RansomHub ransomware’s origins uncovered

Emergent RansomHub ransomware — which was leveraged in attacks against Change Healthcare, Frontier Communications, and Christie's auction house — was discovered by Symantec researchers to be an evolved iteration of the Knight ransomware, also known as Cyclops 2.0, reports The Hacker News.

According to the Symantec report, the only differences between RansomHub and Knight were a new "sleep" option in the command-line help menu and a different set of commands executed via cmd.exe; both are written in Go and share the same obfuscation approach, the same ransom notes, and the same restart into safe mode before encryption begins.

The findings also showed that both Notchy and Scattered Spider, which were previously affiliated with the ALPHV/BlackCat ransomware operation, have entered a partnership with RansomHub, echoing a recent report from Mandiant.

"The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground," said researchers.
