Forescout details RansomHub group emerges as latest cyber threat post-Change Healthcare attack

Researchers at Forescout's Vedere Labs revealed that a new, prominent threat actor named 'RansomHub' has surfaced in the aftermath of the Change Healthcare cyber attack and ransomware incident. The group, a newcomer to the threat landscape, has been claiming further victims since the February ransomware and data breach attack.

“ALPHV’s cyber attack on Change Healthcare is one of the most impactful in history. Change Healthcare is one of the largest health payment processing companies in the world – and is a subsidiary of United Healthcare. As a clearing house for 15 billion medical claims a year, it makes up nearly 40% of all claims,” Forescout’s Vedere Labs said in a blog post. “The attack has had severe implications for the affected organization and its customers. It has also put a new spotlight on the ransomware scene.”

The researchers also pointed out that RansomHub is recruiting former ALPHV affiliates after that group's 'exit scam'.

“On February 12, ALPHV ransomware affiliate ‘Notchy’ compromised Change Healthcare, a large payment management company connecting more than 1.6 million health professionals, 70,000 pharmacies, and 8,000 healthcare facilities in the US healthcare system,” according to Vedere Labs. “The attackers leveraged compromised credentials on Citrix remote-access software that did not have multi-factor authentication enabled.” 

After lateral movement and data exfiltration, the attackers deployed the ransomware nine days later. The attack had a reported financial impact of $872 million and involved the exfiltration of 6 TB of sensitive data. Restoring systems has taken months, and the company has testified before Congress at least twice.

Vedere Labs also said that Change Healthcare paid ALPHV a $22 million ransom, which ALPHV then apparently did not share with Notchy. "Notchy and several other former ALPHV affiliates then moved over to a new ransomware operation: RansomHub — which has been growing very quickly ever since. RansomHub started leaking Change Healthcare files on April 15 and extorted the company a second time — claiming that the original payment did not go to the right people," the post added.

RansomHub was announced as a new ransomware-as-a-service (RaaS) affiliate program on the well-known RAMP cybercriminal forum on February 2 by 'koley.' The forum message (reproduced as a figure in Forescout's post) described the 'locker,' the encrypting malware developed by the group and leased to affiliates; the 'panel' used by affiliates to manage negotiations with victims; the 'ticket' conditions for joining the program; and the 'rules' that affiliates must follow while in it.

Vedere Labs identified RansomHub as a modern ransomware written in Golang and C++. "It supports Windows, Linux, ESXi, and devices running on MIPS architectures. An interesting characteristic is that the program pays the affiliates first, who then pay RansomHub itself – a very different model from ALPHV and probably what attracted many disgruntled affiliates from other programs."

The researchers also said that the group claimed its first victim on February 10: YKP LTDA, a financial consulting company in Brazil. "They claimed 27 other victims between February 10 and April 8 when they first added Change Healthcare to their list. There have been in total 45 victims between February and April 30. A majority of victims, 13, were in the US, followed by six victims in Brazil and three victims each in the UK, Italy, and Spain," they added.

Vedere Labs detailed how quickly the group has scaled: four victims claimed in February, 18 in March, and 23 in April. "RansomHub was the fifth most active ransomware group in April but had a similar number of incidents as LockBit, 8base, Play, and Hunters – who are the most active groups in the month. If they keep growing at this pace, they are set to soon become the most active ransomware group," the post added.

Forescout researchers point out that the timing of ALPHV's disappearance and RansomHub's appearance, with its new affiliate-first payment model, is very close. "This leads many researchers to suspect that RansomHub could be just a rebrand of ALPHV and all the 'Notchy'/Change Healthcare drama could be staged," they added.

“This would not be the first rebrand of a major ransomware group after a massive attack,” according to Forescout. “ALPHV itself appeared in November 2021 as a rebrand of DarkSide — the group responsible for the Colonial Pipeline hack – and BlackMatter.”

“In the incident we observed, the actors used variations of the same tools (STONESTOP and POORTRY) known to be used by SCATTERED SPIDER to deploy ALPHV in the past,” according to Forescout. “However, the technical analysis of the RansomHub encryptor shows that it is significantly different to the ALPHV encryptor used until very recently. Although it bears many similarities, such as modes of operation, strings in config files, and ransom notes, these similarities are now common to several ransomware families.”

Based on this single incident, Forescout assesses that it is difficult to conclude whether RansomHub is a rebrand of ALPHV or a 'spiritual successor' that has absorbed many of the former group's affiliates. Regardless of the specific tools used in an attack or the affiliate behind it, the good news for defenders is that most ransomware incidents boil down to the same TTPs.

The researchers note that basic cyber hygiene measures remain effective against these ransomware TTPs: identifying and patching vulnerable devices on the network; segmenting the network so that an infection cannot spread; and monitoring network traffic for signs of intrusion, lateral movement, or payload execution. Given that the Change Healthcare intrusion began with compromised credentials on remote-access software that lacked multi-factor authentication, enforcing MFA on every remote-access path belongs on that list as well.
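The hygiene advice above is generic, so as an added example (not code from Forescout's post or from this article) here is a small Python detector for two of the TTPs in the Change Healthcare narrative: a successful remote-access login with no MFA factor recorded, and a single account authenticating to many internal hosts within a few minutes, a simple lateral-movement heuristic. The key=value log format, field names, usernames, hostnames and IP addresses are constructed for this example and are not Citrix or Windows event formats; the ten-minute window and four-host threshold are assumptions to tune for your environment.

```python
"""Two detections for ransomware-precursor TTPs described in the article:
(1) successful remote-access logins with no MFA factor recorded, and
(2) one account authenticating to many internal hosts in a short window.
Log format, names and addresses are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed remote-access authentication log (assumed key=value format).
REMOTE_ACCESS_LOG = """\
2024-02-12T03:14:07Z event=remote_login user=jdoe src=203.0.113.10 result=success mfa=true
2024-02-12T03:21:55Z event=remote_login user=svc_backup src=198.51.100.7 result=success mfa=false
2024-02-12T03:22:30Z event=remote_login user=asmith src=198.51.100.9 result=failure mfa=false
2024-02-12T03:40:01Z event=remote_login user=svc_backup src=198.51.100.7 result=success mfa=false
"""

# Constructed internal logon log: svc_backup fans out to five hosts in 30 s,
# jdoe touches two hosts hours apart (normal use).
INTERNAL_AUTH_LOG = """\
2024-02-12T04:00:01Z event=logon user=svc_backup host=FS01 type=network
2024-02-12T04:00:09Z event=logon user=svc_backup host=FS02 type=network
2024-02-12T04:00:15Z event=logon user=svc_backup host=DC01 type=network
2024-02-12T04:00:22Z event=logon user=svc_backup host=APP03 type=network
2024-02-12T04:00:30Z event=logon user=svc_backup host=SQL01 type=network
2024-02-12T04:05:00Z event=logon user=jdoe host=FS01 type=network
2024-02-12T09:30:00Z event=logon user=jdoe host=FS02 type=network
"""


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def logins_without_mfa(events):
    """Return (user, src, ts) for every successful remote login lacking MFA.
    Anything other than an explicit mfa=true is treated as no MFA."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e.get("event") == "remote_login"
            and e.get("result") == "success"
            and e.get("mfa") != "true"]


def lateral_movement_candidates(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: set_of_hosts} for accounts that authenticate to at least
    min_hosts distinct hosts inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "logon":
            by_user[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological; each logon starts a candidate window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
                break
    return flagged


def run_detections():
    """Run both detections over the constructed logs and return the findings."""
    no_mfa = logins_without_mfa(parse_log(REMOTE_ACCESS_LOG))
    lateral = lateral_movement_candidates(parse_log(INTERNAL_AUTH_LOG))
    return no_mfa, lateral


if __name__ == "__main__":
    no_mfa, lateral = run_detections()
    for user, src, ts in no_mfa:
        print(f"ALERT no-MFA remote login: {user} from {src} at {ts:%H:%M:%S}")
    for user, hosts in lateral.items():
        print(f"ALERT possible lateral movement: {user} -> {sorted(hosts)}")
```

On the constructed input the first detection flags both svc_backup logins (a service account authenticating through a remote-access gateway without MFA is exactly the pattern to alert on), and the second flags svc_backup reaching five hosts in 30 seconds while leaving jdoe alone. In production the same logic would read gateway and domain-controller logon events rather than an embedded string, and the window and host threshold should be calibrated against a baseline of normal administrative activity to keep false positives from backup and monitoring accounts manageable.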

Last week, Vedere Labs researchers reported on roughly 90,000 vulnerabilities that fall outside standard vulnerability guidance, blind spots that adversaries could exploit. These vulnerabilities are not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and the research highlighted inconsistencies in vulnerability scoring across databases, which typically rely on CVSS scores within the CVE ecosystem. The research, titled 'Exposing the Exploited,' identified 28 exploited vulnerabilities affecting thousands of devices that CISA does not track, and found that 83 percent of exploited vulnerabilities carried high or critical CVSS scores.