Cyber999 Advisories

1.0 Introduction

The Cyber999 Incident Response Centre has been receiving several incident reports of businesses impacted by ransomware this year. As of writing this advisory, we have received less than 10 incidents of RansomHub infection affecting businesses, including a private educational institution. It should be noted that these are only reported incidents, while those unreported could be more. Though the number may not be significant, the impacts could be devastating. The incidents may seriously impact businesses in terms of disruption to operations and potential data leaks.

The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), has released a joint advisory to share RansomHub ransomware IOCs and TTP. The IOCs and TTP are essential for organisations and businesses to mitigate RansomHub ransomware.

2.0 Impact

The RansomHub encrypts files and exfiltrates data from the infected systems. It leverages a double-extortion model by encrypting systems and exfiltrating data to extort victims. The ransom note dropped during encryption provides victims a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). Victims are typically given three to 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

3.0 Technical Details

3.1 Leveraged Tools

See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: These tools and applications should not be attributed malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by RansomHub Affiliates

3.2 Indicators of Compromise (IOCs)

Disclaimer: Several IP addresses were first observed as early as 2020, although most date from 2022 or 2023 and have been historically linked to QakBot. The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), recommend organisations investigate or vet these IP addresses before taking action (such as blocking).

See Table 2–Table 5 for IOCs obtained from the FBI investigations.

Table 2: Directory Structure TTPs

Disclaimer: The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), recommend network defenders investigate or vet IP addresses before taking action, such as blocking. Many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

Table 3: Known IPs Related to Malicious Activity (2023-2024)

Table 4: Known URLs Related to Malicious Activity (2023-2024)

4.0 Recommendations

CyberSecurity Malaysia recommends that system administrators review this advisory and implement the mitigations recommended below for immediate protection against RansomHub and other ransomware incidents. 

4.1 Recommendations for System Administrators:

1. Implement recovery plan to maintain and retain multiple copies of sensitive and proprietary data and servers in a physically separate, segmented and securelocation.
2. Organisations must proactively monitor and screen for compromised credentials potentially due to RansomHub infection. Hence, compromised credentials must be immediately rectified by changing the passwords to strong passwords. 
3. Implementing password revocation to enforce password changing.
4. Encourage employees to use secure password managers and longer passphrases, avoid using the same password for multiple accounts and set reminders to change passwords after several months.
5. Use multi-factor authentication to identify and protect the businesses' critical assets and access to critical information systems.
6. Restrict access authorisations according to user roles and develop authorisation policy to secure idle accounts; automatically lock accounts and alert IT staff after several failed login attempts.
7. Review Active Directory (AD) to locate and close existing backdoors, such as compromised service accounts, which often have administrative privileges and are often targeted by attackers who aim to steal credentials.
8. Keep all operating systems, software and firmware up-to-date and patched regularly.
9. Perform Data backups daily and test regularly. Place backup copies in a remote location.
10. Enforce phishing-resistant multifactor authentication to administrator accounts.
11. Segment networks to prevent the spread of ransomware, which helps to restrict adversary lateral movement.
12. Install, regularly update and enable real-time detection for anti-virus software on all hosts.
13. Review domain controllers, servers, workstations, and active directories for new and/or unrecognised accounts.
14. Maintain offline backups of data and regularly maintain backup and restoration. Ensure all backup data is encrypted
15. IS awareness training should be conducted for all staff at least once a year.
16. Do not download suspicious files from an unknown sender.
17. Conduct Disaster Recovery Plan review and update, if necessary.
18. Conduct Business Continuity Plan review and update, if necessary.

4.2 Recommendations for Internet Users:

1. Users should use strong and unique passwords.
2. Users should use secure passwords for the network.
3. Users should be wary of phishing attempts and not simply click on any links or executables they receive via social media and other messaging applications.
4. Users should practice safe browsing and regularly back up data.
5. Users should download software or applications from reputable sources.
6. Users should be wary and suspicious of applications circulated on social media for downloads.
7. Enable and use up-to-date anti-virus software.
8. Do regular security updates and patches.
9. Contact relevant authorities such as CyberSecurity Malaysia for inquiries and assistance related to cyber threats or suspicious activities users observe online
10. Users are also encouraged to report to the Service Providers or the social media platform concerning the circulation of posts or ads with suspicious links.

Generally, CyberSecurity Malaysia advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

To report an incident and for further enquiries, please contact the Cyber999 Incident Response Centre through the following channels:

E-mail: cyber999[at]cybersecurity.my 

Phone: 1-300-88-2999 (monitored during business hours)  

Mobile: +60 19 2665850 (24x7 call incident reporting) 

Business Hours: Mon - Fri 08:30 -17:30 MYT 

Web: https://www.mycert.org.my 

5.0 References

• https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
• https://www.mycert.org.my/portal/advisory?id=MA-1034.022024
• https://thehackernews.com/2024/09/ransomhub-ransomware-group-targets-210.html