In recent years, ransomware attacks have increased significantly, affecting both government entities and private companies.
The growth of these attacks has not only affected private sectors, but has also had a notable impact on public administrations, such as the Legal Department of the Federal Executive. The trend reflects the growing sophistication of attackers, who are focusing on strategic targets, such as government data and critical infrastructure.
Among the most recent and dangerous groups, RansomHub stands out: an operation that has captured the attention of experts after its recent attack on the official website of a government, leaving millions of citizens vulnerable.
While details about its creators remain unclear, RansomHub appears to operate as an organized group of cybercriminals, adopting Ransomware-as-a-Service (RaaS) tactics to expand its reach and popularity, making it easy for the group to be hired to execute attacks in exchange for a share of the ransom obtained.
This group prioritizes government institutions and companies that handle sensitive data and has a focus on selling stolen information if the ransom is not paid.
RansomHub is made up of hackers from various parts of the world, united by the common goal of financial gain. The group explicitly mentions that it prohibits attacks on certain countries and non-profit organizations.
In November 2024, RansomHub executed an attack against Mexico's Legal Counsel of the Federal Executive (CJEF), stealing 313 GB of sensitive information. The compromised data includes contracts, administrative and financial information, emails, and personal details of officials.
The group set a deadline of November 25 for the ransom payment, threatening to leak the information if they did not comply. This incident highlights the urgent need to strengthen cybersecurity in government systems.
To become a partner of the group, RansomHub sets strict requirements and rules for those who wish to join. Interested parties must have an ID on well-known forums, preferably with a long track record or good reputation, and provide evidence of cooperation with other RaaS groups, such as screenshots of received payments or balances in receiving addresses. Additionally, the process can be expedited by an initial deposit that is refundable after receiving the first payment.
In terms of the scope of their behavior, different target countries have been identified, among which the following stand out:
Origins of RansomHub
RansomHub first gained attention in late 2018 with an attack targeting a hospital chain in Eastern Europe. This incident demonstrated the group's ability to combine advanced tactics such as exploiting critical vulnerabilities in remote access servers (RDP), lateral movement with tools like Mimikatz, and deploying custom ransomware that encrypted critical data and crippled systems for weeks.
RansomHub takes inspiration from previous groups such as Conti or LockBit, but has innovated its tactics by implementing:
Ultra-fast encryption: Designed to cripple systems in minutes.
Double and triple extortion: Demanding ransoms not only for decryption, but also for non-disclosure and continued sabotage.
Modular infrastructure: Allows partners to customize attacks for different sectors or geographies.
How it works
RansomHub demonstrates an adaptive and modular capacity in its attacks, due to the use of already proven techniques, but refined and combined in innovative ways to increase their effectiveness.
Their Ransomware-as-a-Service (RaaS) model makes it easy for partners to leverage these TTPs, ensuring a constant presence in the global threat landscape.
RansomHub has also added the older but critical ZeroLogon vulnerability (CVE-2020-1472), which has a CVSS severity score of 10, to its arsenal.
Tactics and techniques
Initial Access
RansomHub attackers typically compromise Internet systems and user endpoints by using methods such as phishing emails [T1566], exploiting known vulnerabilities [T1190], and password spraying [T1110.003].
Password spraying targets accounts compromised via data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:
VULNERABILITY | DESCRIPTION |
--- | --- |
CVE-2023-3519 | A vulnerability in Citrix ADC that allows an unauthenticated attacker without credentials to trigger a stack buffer overflow of the NSPPE process by making a specially crafted HTTP GET request; successful exploitation results in remote code execution as root. |
CVE-2023-27997 | Critical vulnerability affecting FortiOS and FortiProxy SSL-VPN. This vulnerability is a heap buffer overflow that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests. |
CVE-2023-22515 | A vulnerability in publicly accessible Confluence Data Center and Server instances that allows unauthorized Confluence administrator accounts to be created and used to access Confluence instances. |
CVE-2023-46747 | Critical vulnerability affecting F5 BIG-IP systems. This vulnerability allows unauthenticated attackers to bypass authentication and execute arbitrary commands on the system. |
CVE-2023-48788 | An improper neutralization of special elements used in a SQL command in Fortinet FortiClientEMS version 7.2.0 to 7.2.2 and FortiClientEMS 7.0.1 to 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets. |
CVE-2017-0144 | A critical vulnerability that affects SMBv1 servers in various Microsoft operating systems including Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows 10, and Windows Server 2016. It allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability" [T1210]. |
CVE-2020-1472 | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). |
CVE-2020-0787 | An elevation of privilege vulnerability affecting Microsoft's Background Intelligent Transfer Service (BITS). This vulnerability is due to BITS improperly handling symbolic links, which allows an attacker to execute arbitrary code with system privileges. |
Discovery
RansomHub uses several tools and techniques to scan networks and identify potential targets, using different methods, such as:
AngryIPScanner: A tool that allows you to scan IP addresses and ports to identify active devices on a network.
Nmap: A powerful network scanning tool that can discover devices, services and vulnerabilities on a network.
PowerShell-based methods: These use built-in PowerShell commands to perform network scanning and reconnaissance without the need to install additional software.
Privilege escalation and lateral movement
After initial access, elevated privileges are sought to carry out the persistence process using the following techniques:
Create user accounts for persistence
Disabled accounts are reactivated
They use Mimikatz [S0002] to harvest credentials and escalate privileges to SYSTEM
They move laterally using RDP, PsExec [S0029], Anydesk, Connectwise, N-Able, Cobalt Strike, and Metasploit.
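As an added example (not part of the original report), the following Python script shows how a defender could surface the persistence and lateral-movement behaviours listed above from Windows event logs: account creation (Security Event ID 4720), re-enabling of disabled accounts (4722), RDP logons (4624 with logon type 10) and installation of the service PsExec leaves on a remote host (System Event ID 7045, service name PSEXESVC). The event records are constructed sample data; the record field names and the one-hour correlation window are assumptions.

```python
"""Detection sketch for the persistence / lateral-movement steps above.
Constructed sample events, not real telemetry; field names are assumptions."""
from datetime import datetime, timedelta

# Windows Security log event IDs used as signals.
ACCOUNT_PREP = {
    4720: "new account created (possible persistence)",
    4722: "disabled account re-enabled (possible persistence)",
}
RDP_LOGON_TYPE = 10          # 4624 logon type 10 = RemoteInteractive (RDP)
PSEXEC_SERVICE = "PSEXESVC"  # service PsExec installs on the remote host (System log 7045)

SAMPLE_EVENTS = [  # constructed for this example
    {"ts": "2024-11-10T02:11:05", "id": 4720, "host": "DC01", "subject": "svc_backup", "target": "support_tmp"},
    {"ts": "2024-11-10T02:11:40", "id": 4722, "host": "DC01", "subject": "svc_backup", "target": "old_admin"},
    {"ts": "2024-11-10T02:13:02", "id": 4624, "host": "FS01", "subject": "old_admin", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-11-10T02:14:30", "id": 7045, "host": "FS01", "service": "PSEXESVC"},
    {"ts": "2024-11-10T09:00:00", "id": 4624, "host": "WS07", "subject": "jdoe", "logon_type": 2, "src_ip": "-"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyse(events, window=timedelta(hours=1)):
    """Return (severity, host, message) tuples, oldest first.

    An RDP logon by an account that was created or re-enabled within
    `window` is rated HIGH because it chains the two steps the text describes.
    """
    findings = []
    prepared = {}  # account name -> time it was created / re-enabled
    for e in sorted(events, key=_ts):
        eid = e["id"]
        if eid in ACCOUNT_PREP:
            prepared[e["target"]] = _ts(e)
            findings.append(("MEDIUM", e["host"], f"{ACCOUNT_PREP[eid]}: {e['subject']} -> {e['target']}"))
        elif eid == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            seen = prepared.get(e["subject"])
            sev = "HIGH" if seen is not None and _ts(e) - seen <= window else "LOW"
            findings.append((sev, e["host"], f"RDP logon by {e['subject']} from {e['src_ip']}"))
        elif eid == 7045 and e.get("service", "").upper() == PSEXEC_SERVICE:
            findings.append(("MEDIUM", e["host"], f"remote-execution service installed: {e['service']}"))
    return findings


if __name__ == "__main__":
    for sev, host, msg in analyse(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {msg}")
```

The ordinary interactive logon by `jdoe` produces no finding, while the `old_admin` account, re-enabled and then used over RDP two minutes later, is rated HIGH; the correlation is what separates a routine help-desk action from the sequence described above.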
Data exfiltration
Data exfiltration by RansomHub varies by attacker with methods such as PuTTY, Amazon AWS S3, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit observed.
Encryption
RansomHub uses the Curve25519 elliptic-curve algorithm in its file-encryption scheme, generating a unique public/private key pair for each victim.
To encrypt files in use, the ransomware attempts to stop the following processes on the system:
Process Discovery for Encryption | | | | | |
--- | --- | --- | --- | --- | --- |
vmms.exe | notepad.exe | onenote.exe | steam.exe | visio.exe | agntsvc.exe |
msaccess.exe | ocautoupds.exe | outlook.exe | synctime.exe | winword.exe | dbsnmp.exe |
mspub.exe | ocomm.exe | powerpnt.exe | vmwp.exe | wordpad.exe | dbeng50.exe |
svchost.exe | ocssd.exe | explorer.exe | thebat.exe | xfssvccon.exe | encsvc.exe |
vmcompute.exe | oracle.exe | sql.exe | thunderbird.exe | TeamViewer.exe | |
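As an added example, not taken from the article, the following Python snippet turns the list above into a detection: it reads constructed Sysmon-style process-termination records (Event ID 5) and raises an alert when several of the listed applications are terminated on one host within a short window, which is what a ransomware pre-encryption routine produces and what normal user activity rarely does. The record format, the 60-second window and the threshold of five distinct processes are assumptions.

```python
"""Detection sketch for the pre-encryption process-termination behaviour above.
Reads constructed Sysmon-style records (ts,event_id,host,image) and alerts when
many of the listed applications are terminated on one host within a short window.
Added example, not tooling from the original article; format and thresholds are assumptions."""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# The process list from the report, lower-cased for matching.
TARGET_PROCESSES = {
    "vmms.exe", "notepad.exe", "onenote.exe", "steam.exe", "visio.exe", "agntsvc.exe",
    "msaccess.exe", "ocautoupds.exe", "outlook.exe", "synctime.exe", "winword.exe", "dbsnmp.exe",
    "mspub.exe", "ocomm.exe", "powerpnt.exe", "vmwp.exe", "wordpad.exe", "dbeng50.exe",
    "svchost.exe", "ocssd.exe", "explorer.exe", "thebat.exe", "xfssvccon.exe", "encsvc.exe",
    "vmcompute.exe", "oracle.exe", "sql.exe", "thunderbird.exe", "teamviewer.exe",
}
PROCESS_TERMINATED = 5  # Sysmon Event ID 5

# Constructed log: a burst on FS01, then ordinary scattered terminations on WS07.
SAMPLE_LOG = r"""2024-11-10T02:20:01,5,FS01,C:\Windows\System32\notepad.exe
2024-11-10T02:20:02,5,FS01,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-11-10T02:20:02,5,FS01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2024-11-10T02:20:03,5,FS01,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
2024-11-10T02:20:05,5,FS01,C:\Program Files\Oracle\bin\oracle.exe
2024-11-10T02:20:06,5,FS01,C:\SQL\sql.exe
2024-11-10T02:20:07,5,FS01,C:\Program Files\Mozilla Thunderbird\thunderbird.exe
2024-11-10T09:00:00,5,WS07,C:\Windows\System32\notepad.exe
2024-11-10T12:00:00,5,WS07,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-11-10T12:00:01,1,WS07,C:\Windows\System32\notepad.exe"""


def parse(line):
    """Split one record into (time, event id, host, lower-cased image basename)."""
    ts, eid, host, image = line.split(",", 3)
    return datetime.fromisoformat(ts), int(eid), host, PureWindowsPath(image).name.lower()


def detect_kill_burst(lines, window=timedelta(seconds=60), threshold=5):
    """Return (host, time, [process names]) for each burst of at least `threshold`
    distinct target processes terminated within `window` on the same host."""
    alerts = []
    recent = {}  # host -> deque of (time, process name) still inside the window
    for line in lines:
        if not line.strip():
            continue
        ts, eid, host, name = parse(line)
        if eid != PROCESS_TERMINATED or name not in TARGET_PROCESSES:
            continue
        q = recent.setdefault(host, deque())
        q.append((ts, name))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) >= threshold:
            alerts.append((host, ts, sorted(distinct)))
            q.clear()                  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for host, when, procs in detect_kill_burst(SAMPLE_LOG.splitlines()):
        print(f"{host} {when.isoformat()}: {len(procs)} listed processes terminated: {', '.join(procs)}")
```

Only event ID 5 records for processes in the list count toward the window, so a user closing Outlook in the morning and Notepad at noon never trips the rule, while five listed processes ending within six seconds on FS01 do. Thresholds should be tuned per environment; servers that legitimately restart database services during maintenance windows may need an exception.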
Who is at risk and why?
RansomHub targets strategic sectors where it can maximize financial and operational impact, including:
Sector | Reason | Impact |
--- | --- | --- |
Health and Medical Care | Healthcare institutions have a low tolerance for disruption, making them prone to paying ransoms quickly. | They have led campaigns against hospitals, clinics and laboratories, targeting electronic medical records (EMR) and diagnostic systems. |
Education | Universities and schools handle large volumes of sensitive data, but lack robust cybersecurity budgets. | They attack university networks to encrypt systems and sometimes exfiltrate valuable research. |
Public Services and Energy | Disrupting essential services creates public pressure to pay the ransom. | Focused on critical infrastructure, they target SCADA systems and industrial control networks (ICS). |
Financial Services | Financial institutions handle sensitive data and funds, making them lucrative targets. | They steal customer data and encrypt payment systems to maximize pressure. |
Manufacture | Manufacturing companies rely on automated processes and IoT systems, which are vulnerable to critical disruptions. | Encryption of production systems can bring entire supply chains to a standstill. |
Government and Public Sector | Local and regional governments often have outdated systems, making attacks easier. | Essential services such as document issuance or public communications are interrupted. |
Technology and Telecommunications | Technology companies handle sensitive data and operate global networks, making them high-value targets. | They encrypt server systems and exfiltrate information for double extortion. |
Transport and Logistics | The interconnected nature of the sector makes it vulnerable to significant disruptions with domino effects. | They target route management, logistics and inventory control systems, causing operational paralysis. |
Victims
Legal Counsel of the Federal Executive Branch (CJEF) (November 2024)
The RansomHub ransomware group has included the Government of Mexico in its list of victims, specifically attacking the Legal Counsel of the Federal Executive Branch (CJEF). According to data revealed on the dark web, the RansomHub group has hijacked 313 GB of confidential information from the CJEF. This leak of critical data could compromise both the operational security of the institution and the confidentiality of key government information.
The attack compromises highly sensitive information, including:
Administrative Contracts: Key documents related to government agreements and transactions.
Financial data: Information related to budgets, payments and fiscal resources.
Insurance Information: Critical details about insurance coverages and policies used by the government.
Lists of officials: Personal information of officials, including full name, photograph, RFC, institutional email, and work area.
As part of its modus operandi, RansomHub has published a real estate lease agreement used by the CJEF as evidence of the attack. This document highlights the attackers' access to crucial internal information, as the CJEF plays a key role in validating legal instruments and drafting bills for the President of the Republic.
The cybercriminal group has given the Mexican government a 10-day deadline to pay the ransom, although the amount requested has not been revealed.
If payment is not made, RansomHub threatens to release all the stolen information on the deep web, which would not only affect the CJEF's operations, but would also expose the security of officials and the confidentiality of key decisions of the Mexican government, with potentially devastating long-term effects.
Attack on Florida Department of Health (July 1, 2024)
RansomHub claimed responsibility for an attack on the Florida Department of Health, highlighting the healthcare sector as a recurring target due to the criticality of its operations and the sensitivity of its data. Additionally, the domain floridahealth[.]gov was identified in three theft records and seven alleged data breaches. This case reinforces the ongoing threat to medical institutions and demonstrates the sophistication of targeted attacks.
Rite Aid Customer Database Leak (August 3, 2024)
RansomHub was singled out for leaking a database of 12,316,882 Rite Aid customer records. The compromised data includes names, dates of birth, driver's license numbers, and other sensitive information. This attack underscores the group's ability to handle and disclose large volumes of stolen data, creating a significant impact on victims.
Ransomware attack on Patelco Credit Union (June 29 - August 15, 2024)
Patelco Credit Union suffered a data breach that affected 726,000 customers and paralyzed operations for two weeks. RansomHub published the compromised data on its extortion portal after failed negotiations. The stolen information included full names, Social Security numbers, driver's licenses, birth dates, and emails. In response, Patelco offered credit monitoring and warnings about potential phishing scams targeting those affected.
Other Victims in Mexico
RansomHub's activity in Mexico is not isolated; the group has attacked several high-profile Mexican entities. Among the most relevant victims are:
Grupo Aeroportuario del Centro Norte (OMA), with more than 2.2 terabytes of leaked data, including confidential information on airport audits and security.
National Autonomous University of Mexico (UNAM), where more than 37,000 users were affected by the exposure of personal information.
Mabe, which suffered the threat of a leak of the banking and personal data of thousands of customers.
On the data breach site, the posts appear to be handled by the partners themselves: the way victims are listed varies, including differences in the presentation of evidence for each attack and in the language used.
Some posts include links to hosting services for sharing documents as proof of the hack, while others include screenshots directly in the leaked post.
Immediate Actions Against Ransomware Attacks
Isolate the affected system: Disconnect the infected computer from the network (Wi-Fi, Ethernet, Bluetooth) to prevent the ransomware from spreading to other devices.
Stop the spread across the network: Identify and take down other systems suspected of being compromised, including servers and shared devices on the network.
Contact the cybersecurity team: Immediately notify the internal team or external experts to coordinate an appropriate response.
Do not pay the ransom: Although tempting, paying the ransom does not guarantee access to the data and could fund future criminal activities.
Preserve evidence: Do not format or reboot affected systems. Make forensic copies of disks for future investigations and technical analysis.
Identify the ransomware type: Analyze the ransom message and encrypted files to determine which ransomware family is involved. Use tools like [ID Ransomware]( https://www.nomoreransom.org ) for this task.
Activate the incident response plan: If your organization has a predefined plan, follow it closely to coordinate containment, analysis, and recovery.
Change compromised credentials: Change passwords for affected accounts, especially if the ransomware was spread via stolen credentials.
Notify relevant parties: Communicate the incident to regulators, partners or customers if sensitive data has been compromised, complying with applicable regulations (e.g. GDPR or CCPA).
Consult external resources: Access initiatives such as [No More Ransom]( https://www.nomoreransom.org ) for free decryption tools, if available for the ransomware type in question.
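The "identify the ransomware type" step above starts with working out which files were actually encrypted and where the ransom note is. As an added example (not a tool from the original article), the following Python script runs that triage over a forensic copy of the affected data, never the live system, in keeping with the "preserve evidence" step: it measures per-file byte entropy (ciphertext sits close to 8 bits per byte), tallies the extensions of the likely encrypted files, and collects candidate ransom notes by keyword. The sample files are constructed; the 7.5-bit threshold and the note keywords are assumptions.

```python
"""Triage helper for the 'identify the ransomware type' step. Run it against a
forensic copy of the affected data, never the live system. It measures per-file
byte entropy (encrypted output is close to 8 bits/byte), tallies the extensions
of likely encrypted files and collects candidate ransom notes.
Added example on constructed files, not tooling from the original article."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits/byte; plain text sits far below, compressed formats also score high
NOTE_KEYWORDS = (b"decrypt", b"restore", b"ransom")  # assumption: common ransom-note wording


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root, sample_size=65536):
    """Classify files under root as likely encrypted or as candidate ransom notes."""
    root = Path(root)
    report = {"encrypted_candidates": [], "ransom_notes": [], "extensions": Counter()}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()[:sample_size]  # a prefix is enough to classify
        rel = p.relative_to(root).as_posix()
        if shannon_entropy(data) >= HIGH_ENTROPY:
            report["encrypted_candidates"].append(rel)
            report["extensions"][p.suffix.lower()] += 1
        elif any(k in data.lower() for k in NOTE_KEYWORDS):
            report["ransom_notes"].append(rel)
    return report


def demo():
    """Build a small constructed directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Random bytes stand in for encrypted files; the .locked suffix is invented.
        (root / "budget_2024.xlsx.locked").write_bytes(os.urandom(8192))
        (root / "minutes.docx.locked").write_bytes(os.urandom(8192))
        (root / "notes.txt").write_bytes(b"Quarterly meeting agenda. " * 50)
        (root / "README_RESTORE.txt").write_bytes(
            b"Your files are encrypted. Contact us to decrypt them.")
        return triage(root)


if __name__ == "__main__":
    r = demo()
    print("likely encrypted:", r["encrypted_candidates"])
    print("extensions:", dict(r["extensions"]))
    print("ransom notes:", r["ransom_notes"])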
Ransomware Mitigation
Data Backup: Implement a robust regular backup strategy to ensure the availability of critical data in the event of an attack.
Security training: Educate employees about ransomware threats, phishing tactics, and cybersecurity best practices to reduce risk.
Update management: Keep systems, software and applications up to date with security patches to close known vulnerabilities.
Network segmentation: Separate critical systems and sensitive data from less secure areas to limit the impact of infections.
Access control: Apply the principle of least privilege to restrict access and minimize the scope of attacks.
Email and Web Security: Use advanced filters to detect and block malicious files, links, and phishing.
Endpoint protection: Use security solutions such as antivirus, intrusion detection systems (IDS), and EDR tools to mitigate threats on devices.
Incident Response Plan: Design and regularly test a response plan focused on ransomware attacks that includes identification, containment, mitigation, and recovery.
Security Audits: Perform audits, vulnerability assessments, and penetration tests to identify and correct security flaws.
Backup Verification: Regularly test backed up data to ensure its integrity and functionality, and store it securely against unauthorized access.
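The "Data Backup" and "Backup Verification" items above both depend on being able to prove that a backup still matches what was written. As an added example (not a tool from the original article), the following Python script records a SHA-256 manifest when the backup is taken and checks the backup tree against it later; files encrypted in place show up as modified, and files renamed with a ransomware extension show up as missing plus added. The sample files and the tampering simulated in `demo()` are constructed; in practice the manifest is stored on offline or write-once media so an attacker who reaches the backup share cannot also rewrite the record of what the backup should contain.

```python
"""Backup integrity check: record a SHA-256 manifest when the backup is taken,
store it separately from the backup, and verify before relying on the copy.
Added example with constructed files, not a tool from the original article."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree against a previously recorded manifest.

    Encrypted-in-place files appear as 'modified'; files renamed with a
    ransomware extension appear as 'missing' plus 'added'.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def demo():
    """Take a manifest of a small constructed backup, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "ledger.sql").write_bytes(b"CREATE TABLE accounts (id INT);\n")
        (root / "contracts.docx").write_bytes(b"PK\x03\x04 constructed document bytes")
        # The manifest would normally go to immutable / offline storage;
        # here it is kept in memory as JSON, which is how it would be serialised.
        manifest_json = json.dumps(build_manifest(root))
        clean = verify_backup(root, json.loads(manifest_json))
        # Simulate what a ransomware run does to a reachable backup share.
        (root / "db" / "ledger.sql").write_bytes(b"\x8f\x11encrypted-placeholder\x00")
        (root / "contracts.docx").rename(root / "contracts.docx.locked")
        tampered = verify_backup(root, json.loads(manifest_json))
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("after tampering:", after)
```

A restore drill should run `verify_backup` before any data is copied back, and a non-empty `modified` or `missing` list on a backup that has not been deliberately changed is itself an incident indicator, since it means something with write access reached the backup location.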
Conclusion
The attack on CJEF is a reminder of the growing threat posed by ransomware, not just to governments, but to all sectors of society.
The rapid evolution of attackers' tactics requires an equally rapid and effective response from institutions and companies. It is essential that Mexico and its entities reinforce their cybersecurity measures and work together with international allies to protect their critical infrastructure from these dangers.
Strengthening cybersecurity is now more important than ever to ensure the stability and development of the country, as RansomHub has proven to be a significant player in the ransomware ecosystem, attacking critical sectors and exploiting the vulnerability of large organizations.
The human factor remains one of the weakest points in cybersecurity.
Ongoing cybersecurity training, particularly in recognizing phishing emails, suspicious links, and unsafe practices, is critical to reducing the risk of infection. Employees should be trained to spot signs of a ransomware attack and follow safety procedures, such as not clicking on unknown links and reporting suspicious activity immediately.
In addition to training employees, organizations should form well-trained incident response teams that are up to date on the latest ransomware tactics to ensure a quick and effective response in the event of an attack.