The FBI and several other federal agencies issued a joint advisory on a ransomware service and website that has targeted 210 organizations in recent months.
The group uses what the agencies called a “double-extortion model by encrypting systems and exfiltrating data” to extract a ransom payment from their victims, the bulletin said.
Instead of sending victims a note with a ransom demand or payment instructions, RansomHub asks victims to contact it via a unique dark web URL, according to the bulletin.
The victims are then told to pay the ransom between three and 90 days after the cyberattack. If they do not comply, the data is then published on the RansomHub leak website that is accessible via Tor, according to the agencies.
The FBI advised all organizations to take the RansomHub attack threat very seriously. The agencies said that network administrators should adopt their “recommended mitigations” by installing updates for operating systems, firmware, and software as soon as possible. They should also train staff to recognize and report phishing attempts, and they should mandate phishing-resistant multi-factor authentication, the bulletin added.
“RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—which has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV,” the agencies said.
According to an Epoch Times review of RansomHub’s dark web site, the group is claiming responsibility for breaching the systems of Frontier Communications, Rite Aid, the Florida Department of Health, Spandex, Christie’s auction house, the Rainier Arms gun company, the not-for-profit Patelco Credit Union, a groundwater distribution company called Headwater Companies, the website for Bedford City School District in Ohio, and others.
Outside the United States, the group also targeted Saudi Arabia’s general secretariat of the military service council, a Polish police department’s website, and Coca-Cola’s Myanmar division, among many others.
On the site, different organizations’ URLs are listed with a ticking countdown timer, showing when the data will get published—unless the victims pay up. The websites that apparently fail to comply will be listed with the word “PUBLISHED” under them.
“Our team members are from different countries and we are not interested in anything else, we are only interested in dollars,” the group says, adding that it doesn’t target Cuba, North Korea, and China in attacks, without explaining why.
“As part of this process, the containment measures, which included shutting down certain of the company’s systems, resulted in an operational disruption that could be considered material,” Frontier said in its filing.
“The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement. The Company’s ongoing investigation and response include restoration of its systems and assessment of materiality,” Halliburton said.