Affiliates of the RansomHub ransomware gang have carried out attacks on at least 210 organisations since February, US officials have warned.
They said the group has grown rapidly in part by picking up affiliates from two other ransomware groups that disappeared ealier this year.
RansomHub operates on an infrastructure-as-a-service model, where affiliates use its infrastructure to compromise a target and encrypt its systems, demanding a ransom to provide a decryption key.
As is increasingly common, RansomHub affiliates also exfiltrate data and threaten to release it publicly if the ransom is not paid.
Different affiliates use various methods for exfiltrating data, said the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and two other agencies in a co-authored advisory.
Affiliates have targeted a wide range of sectors, including water, IT, government, healthcare, emergency services, agriculture, financial services, critical manufacturing, transportation and critical communications infrastructure, the advisory said.
Targets have included credit union Patelco, drugstore chain Rite Aid, auction house Christie’s, telecom provider Frontier Communications and oil services giant Halliburton, which disclosed in an SEC filing that it was compromised on 21 August.
The gang, formerly known as Cyclops and Knight, “has established itself as an efficient and successful service model,” the agencies said.
RansomHub’s quick growth is in part due to the disappearance of two major groups earlier this year, they said – LockBit, which was disrupted by an international law enforcement action in February, and AlphV, also known as BlackCat, which shut down in March.
Ransomware infrastructure providers normally receive payment before sending the portion due to the affiliate who carried out the attack, but affiliates must trust the provider to send them their cut.
In March this system took a blow with the disappearance of the gang AlphV, also known as BlackCat, which is believed to have received a $22 million (£17m) payment from dominant US healthcare payments provider Change Healthcare before disappearing without paying its affiliate.
A notice was displayed on the AlphV website claiming the gang was taken down by law enforcement groups including the FBI and the UK’s National Crime Agency, but the NCA said it was not involved in any such action, which along with other factors led security researchers to conclude AlphV’s departure was an “exit scam”.
RansomHub allows affiliates to collect payments themselves, making it all the more attractive to former AlphV affiliates, security experts have said.
The US agencies recommended mitigation measures including patching vulnerabilities that have already been exploited in the wild and use of two-factor authentication.
They advised against paying ransoms as it does not guarantee files will be recovered and “payment may also embolden adversaries to target additional organisations”.
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…