RansomHub Targets Patchable Bugs in Microsoft Active Directory and Netlogon

Industry
Written by
Anthony M. Freed
Published on
Mar 17, 2025

The RansomHub group has been exploiting patchable vulnerabilities in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to domain controllers within victim networks, The Hacker News reports.

These vulnerabilities, tracked as CVE-2021-42278 and CVE-2021-42287 (noPac) and CVE-2020-1472 (ZeroLogon), let an attacker who already has a foothold take over a domain controller. noPac allows an ordinary domain user who can create or rename a machine account to spoof a domain controller's sAMAccountName and obtain a Kerberos ticket as that DC, while ZeroLogon allows an attacker with network access to a DC to reset its machine-account password through an unauthenticated Netlogon session. Either path yields full privileged access and enables lateral movement across the compromised network. Both flaws have had patches available for years (ZeroLogon since August 2020, noPac since November 2021).  

In a documented incident, RansomHub first attempted to exploit a critical command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS (CVE-2024-3400) using a publicly available proof-of-concept (PoC). After this attempt failed, they breached the victim's network through a brute-force attack against the VPN service, using a dictionary of over 5,000 usernames and passwords.  
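The VPN brute force described above leaves a distinctive trace: a burst of failed logins from one source that cycles through many usernames. The following detector is an added example, not code from the article or from the victim's VPN appliance. The log line format, the source addresses, and the thresholds are all assumptions constructed for illustration; adapt the regular expression to your own gateway's syslog format.

```python
# Added example (not from the original article): flag VPN brute-force or
# dictionary attacks by counting failed logins per source address inside a
# sliding time window and checking how many distinct usernames were tried.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> vpn auth-fail user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) vpn auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(line):
    """Return (timestamp, user, src) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_bruteforce(lines, max_failures=20, window=timedelta(minutes=5), min_users=5):
    """Return {src: (failures_in_window, distinct_users)} for every source that
    reaches max_failures within `window` while trying at least min_users
    different accounts. The distinct-user count separates a dictionary run
    from a single user repeatedly mistyping a password."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:        # successful logins / unrelated lines are skipped
            continue
        ts, user, src = parsed
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # evict entries older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures and len(users) >= min_users:
            alerts[src] = (len(q), len(users))
    return alerts


def sample_log():
    """Constructed sample (not a real log): 30 failures from one source cycling
    through 10 usernames in two minutes, plus one user who failed three times."""
    base = datetime(2025, 3, 10, 2, 0, 0)
    users = [f"user{i}" for i in range(10)]
    lines = [
        f"{(base + timedelta(seconds=4 * i)).isoformat()} vpn auth-fail "
        f"user={users[i % 10]} src=203.0.113.7"
        for i in range(30)
    ]
    later = datetime(2025, 3, 10, 9, 0, 0)
    lines += [
        f"{(later + timedelta(seconds=30 * i)).isoformat()} vpn auth-fail "
        f"user=jsmith src=198.51.100.5"
        for i in range(3)
    ]
    lines.append("2025-03-10T09:05:00 vpn auth-ok user=jsmith src=198.51.100.5")
    return lines


if __name__ == "__main__":
    for src, (failures, distinct) in detect_bruteforce(sample_log()).items():
        print(f"brute force from {src}: {failures} failures across {distinct} accounts")
```

Tune `max_failures` and `window` to the gateway's normal failure rate; the distinct-user threshold is what keeps a single locked-out employee from tripping the rule while still catching a slow spray that stays under per-account lockout limits.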

Access was eventually gained through a default account commonly used in data backup solutions. Following initial access, the attackers exploited the noPac and ZeroLogon vulnerabilities to gain full control over the domain controller.  
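Both privilege-escalation steps in this chain show up in the domain controller's Security log if account-management auditing is enabled. The detector below is an added example, not code from the article or from RansomHub's tooling. The events are constructed here as dictionaries carrying the field names of the real 4741, 4781 and 4742 records, and the domain controller inventory is an assumption; neither is taken from the incident described.

```python
# Added example, not code from the article or from the RansomHub tooling it
# describes. Scans Windows Security audit events for the two DC-takeover
# indicators named in the text:
#   noPac (CVE-2021-42278 / CVE-2021-42287): a computer account is renamed so
#     its sAMAccountName loses the trailing "$" and collides with a DC's name.
#   ZeroLogon (CVE-2020-1472): a DC machine-account password is reset by
#     ANONYMOUS LOGON, which is how an unauthenticated NetrServerPasswordSet2
#     call over Netlogon appears in the 4742 audit record.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed DC inventory for this example

# Constructed sample events (not a real incident log).
SAMPLE_EVENTS = [
    # low-privileged user creates a machine account (MachineAccountQuota abuse)
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "FAKEPC$"},
    # ...then strips the "$" so the name collides with DC01
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "FAKEPC$", "NewTargetUserName": "DC01"},
    # Netlogon password reset of DC02 from an unauthenticated session
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC02$", "PasswordLastSet": "3/10/2025 2:14:07 AM"},
    # routine 30-day machine-password rotation performed by the DC itself
    {"EventID": 4742, "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "PasswordLastSet": "3/10/2025 3:00:00 AM"},
    # benign rename that keeps the trailing "$"
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "OLDWS$", "NewTargetUserName": "NEWWS$"},
]


def is_machine_account(name):
    return name.endswith("$")


def find_dc_takeover_indicators(events, dcs=DOMAIN_CONTROLLERS):
    """Return (severity, technique, detail) tuples for suspicious events."""
    dc_names = {d.upper() for d in dcs}
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4781:   # "The name of an account was changed"
            old, new = e["OldTargetUserName"], e["NewTargetUserName"]
            if is_machine_account(old) and not is_machine_account(new):
                sev = "high" if new.upper() in dc_names else "medium"
                alerts.append((sev, "noPac",
                               f"{old} renamed to {new} by {e['SubjectUserName']}"))
        elif eid == 4742:  # "A computer account was changed"
            target = e["TargetUserName"]
            anon = e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            pw_reset = e.get("PasswordLastSet", "-") != "-"   # "-" means unchanged
            if anon and pw_reset and target.rstrip("$").upper() in dc_names:
                alerts.append(("critical", "ZeroLogon",
                               f"password of {target} reset by ANONYMOUS LOGON"))
    return alerts


if __name__ == "__main__":
    for sev, tech, detail in find_dc_takeover_indicators(SAMPLE_EVENTS):
        print(f"[{sev}] {tech}: {detail}")
```

Any machine-account rename that drops the trailing "$" is worth a look, which is why the rule still fires at medium severity when the new name is not a known DC. On the prevention side, the corresponding checks are that domain controllers carry the November 2021 updates (noPac) and the Netlogon enforcement-phase updates (ZeroLogon), and that ms-DS-MachineAccountQuota is set to 0 so ordinary users cannot create the machine account noPac starts from.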

Within 24 hours, they executed data encryption and exfiltration, rendering company data on various Network Attached Storage (NAS) devices unreadable and inaccessible, thereby pressuring the victim to pay the ransom.  

RansomHub's operations highlight a robust cybercrime ecosystem characterized by the sharing, reusing, and rebranding of tools and source codes, contributing to a thriving underground market where high-profile victims and substantial financial gains are central.  

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, RansomHub is a RaaS platform that emerged in early 2024. Initially suspected of connections to LockBit because of operational similarities, its code closely resembles that of the now-defunct Knight group. RansomHub offers affiliates up to 90% of ransom payments, which has attracted numerous partners. The platform enforces strict policies within its affiliate network, requiring affiliates to honor agreements made with victims during negotiations; non-compliance can result in a permanent ban.  

RansomHub has advanced its platform by incorporating sophisticated techniques and capitalizing on the decline of other major ransomware groups. The platform has attracted affiliates from these disbanded operations, leveraging their expertise to enhance its capabilities. RansomHub's code is derived from Knight ransomware, written in Golang, enabling attacks on both Windows and Linux operating systems. In February 2024, the Knight group reportedly put its code up for sale, likely facilitating RansomHub’s rapid development and operational efficiency.  

RansomHub gains initial access through several methods, including exploiting unpatched vulnerabilities in internet-facing systems such as Citrix NetScaler ADC and NetScaler Gateway and Fortinet FortiOS and FortiProxy SSL-VPN, and, once inside, exploiting ZeroLogon to seize control of domain controllers.

Additionally, they brute-force weak passwords on exposed services such as Remote Desktop Protocol (RDP) and VPN gateways. Once inside a network, RansomHub deploys tools to disable Endpoint Detection and Response (EDR) products, uses PowerShell and Windows Management Instrumentation (WMI) to execute scripts and commands, and creates or reactivates user accounts to maintain persistent access and escalate privileges.  

To expand their reach within compromised networks, RansomHub uses tools such as Nmap and Angry IP Scanner for network reconnaissance and utilities like PsExec and RDP for lateral movement. They harvest credentials with tools like Mimikatz, enabling deeper system access and broadening the attack's scope. RansomHub's encryptor uses Curve25519 for key exchange and ChaCha20 or AES for file encryption, so data cannot be recovered without the operators' private key, and it deletes volume shadow copies and backups to obstruct recovery, leaving victims at the mercy of their demands.  
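Shadow-copy and backup deletion is the one step in this chain that runs as plainly named administrative commands before encryption starts, which makes it a reliable place to intervene. The scanner below is an added example, not code from the article or from RansomHub's encryptor. It runs over process-creation records constructed for illustration (the field names follow Sysmon Event ID 1 and Security event 4688; the hosts, users and command lines are made up) and matches the recovery-inhibition commands ransomware commonly issues.

```python
# Added example, not code from the article or from RansomHub's encryptor.
# Flags process starts whose command line deletes volume shadow copies,
# shrinks shadow storage, deletes backup catalogs, or disables Windows
# boot recovery (MITRE ATT&CK T1490, Inhibit System Recovery).
import re

# (regex, label) pairs matched case-insensitively against the command line
PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "vssadmin delete shadows"),
    (r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", "vssadmin shrink shadow storage"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"\bwin32_shadowcopy\b.*\bdelete\(\)", "WMI shadow copy delete via PowerShell"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", "wbadmin backup catalog delete"),
    (r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
     "bcdedit disable recovery"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in PATTERNS]


def classify_command(command_line):
    """Return the recovery-inhibition technique label, or None if not matched."""
    for rx, label in COMPILED:
        if rx.search(command_line):
            return label
    return None


def scan_process_events(events):
    """Return (host, user, label, command) for every flagged process start."""
    hits = []
    for e in events:
        label = classify_command(e.get("CommandLine", ""))
        if label:
            hits.append((e.get("Computer"), e.get("User"), label, e["CommandLine"]))
    return hits


# Constructed sample records, not from a real incident.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"Computer": "DC01", "User": "CORP\\admin",
     "CommandLine": "vssadmin.exe list shadows"},      # benign: read-only
    {"Computer": "DC01", "User": "CORP\\admin",
     "CommandLine": "bcdedit.exe /enum"},               # benign: read-only
]


if __name__ == "__main__":
    for host, user, label, cmd in scan_process_events(SAMPLE_EVENTS):
        print(f"{host} {user}: {label} <- {cmd}")
```

Because these commands are legitimately run by backup software, alert on the combination of a match and an unexpected parent process, user or host, and treat a match on a file server or NAS head as a signal to isolate the host rather than just ticket it: in the incident above, encryption followed within 24 hours.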

Operating on a RaaS subscription model, RansomHub offers affiliates up to 90% commission, attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV. The group actively recruits former affiliates from disbanded ransomware operations and maintains a versatile, regularly updated codebase, indicating a well-funded operation with a clear focus on growth and long-term sustainability.  

Like many modern ransomware groups, RansomHub engages in double extortion, not only encrypting data but also stealing sensitive information that it threatens to leak if the ransom is not paid. Its early focus on the healthcare sector indicates strategic target selection driven by the high value and sensitivity of healthcare data.  

Since its emergence in early 2024, RansomHub has rapidly grown to become one of the most active ransomware groups. Attack volume in Q4 2024 positioned RansomHub as the most prolific among currently tracked RaaS groups. The group has made substantial ransom demands, evidenced by the $22 million demanded from Change Healthcare, indicating their focus on targeting large organizations with the capacity to pay significant ransoms.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
