has been under scrutiny over the past month after an anonymous hacker leaked its code
  • Recent findings have linked RansomHub to the now-defunct Knight ransomware gang

RansomHub is also linked to ALPHV after the latter attacked Change Healthcare in February of this year. According to the victim itself, Change Healthcare was forced to pay $22 million in ransom to Notchy (the ALPHV affiliate who conducted the hit).

Most importantly, this was not the end of it, because RansomHub got involved. The gang began extorting Change Healthcare again in May, using the exact same data that was stolen by ALPHV. Theoretically, RansomHub shouldn’t have had that data.

This led many to assume that RansomHub was either working with ALPHV, that an ALPHV member fled the gang and joined RansomHub, or that RansomHub is ALPHV. Nothing has been confirmed so far.

X post showing the RansomHub attack on the new victims:
https://x.com/FalconFeedsio/status/1800632738908897316

It’s common practice for ransomware gangs to redirect their resources and rebrand themselves when targeted by law enforcement agencies. The original theory was that this is exactly what was happening with ALPHV and RansomHub.

However, the latest developments have put that theory to rest, as another emerged.

What’s Going on With RansomHub?

The first incident occurred recently when an anonymous forum user posted RansomHub’s code for sale. This immediately sparked immense interest, as people started suspecting that RansomHub was selling its code.

The gang remained silent and didn’t comment on the rumors. Recently, the situation changed when Symantec, a Broadcom-trademarked security entity, looked into the gang’s malware. What it discovered was perplexing, to say the least.

It appears that RansomHub is closely linked to the defunct Knight, the latter itself being a rebranding of the old Cyclops. It’s unclear whether RansomHub is an actual successor of Knight or whether it’s simply influenced by it.

Symantec discovered code overlaps between RansomHub and Knight, and that’s not the only hint. The ransom notes left behind by RansomHub also appear to be edited and updated versions of Knight’s original note. Despite these similarities, nothing is certain.

It’s possible that Knight only served as inspiration for RansomHub, or that Knight redirected its resources and manpower to other groups, which eventually leaked into RansomHub, as is typically the case.

As Symantec explains, ransomware gangs never truly go away. Instead, they dissolve when pressured and scatter their assets and manpower to other organizations. Some of these are already active, while others are born from the defunct gang itself shortly after.

This makes it very difficult for law enforcement agencies to keep track of ransomware gangs and their members. Despite that, the war rages on, with both sides adapting to each other’s moves and tactics.
