Knight ransomware is linked to RansomHub extortion gang

Security researchers have discovered that the emergent RansomHub ransomware, which steals victims' data and sells it to the highest bidder, is likely an evolution of the Knight ransomware.

Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics: it both encrypted victims' data and stole it for use as leverage. RansomHub gained notoriety by leaking data from Change Healthcare and threatening to publish more of it.

Knight, known for targeting multiple operating systems and providing affiliates with info-stealer tools, went dormant in early 2024.

The similarities in coding and operational techniques between Knight and RansomHub indicate a shared lineage, suggesting RansomHub may have purchased and repurposed Knight’s source code.

Knight ransomware, which operated across various platforms including Windows, Linux, macOS, ESXi, and Android, leveraged phishing and spear-phishing campaigns for distribution.

In February 2024, the source code for version 3.0 of Knight ransomware was put up for sale on hacker forums, the victim extortion portal went offline, and the ransomware-as-a-service (RaaS) operation went silent.

The overlaps between Knight and RansomHub also extend to the obfuscation technique used to encode strings, the ransom notes dropped after encrypting files, and their ability to restart a host in safe mode before starting encryption.

One of the main differences between the two ransomware families is the set of commands run through cmd.exe. Because these commands can be set when the payload is built or in its configuration, this difference on its own says little about whether the two share authors.

Since it emerged, RansomHub has grown to become one of the most prolific RaaS operations, which Symantec attributes to the gang attracting former affiliates of the ALPHV operation, such as Notchy and Scattered Spider.

According to statistics shared by Malwarebytes, the ransomware family has been linked to 26 confirmed attacks in April 2024 alone, putting it behind only Play, Hunters International, Black Basta, and LockBit.

The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.

The development comes amid an increase in ransomware activity in 2023 compared to a “slight dip” in 2022, even as approximately one-third of the 50 new families observed in the year have been found to be variants of previously identified ransomware families.

The attackers used several dual-use tools before deploying the ransomware. Atera and Splashtop were used to facilitate remote access, while NetScan was likely used to discover and retrieve information about network devices.

RansomHub has a short history and has operated mainly as a data-theft and extortion group that sells stolen files to the highest bidder.

A distinctive feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption. This technique was previously employed by Snatch ransomware in 2019 and allows encryption to proceed unhindered by security software and other services that are not loaded in safe mode.
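The safe-mode reboot is worth instrumenting for, since it is the step that switches off most endpoint defenses before any file is touched. The following is an added example written for this article, not code from Symantec or from the Knight or RansomHub families, and the article does not say how either family performs the reboot; the example covers the common route on Windows (bcdedit sets the safeboot option, something is registered to survive into safe mode, then the host restarts). It runs simple detection logic over constructed Sysmon-style process-creation events: it flags the bcdedit safeboot configuration and its later cleanup, registry persistence that Windows honours in safe mode (a Run/RunOnce value whose name starts with `*`, or a service placed under the SafeBoot\Minimal or SafeBoot\Network keys), correlates a reboot on the same host into one high-confidence finding, and also flags the dual-use tools named earlier (Atera, Splashtop, NetScan) by executable name. The event format, field names, hostnames, paths and command lines are all assumptions; a plain reboot on a host with no safeboot preparation is deliberately not reported.

```python
import json
import re

# Constructed Sysmon-style process-creation events, one JSON object per line.
# Illustrative samples only, not telemetry from any real intrusion.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T09:40:02Z","host":"WS-17","image":"C:\\Tools\\netscan.exe","cmdline":"netscan.exe /range:10.0.0.1-10.0.0.254"}
{"ts":"2024-05-01T09:55:17Z","host":"WS-17","image":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","cmdline":"AteraAgent.exe"}
{"ts":"2024-05-01T10:01:48Z","host":"WS-17","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /enum"}
{"ts":"2024-05-01T10:02:11Z","host":"WS-17","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /set {default} safeboot network"}
{"ts":"2024-05-01T10:02:13Z","host":"WS-17","image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v *kn /t REG_SZ /d C:\\Users\\Public\\k.exe /f"}
{"ts":"2024-05-01T10:02:20Z","host":"WS-17","image":"C:\\Windows\\System32\\shutdown.exe","cmdline":"shutdown /r /f /t 0"}
{"ts":"2024-05-01T10:31:05Z","host":"WS-17","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /deletevalue {default} safeboot"}
{"ts":"2024-05-01T22:00:00Z","host":"SRV-02","image":"C:\\Windows\\System32\\shutdown.exe","cmdline":"shutdown /r /t 60 /c PatchReboot"}
"""

# bcdedit enabling safe mode (minimal or with networking) for the default boot entry.
SAFEBOOT_SET = re.compile(r"\bsafeboot\s+(minimal|network)\b", re.I)
# bcdedit removing the safeboot option again, typically after encryption has finished.
SAFEBOOT_UNSET = re.compile(r"/deletevalue\b.*\bsafeboot\b", re.I)
# A service or driver registered to load in safe mode.
SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)
# A Run/RunOnce value whose name starts with '*' is executed by Windows even in safe mode.
STAR_RUN = re.compile(r"\\CurrentVersion\\Run(Once)?\b.*\s/v\s+\*", re.I)
# shutdown.exe asked to restart rather than power off.
REBOOT = re.compile(r"(^|\s)[/-]r\b", re.I)
# Simplified name markers for the dual-use tools mentioned in the article (assumption: matched on image name only).
DUAL_USE_MARKERS = ("atera", "splashtop", "netscan")


def classify(event):
    """Return a tag for a single event, or None if it is uninteresting."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image == "bcdedit.exe":
        if SAFEBOOT_SET.search(cmd):
            return "safeboot_set"
        if SAFEBOOT_UNSET.search(cmd):
            return "safeboot_unset"
        return None  # e.g. 'bcdedit /enum' is benign
    if image == "reg.exe" and (SAFEBOOT_KEY.search(cmd) or STAR_RUN.search(cmd)):
        return "safeboot_persist"
    if image == "shutdown.exe" and REBOOT.search(cmd):
        return "reboot"
    if any(marker in image for marker in DUAL_USE_MARKERS):
        return "dual_use_tool"
    return None


def detect(lines):
    """Run the rules over JSON event lines and return a list of findings.

    Safe-mode preparation steps are tracked per host; a reboot on a prepared
    host is promoted to a single SAFE_MODE_REBOOT_CHAIN finding, while a
    reboot on an unprepared host is ignored to keep patch reboots quiet.
    """
    findings = []
    armed = {}  # host -> ordered list of safe-mode preparation steps seen
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        tag = classify(ev)
        if tag is None:
            continue
        host = ev["host"]
        if tag == "safeboot_set":
            armed[host] = [tag]
        elif tag == "safeboot_persist" and host in armed:
            armed[host].append(tag)
        elif tag == "reboot":
            if host in armed:
                steps = armed.pop(host) + [tag]
                findings.append({"rule": "SAFE_MODE_REBOOT_CHAIN", "host": host,
                                 "ts": ev["ts"], "detail": " -> ".join(steps)})
            continue
        findings.append({"rule": tag.upper(), "host": host,
                         "ts": ev["ts"], "detail": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{finding['ts']} {finding['host']:<7} {finding['rule']:<24} {finding['detail']}")
```

On the sample feed this yields six findings, all on WS-17: the two dual-use tools, the safeboot configuration, the `*`-prefixed RunOnce entry, the correlated safe-mode reboot chain, and the later removal of the safeboot option; the scheduled patch reboot on SRV-02 produces nothing. In a real deployment the same logic would sit on Sysmon Event ID 1 or EDR process telemetry, and the safeboot configuration alone should already page someone, since there is very little legitimate reason for it to be set on a workstation outside of hands-on troubleshooting.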

A report published this week by Mandiant revealed that RansomHub is attempting to recruit affiliates that have been impacted by recent shutdowns of other operations.

Healthcare organizations are a frequent target at present; some weeks ago, information belonging to eight drug companies was stolen in the Cencora data breach.

The rebranding of Knight ransomware to RansomHub signifies a relentless pursuit of financial gain by cybercriminals through sophisticated and evolving tactics. As ransomware attacks become more frequent and complex, organizations must bolster their cybersecurity measures to defend against these pervasive threats.