lconstantin
CSO Senior Writer

New RansomHub ransomware gang has ties to older Knight group

News Analysis
07 Jun 2024 | 4 mins
Hacker Groups, Hacking, Ransomware

File encryption malware used by RansomHub appears to be a modified variant of the Knight ransomware, also known as Cyclops.

Credit: Gorodenkoff / Shutterstock

One of the most active ransomware groups this year, which operates under the name RansomHub, may have its origins in an older and now defunct ransomware group called Knight, which was itself a rebrand of an older operation known as Cyclops.

The links discovered by researchers from Symantec show that the ransomware ecosystem is an ever-revolving door for many of the same people and the same malware.

RansomHub first appeared back in February and quickly rose to become one of the top four ransomware threats by number of victims this year. Moreover, it has attracted many collaborators from other groups by offering a 90% commission on victim payments and the possibility for affiliates — the third-party hackers who compromise organizations and deploy the program — to negotiate with victims directly without RansomHub’s supervision.

One of the affiliates that switched over to RansomHub after another group, called BlackCat or ALPHV, shut down is named Notchy. He claimed responsibility for the compromise of UnitedHealth Group subsidiary Change Healthcare in February when he was working for BlackCat and accused the group’s operators of running away with the ransom money. After Notchy joined RansomHub, the group posted the Change Healthcare data, which was probably still in Notchy’s possession, for sale on its website.

Selling stolen data and not just publicly releasing it is another aspect that differentiates RansomHub from other ransomware-as-a-service (RaaS) groups that practice double extortion. Last month, the group threatened to release customer data stolen from British auction house Christie’s.

According to Symantec’s analysis, the file encryption malware used by RansomHub seems to be a modified variant of the Knight ransomware, which was known as Cyclops in the past. This wouldn’t be surprising since the Knight source code was put up for sale on underground forums in February after the Knight group decided to shut down.

The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are a sleep command added to RansomHub’s variant and the set of commands that are available to execute through the Windows command-line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it’s not hard to change them.

Even the text of the ransom note is copied almost word for word from Knight’s with only the contact links changed and other small edits. It’s also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.

“A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption,” the Symantec researchers said. “This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub.”

Recent tactics include exploiting a Microsoft Netlogon protocol flaw

In recent attacks that Symantec investigated, the attackers who deployed RansomHub gained access by exploiting a vulnerability in Microsoft’s Netlogon protocol (CVE-2020-1472) that was patched in August 2020. This flaw, also known as Zerologon, allows attackers to spoof domain controller accounts and steal credentials that could then allow them to take control of the whole network domain.

Before deploying the ransomware program, the attackers perform lateral movement and establish persistence in the network using various third-party tools such as Atera and Splashtop for remote access and NetScan for network reconnaissance. The iisreset.exe and iisrstas.exe command-line tools were used to stop all Internet Information Services (IIS) services — IIS is Microsoft’s web server for Windows servers.
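The pre-encryption steps described here and in the Symantec quote above (stopping IIS, staging a safe-mode restart, dropping remote-access and scanning tools) can be hunted for in process-creation telemetry. The following detection script is an added example, not code from the article or from Symantec; the log lines are constructed, the use of bcdedit with a safeboot option as the safe-mode mechanism is an assumption (the article does not say how the restart is performed), and matching Atera/Splashtop by path substring is a heuristic assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not taken from the Symantec report),
# loosely modelled on the fields of Windows Security event 4688 / Sysmon event 1.
SAMPLE_EVENTS = [
    "host=web01 user=SYSTEM parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline=svchost.exe -k netsvcs",
    "host=web01 user=admin parent=cmd.exe image=C:\\Windows\\System32\\iisreset.exe cmdline=iisreset.exe /stop",
    "host=web01 user=admin parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmdline=bcdedit /set {default} safeboot network",
    "host=dc01 user=admin parent=explorer.exe image=C:\\Tools\\netscan.exe cmdline=netscan.exe /range:10.0.0.0/24",
    "host=fs01 user=SYSTEM parent=services.exe image=C:\\Program Files\\AteraAgent\\AteraAgent.exe cmdline=AteraAgent.exe",
]

# key=value pairs where a value may itself contain spaces (paths, command lines)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split one 'key=value key=value' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return the behaviour names one event matches (empty list if none)."""
    image = event.get("image", "")
    exe = PureWindowsPath(image).name.lower()
    cmd = event.get("cmdline", "").lower()
    hits = []
    if exe in ("iisreset.exe", "iisrstas.exe"):        # IIS being stopped
        hits.append("iis_services_stopped")
    if exe == "bcdedit.exe" and "safeboot" in cmd:     # assumed safe-mode staging
        hits.append("safe_mode_reboot_staged")
    if exe == "netscan.exe":                           # network reconnaissance
        hits.append("network_recon")
    if "atera" in image.lower() or "splashtop" in image.lower():  # heuristic
        hits.append("remote_access_tool")
    return hits

def analyze(lines):
    """Map each host to the sorted set of behaviours seen on it."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for h in classify(ev):
            per_host[ev.get("host", "?")].add(h)
    return {h: sorted(s) for h, s in per_host.items()}

def flag_hosts(lines):
    """Hosts worth triage: any safe-mode staging, or two or more distinct behaviours."""
    return sorted(h for h, hits in analyze(lines).items()
                  if "safe_mode_reboot_staged" in hits or len(hits) >= 2)

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))
```

A single remote-access agent or scanner on its own is not flagged, since both are also used legitimately by administrators; the combination, or any safe-mode staging, is what raises the host for triage.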

While the Symantec researchers don’t think RansomHub is necessarily run by the same people behind Knight, the service certainly attracted some veterans from the cybercriminal underground with experience and contacts. The Symantec report includes multiple indicators of compromise associated with RansomHub that can be used for threat hunting and to build detections.