Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
CISA, the FBI, MS-ISAC, and the Department of Health and Human Services (HHS) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).
Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims across various critical infrastructure sectors, including water and wastewater systems. Affiliates use a double-extortion strategy, encrypting systems and stealing data to pressure victims into paying. The data exfiltration methods vary depending on the affiliate responsible for the network breach. The ransom note generated during encryption typically lacks an initial demand for payment or instructions; instead, it includes a client ID and directs victims to contact the ransomware group via a specific .onion URL accessible through the Tor browser.
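The ransom note characteristics described above (no stated demand, a client ID, and a Tor .onion contact address) are a useful triage signal for responders sweeping a host after an incident. The following Python scanner is an added example written for this page, not code from the advisory or from CISA: it walks a directory for small text files whose body both mentions a client ID and contains a Tor v2/v3-style .onion hostname. The note layout, the phrase "client id", and the sample note embedded below are assumptions and constructed test data; the onion address in the sample is a placeholder, not a real indicator.

```python
"""Triage scanner for ransom notes that pair a client ID with a Tor .onion contact."""
import re
import tempfile
from pathlib import Path

# Tor onion hostnames: v3 is 56 base32 chars + ".onion"; v2 (legacy) is 16 base32 chars.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)
# Assumption: the note refers to the victim identifier as a "client ID" (wording may vary).
CLIENT_ID_RE = re.compile(r"client\s*id", re.IGNORECASE)

# Constructed sample note for demonstration; the address is a placeholder, not a real IOC.
SAMPLE_NOTE = (
    "Your network has been encrypted.\n"
    "Client ID: EXAMPLE-PLACEHOLDER-0001\n"
    "Contact us via Tor browser: http://" + "a" * 56 + ".onion/\n"
)


def scan_text(text):
    """Return the .onion hostnames found and whether the text mentions a client ID."""
    onions = sorted({m.group(0).lower() for m in ONION_RE.finditer(text)})
    return {"onion_urls": onions, "mentions_client_id": bool(CLIENT_ID_RE.search(text))}


def is_suspect_note(text):
    """True when the body carries both signals the advisory describes."""
    findings = scan_text(text)
    return bool(findings["onion_urls"]) and findings["mentions_client_id"]


def scan_directory(root, max_bytes=64 * 1024):
    """Walk `root` for small .txt files that look like ransom notes.

    Returns a list of (path, onion_hostnames) tuples. Files larger than
    `max_bytes` are skipped because ransom notes are short; unreadable files
    are skipped rather than aborting the sweep.
    """
    hits = []
    for path in Path(root).rglob("*.txt"):
        try:
            if path.stat().st_size > max_bytes:
                continue
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if is_suspect_note(text):
            hits.append((str(path), scan_text(text)["onion_urls"]))
    return hits


def demo():
    """Write the constructed sample into a temp dir and scan it; returns the hit count."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "README_TO_RESTORE.txt").write_text(SAMPLE_NOTE)
        (Path(tmp) / "notes.txt").write_text("meeting agenda, nothing unusual")
        hits = scan_directory(tmp)
        for path, onions in hits:
            print(f"suspect note: {path} -> {', '.join(onions)}")
        return len(hits)


if __name__ == "__main__":
    demo()
```

In a real sweep, run the scanner against user profile and share roots and feed matching paths into the incident timeline; the .onion hostname itself is the artifact worth preserving for reporting, since it ties the note to the affiliate's contact channel.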
Network defenders are encouraged to implement the recommendations in the Mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents. Access the full joint CSA at CISA.