What is RansomHub? Looks like a Knight ransomware reboot

Malware code potentially sold off, tweaked, back at it infecting victims

RansomHub, a newish cyber-crime operation that has claimed to be behind the theft of data from Christie's auction house and others, is "very likely" some kind of rebrand of the Knight ransomware gang, according to threat hunters.

Emerging in February, RansomHub has been extremely active: It's bragged about stealing and then somewhat ironically auctioning off Christie's customer data, along with internal info swiped from US broadband telco Frontier Communications – and even Change Healthcare after an ALPHV affiliate had already made off with $22 million from successfully extorting the medical conglomerate with ransomware.

During the past three months, RansomHub has been the fourth most prolific ransomware crew in terms of numbers of claimed attacks, according to Symantec at least. For the record: LockBit remained No. 1 in Symantec's rankings, with a claimed 489 ransomware infections, followed by Play (101), Qilin (92), and RansomHub (61).

Symantec investigated some of RansomHub's recent attacks, and its intel team reports that the criminals frequently gained access into victims by abusing the ZeroLogon elevation-of-privilege vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol. That bug, patched in August 2020, lets an attacker with network access to a domain controller authenticate with an all-zero client credential and reset the DC's machine account password, handing over the domain; successful use years later means the victims had not applied the patch or had left the secure-channel enforcement disabled.

Once they have broken into an IT environment, the scumbags deploy a handful of legitimate tools including Atera and Splashtop for remote access, and NetScan to collect info about network devices.
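The two stages described above (Netlogon abuse on a domain controller, then legitimate remote-access and scanning tools appearing on hosts where they do not belong) leave traces in ordinary Windows event logs. The following is an added example of detection logic, not Symantec's or The Register's code. It runs over constructed key=value log lines modelled on Windows Security/System events; the line schema, the set of domain controller accounts, the hosts where an RMM agent is expected, and the burst threshold are all assumptions for the example. Indicators used: Netlogon events 5827/5828 (vulnerable connection denied) and 5829 (vulnerable connection allowed), bursts of 5805 session-setup failures, a 4742 computer-account change on a DC account performed by ANONYMOUS LOGON, and 4688 process creations for Atera, Splashtop or NetScan images.

```python
import re
from collections import Counter

# Assumptions for this example: which accounts are domain controllers, and
# on which hosts an RMM agent is legitimately expected.
DC_ACCOUNTS = {"DC01$"}
RMM_ALLOWED_HOSTS = {"HELPDESK01"}

# Lower-cased image-name fragments for the tools named in the article.
TOOL_PATTERNS = {"ateraagent": "Atera", "splashtop": "Splashtop", "netscan": "NetScan"}

# 5827/5828: vulnerable Netlogon secure channel denied; 5829: allowed
# (should not appear at all once enforcement mode is on, so it is high-signal).
NETLOGON_VULN_EVENTS = {"5827", "5828", "5829"}
# ZeroLogon exploitation brute-forces the zero-IV handshake, so the DC logs a
# run of 5805 failures from one computer. Threshold is deliberately low here;
# tune against your own baseline.
FAILED_SETUP_THRESHOLD = 3

# Constructed sample events (not real logs). Quoted values may contain spaces.
SAMPLE_LOGS = [
    r'ts=2024-05-02T03:13:58Z host=DC01 channel=System EventID=5805 Computer="WORKSTATION77$"',
    r'ts=2024-05-02T03:13:59Z host=DC01 channel=System EventID=5805 Computer="WORKSTATION77$"',
    r'ts=2024-05-02T03:14:00Z host=DC01 channel=System EventID=5805 Computer="WORKSTATION77$"',
    r'ts=2024-05-02T03:14:02Z host=DC01 channel=System EventID=5829 Computer="DC01$"',
    r'ts=2024-05-02T03:14:03Z host=DC01 channel=Security EventID=4742 SubjectUserName="ANONYMOUS LOGON" TargetUserName="DC01$"',
    r'ts=2024-05-02T03:20:10Z host=FS02 channel=Security EventID=4688 NewProcessName="C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe" SubjectUserName="svc_backup"',
    r'ts=2024-05-02T03:25:44Z host=FS02 channel=Security EventID=4688 NewProcessName="C:\Temp\netscan.exe" SubjectUserName="svc_backup"',
    r'ts=2024-05-02T08:00:00Z host=HELPDESK01 channel=Security EventID=4688 NewProcessName="C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe" SubjectUserName="SYSTEM"',
    r'ts=2024-05-02T09:00:00Z host=WS14 channel=Security EventID=4688 NewProcessName="C:\Windows\System32\notepad.exe" SubjectUserName="alice"',
    r'ts=2024-05-02T09:01:00Z host=DC01 channel=Security EventID=4742 SubjectUserName="admin_jdoe" TargetUserName="PRINTER01$"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines):
    """Return (rule, host, detail) findings for the indicators listed above."""
    findings = []
    failed_setups = Counter()
    for ev in (parse_event(l) for l in lines):
        eid, host = ev.get("EventID"), ev.get("host")
        if eid in NETLOGON_VULN_EVENTS:
            findings.append(("netlogon_vulnerable_channel", host, ev.get("Computer", "?")))
        elif eid == "5805":
            failed_setups[(host, ev.get("Computer", "?"))] += 1
        elif eid == "4742":
            # A DC machine-account change by ANONYMOUS LOGON is the classic
            # post-exploitation artefact of a ZeroLogon password reset.
            if (ev.get("TargetUserName") in DC_ACCOUNTS
                    and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"):
                findings.append(("dc_account_password_reset_by_anonymous", host, ev["TargetUserName"]))
        elif eid == "4688":
            image = ev.get("NewProcessName", "").lower()
            for fragment, name in TOOL_PATTERNS.items():
                if fragment in image and host not in RMM_ALLOWED_HOSTS:
                    findings.append(("unexpected_remote_tool", host, name))
    for (host, computer), n in failed_setups.items():
        if n >= FAILED_SETUP_THRESHOLD:
            findings.append(("netlogon_auth_failure_burst", host, f"{computer} x{n}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

The RMM rule is the weakest of the four on its own: Atera and Splashtop are genuinely common in IT shops, so it is the combination (a Netlogon indicator on a DC shortly followed by an RMM agent appearing on a file server it was never installed on) that should raise the alert, and the allowlist of hosts is what keeps it from firing on the helpdesk every morning.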

Finally, the miscreants deploy a ransomware payload, which exfiltrates and encrypts infected Windows PCs' files. Failure to pay the demand will be followed by the stolen data being leaked or sold off. RansomHub even pressures victims by suggesting their business rivals may buy their internal documents if the ransom isn't paid.

The Broadcom-owned security shop analyzed the gang's malware, and found a high degree of code overlap between RansomHub and Knight, which itself is believed to be a rebrand of the original Cyclops ransomware. 

Both are written in Go, and most variants are passed through Gobfuscate to obfuscate the binaries and hinder analysis. RansomHub and Knight's code is so similar that, "in many cases, a determination could only be confirmed by checking the embedded link to the data leak site," the Symantec team noted.

Plus, both have virtually the same help menus available on the command line, with the only difference being a sleep command in RansomHub. 

The ransom notes even share some of the same phrases, "suggesting that the developers simply edited and updated the original [Knight] note," Symantec opined.

After Knight shut down their operations and leak site, it appears the operators sold off the code. The Symantec team say it's "unlikely" that Knight's bosses are now running RansomHub — but it's probable that someone bought the source code and updated it before launching their own ransomware-as-a-service operation.

A former ALPHV affiliate who goes by Notchy, and claimed to be behind the February Change Healthcare intrusion, is reportedly working with RansomHub.

In fact, the cops' disruption of ALPHV in December 2023 may have something to do with RansomHub's success in attracting affiliates, Symantec suggested. "Tools previously associated with another [ALPHV] affiliate known as Scattered Spider, were used in a recent RansomHub attack," the threat intel firm noted.

This doesn't bode well for the plod's efforts to shut down major cyber-crime operations, which can increasingly appear to be a game of whack-a-mole, with new websites and ransomware reboots appearing shortly after police nuke earlier versions.

"The cyber-crime ecosystem has become very segmented, with lots of individuals and groups specializing in particular areas and collaborating to perform attacks," Dick O'Brien, Symantec's principal intelligence analyst, told The Register. "That certainly does make it more challenging for law enforcement, because if you shut down a ransomware group, their affiliates may migrate to other ransomware groups."

However, this doesn't mean it's a losing battle, he added. 

"That's not to say that law enforcement operations have no value," O'Brien said. "They can remove key figures from the underworld, disrupt the pace of attacks, and create suspicion and discord among cybercrime actors." ®
