ZeroLogon Vuln Targeted by RansomHub Actors in Recent Ransomware Attack


In the latest series of attacks by the rapidly expanding RansomHub ransomware, cybercriminals have taken advantage of the critical ZeroLogon vulnerability in the Windows Netlogon Remote Protocol (CVE-2020-1472), first identified in 2020, to gain initial access to victims’ systems.

According to a report by Symantec Broadcom this week, before deploying the ransomware, these attackers employed several dual-purpose tools. These include remote access software from companies like Atera and Splashtop, as well as network scanning utilities such as NetScan, among others.

“Atera and Splashtop were utilized to enable remote access, while NetScan was likely employed to discover and gather information about network devices,” Symantec explained. “The RansomHub malware then used the iisreset.exe and iisrstas.exe command-line tools to halt all Internet Information Services (IIS) operations.”

According to Adam Neel, a senior threat detection engineer at Critical Start, the ZeroLogon vulnerability allows attackers to escalate privileges by creating a compromised Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol. “It’s crucial for organizations to ensure this vulnerability is patched and mitigated to defend against RansomHub attacks,” Neel emphasized.
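The indicators named above (an abused Netlogon secure channel on a domain controller, the Atera, Splashtop and NetScan tooling, and IIS being halted with iisreset.exe or iisrstas.exe) translate directly into host-log detections. The following Python triage is an added example, not code from Symantec, Critical Start or this article; the event records are constructed sample data, and it assumes Windows Security event 4742 (computer account changed), the Netlogon events 5827/5828/5829 introduced with Microsoft's CVE-2020-1472 guidance, and Sysmon-style process-creation records are available in the collected telemetry.

```python
"""Triage of constructed Windows event records for the RansomHub/ZeroLogon
indicators described in the article. All records are constructed sample data."""
import ntpath

# Constructed sample events: Security-log, System-log and Sysmon-style records.
SAMPLE_EVENTS = [
    # Event 4742: the DC's own machine-account password reset by ANONYMOUS LOGON
    # is a well-documented artefact of ZeroLogon exploitation.
    {"ts": "2024-06-03T09:14:02", "channel": "Security", "event_id": 4742,
     "host": "DC01", "subject_user": "ANONYMOUS LOGON", "target_user": "DC01$",
     "password_last_set_changed": True},
    # Event 5829: a vulnerable Netlogon secure channel connection was ALLOWED,
    # i.e. the DC is not running in enforcement mode.
    {"ts": "2024-06-03T09:14:01", "channel": "System", "event_id": 5829,
     "host": "DC01", "client": "DC01", "src_ip": "10.0.5.23"},
    # Process-creation records: a remote-access agent, then IIS being stopped.
    {"ts": "2024-06-03T10:02:10", "channel": "Sysmon", "event_id": 1,
     "host": "WEB01",
     "image": r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe",
     "cmdline": "AteraAgent.exe"},
    {"ts": "2024-06-03T10:05:44", "channel": "Sysmon", "event_id": 1,
     "host": "WEB01", "image": r"C:\Windows\System32\iisreset.exe",
     "cmdline": "iisreset.exe /stop"},
    {"ts": "2024-06-03T10:06:00", "channel": "Sysmon", "event_id": 1,
     "host": "WEB01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Executable-name fragments for the dual-use tools named in the article.
DUAL_USE_TOOLS = ("ateraagent", "splashtop", "netscan")
# Command-line tools the article says RansomHub used to halt IIS.
IIS_STOP_TOOLS = ("iisreset.exe", "iisrstas.exe")


def zerologon_indicators(events):
    """Findings tied to Netlogon secure-channel abuse on a domain controller."""
    findings = []
    for e in events:
        if (e["event_id"] == 4742
                and e.get("subject_user", "").upper() == "ANONYMOUS LOGON"
                and e.get("target_user", "").endswith("$")
                and e.get("password_last_set_changed")):
            findings.append(("zerologon_account_reset", e["host"], e["target_user"]))
        elif e["event_id"] in (5827, 5828):
            # Enforcement mode is active and blocked a vulnerable connection.
            findings.append(("vulnerable_netlogon_denied", e["host"], e.get("client")))
        elif e["event_id"] == 5829:
            # Vulnerable connection allowed: the DC still needs enforcement mode.
            findings.append(("vulnerable_netlogon_allowed", e["host"], e.get("client")))
    return findings


def tooling_indicators(events):
    """Findings for dual-use remote-access tools and IIS being halted."""
    findings = []
    for e in events:
        if e["event_id"] != 1 or "image" not in e:
            continue
        name = ntpath.basename(e["image"]).lower()
        if any(tool in name for tool in DUAL_USE_TOOLS):
            findings.append(("dual_use_remote_tool", e["host"], name))
        elif name in IIS_STOP_TOOLS:
            findings.append(("iis_halted", e["host"], e["cmdline"]))
    return findings


def triage(events):
    """Combine both detectors into one ordered list of findings."""
    return zerologon_indicators(events) + tooling_indicators(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A 4742 event with an ANONYMOUS LOGON subject on a domain controller's own account is the highest-confidence signal here; the 5829 record is the one to act on before any exploitation, since it shows the DC is still accepting vulnerable connections and the Netlogon patch has not been moved into enforcement mode. The tool-name matches are lower fidelity on their own (Atera and Splashtop are legitimate products) and are best correlated with the other findings or with an unexpected installer on a server that has no business running them.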

A Tactical Opportunist

RansomHub, a ransomware-as-a-service (RaaS) operation, has rapidly become a significant malware threat since its emergence in February. According to Symantec, it is currently the fourth most active ransomware by number of reported victims, trailing behind Lockbit (which was recently dismantled), Play, and Qilin.

BlackFog, one of several security vendors monitoring RansomHub, has identified over 60 organizations targeted by this ransomware group within its brief period of activity. While many of these victims are small to mid-sized companies, a few high-profile names stand out, such as Christie’s Auction House and Change Healthcare, a subsidiary of UnitedHealth Group.

Dick O’Brien, principal intelligence analyst with Symantec’s threat hunter team, noted that RansomHub has publicly claimed responsibility for 61 attacks in the last three months. This number is dwarfed by Lockbit’s 489 victims, but is significant compared to the Play group’s 101 and Qilin’s 92.

RansomHub has emerged as a prominent player among the new wave of ransomware-as-a-service (RaaS) operators following recent law enforcement actions against major ransomware groups like Lockbit and ALPHV/BlackCat. The group is attempting to leverage the confusion and distrust resulting from these takedowns to recruit new affiliates. Uniquely, RansomHub offers affiliates the ability to collect ransom payments directly from victims and then remit a 10% fee to RansomHub. This approach contrasts with the traditional RaaS model, where the operator handles the ransom collection and subsequently distributes a portion to the affiliates.

Significant Code Overlaps with Knight Ransomware

Symantec reports significant code similarities between RansomHub and an older ransomware variant named Knight, which is now obsolete. These overlaps are so extensive that distinguishing between the two threats becomes challenging. Both malware strains are coded in the Go programming language and utilize the same obfuscator, Gobfuscate. They feature nearly identical help menus, encode crucial code strings in identical fashion, decode them at runtime, possess the capability to initiate a target endpoint restart in safe mode before encryption, and exhibit the same command execution flow. Even the ransom notes associated with Knight and RansomHub closely resemble each other, with numerous phrases directly borrowed from Knight verbatim, according to Symantec.

“However, despite their shared origins, Symantec suggests it’s improbable that the creators of Knight are now behind RansomHub. Instead, the operators of RansomHub reportedly acquired the Knight source code when its creators offered it for sale earlier this year and are now reusing it,” the security vendor stated. “One notable difference between the two ransomware families lies in the commands executed through cmd.exe,” Symantec added. “These commands may be set during payload construction or configuration.”

Symantec’s revelation regarding RansomHub’s basis in Knight code is unlikely to significantly impact victims or other targets of the group. Nonetheless, it provides an additional layer of insight into the group and its tactics, techniques, and procedures (TTPs).

“The group’s rapid expansion suggests it is poised to become one of the most active ransomware groups in 2024,” Neel comments. “Furthermore, their recent success and growing reputation have enabled them to attract former members of the Blackcat/ALPHV ransomware group. This enables them to leverage the expertise and tools previously utilized by this group, further enhancing their capabilities,” he observes.
