Newcomer RansomHub produced another victim today. The target in question is the National Autonomous University of Mexico, which reportedly got a 10-day countdown until its data leaks publicly.
The growing trend of ransomware hits is worrying, as is the surge of new ransomware gangs ready to make a statement. 2023 has been quite a profitable year for ransomware groups, both in terms of successful hits and paid ransoms.
It’s only natural that newcomers are also trying to get a slice of the pie.
An even more pressing and glaring problem is the adaptability and resourcefulness shown by some of these cybercriminal organizations. According to specialists, ransomware gangs appear to be better funded and more adaptable than ever.
The groups use increasingly modern and complex tactics and tools. This allows them to hit medium- and high-value targets more easily and effectively. The same appears to be the case with RansomHub.
The gang is still very new, so not much is known about it. But there are some things worth mentioning. The most important one is that RansomHub appears to be a decentralized gang. The group relies on a workforce located all over the globe.
It doesn’t have a clear hierarchical structure, or at least one hasn’t been determined yet. The members work more as affiliates, and they’re all motivated by one thing: the prospect of massive financial gains.
Aside from the gang’s work profile, there’s another peculiar feature that most cybercriminal gangs lack: apparent “fairness.” The hackers appear to have a strict policy regarding their victims and the primary MO.
On the one hand, RansomHub has a list of several states that they won’t hit. These include Cuba, China, North Korea, and the CIS (Commonwealth of Independent States). The latter includes the following countries:
On the other hand, the hackers have stated explicitly that they will not attack the same target twice. Moreover, their Right Protection clause mentions:
“Affiliates must comply with the agreements reached during negotiations. If they don’t, contact us, and we will ban them. If a second attack occurs after payment, contact us and we will provide you with the decryptor immediately.
If you’re the target of an attack that we have not allowed, contact us, and we will ban the affiliate and provide you with the decryptor.”
The hackers also appear to have a customer support line where victims can submit complaints based on RansomHub’s internal regulations. As analysts explain, this approach is just a façade meant to give the hackers legitimacy.
In reality, they’re nothing more than a typical ransomware gang with standard MOs driven by nothing more than profit.