The rapid growth of Ransomware-as-a-Service (RaaS) is primarily fueled by its profitable business model and user-friendly operations. Threat actors are embracing RaaS because it removes the technical hurdles, providing them with ready-to-use ransomware tools and the necessary infrastructure. Consequently, even those with minimal technical skills can launch complex attacks, leading to a surge in both ransomware incidents and the profits they generate.
RansomHub RaaS, a rebranded and enhanced version of the previous Knight ransomware operation, has emerged as the largest ransomware group in operation. Symantec’s cybersecurity experts have identified significant similarities in the codebases of RansomHub and Knight, suggesting that the latter served as the foundation for the new group. Despite these similarities, the original creators of Knight are unlikely to be behind RansomHub, as they made Knight’s source code publicly available before shutting down.
Ransomware-as-a-Service (RaaS) offers a platform that enables cybercriminals to launch ransomware attacks without needing extensive technical knowledge. Launched in recent years, these platforms provide ready-made ransomware tools and infrastructure, allowing even low-skilled actors to execute sophisticated attacks. RansomHub, an updated version of Knight ransomware, has quickly gained prominence in this market, leveraging its advanced features and rebranded image.
RansomHub’s rise can be attributed to the acquisition and modification of Knight’s publicly leaked codebase by new actors. Both malware families share a substantial portion of their source code, written in Go, making them difficult to distinguish. The command line options for RansomHub resemble those of Knight, with only minor differences. The similarity extends to ransom notes, execution orders, and even the approach to configuration storage, indicating that RansomHub has reused and updated Knight’s original code.
RansomHub’s growth also benefited from recruiting former associates of other ransomware groups like Noberus, as well as utilizing tools from Scattered Spider. This consolidation of experience and resources has allowed RansomHub to quickly establish itself as a significant player in the ransomware landscape. Reports from earlier this year indicated that RansomHub had become the fourth most prominent ransomware operator within just three months of its emergence, underscoring its rapid ascent and effectiveness.
RansomHub’s Operational Tactics
The operational similarities between RansomHub and Knight are evident in their use of Go language and specific techniques like string obfuscation. RansomHub has adopted and modified Knight’s original ransom notes and execution commands. Both families restart victims’ systems in safe mode before encryption, a method previously employed by Snatch ransomware. Additionally, RansomHub’s configuration storage approach is similar to Noberus’ JSON-based method, suggesting shared or derived codebases.
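The safe-mode restart before encryption is the one behaviour in this section a defender can look for directly in endpoint telemetry. The following is an added example, not code from Symantec or from the report this article summarizes: it assumes process-creation logs with a command line field (Sysmon-style, constructed here) and that the safe-mode boot is configured with the standard Windows `bcdedit ... /set ... safeboot` command followed by a reboot, which the page does not state explicitly. It raises a medium finding for any safeboot configuration change and a high finding when the same host reboots shortly afterwards.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events in a Sysmon-like shape
# (constructed for this example, not taken from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2024-06-05T10:12:01Z", "host": "WS-01",
     "cmdline": "bcdedit /enum all"},                          # benign enumeration
    {"ts": "2024-06-05T10:12:05Z", "host": "WS-01",
     "cmdline": "bcdedit /set {current} safeboot minimal"},    # safe-mode boot configured
    {"ts": "2024-06-05T10:12:09Z", "host": "WS-01",
     "cmdline": "shutdown /r /f /t 0"},                        # immediate forced reboot
    {"ts": "2024-06-05T11:40:00Z", "host": "SRV-02",
     "cmdline": "bcdedit /set {default} safeboot network"},    # configured, no reboot seen
    {"ts": "2024-06-05T12:00:00Z", "host": "WS-03",
     "cmdline": 'shutdown /r /t 300 /c "patch window"'},       # reboot without safeboot change
]

# bcdedit invoked with /set and a safeboot value (assumed mechanism for the restart).
SAFEBOOT_SET = re.compile(r"\bbcdedit(\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.IGNORECASE)
# shutdown.exe asked to restart the machine.
RESTART = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.IGNORECASE)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_safe_mode_staging(events, window=timedelta(minutes=10)):
    """Return (host, severity, detail) findings.

    medium: a safeboot value was configured via bcdedit.
    high:   the same host also restarted within `window` of that change,
            matching the pre-encryption safe-mode restart described above.
    """
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not SAFEBOOT_SET.search(ev["cmdline"]):
                continue
            t0 = parse_ts(ev["ts"])
            # Look only at later events on this host, inside the correlation window.
            reboot = next((r for r in evs[i + 1:]
                           if RESTART.search(r["cmdline"])
                           and parse_ts(r["ts"]) - t0 <= window), None)
            if reboot:
                findings.append((host, "high",
                                 f"safeboot set at {ev['ts']}, restart at {reboot['ts']}"))
            else:
                findings.append((host, "medium",
                                 f"safeboot set at {ev['ts']}, no restart within window"))
    return findings


if __name__ == "__main__":
    for finding in detect_safe_mode_staging(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the detector reports WS-01 as high (configuration change followed by a forced restart four seconds later) and SRV-02 as medium; WS-03's scheduled reboot produces nothing because no safeboot change preceded it. In a real deployment the medium tier will also fire on legitimate administration, so it is a triage signal, while the high tier is worth paging on and pairing with the host's encryption and shadow-copy telemetry.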
Indicators of Compromise (IOCs)
– RansomHub and Knight share significant portions of their codebase, making differentiation challenging.
– RansomHub’s command-line options (as shown in its help output) closely match Knight’s, with only minor modifications.
– Ransom notes and execution orders show substantial overlap between RansomHub and Knight.
RansomHub’s rapid growth and operational efficiency can be attributed to the reuse of Knight’s codebase and the experience of its new operators. Its emergence highlights the evolving landscape of ransomware, where RaaS platforms enable even less skilled actors to launch sophisticated attacks. The similarities between RansomHub and Knight underscore the trend of code reuse and adaptation in the ransomware community, allowing new groups to quickly establish themselves by building on existing knowledge and tools.