The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint advisory about RansomHub, a ransomware group that became widely known after it published data stolen from UnitedHealth Group's Change Healthcare in April [1]. Since February 2024, RansomHub affiliates have hit more than 210 organizations [2].
The advisory describes how RansomHub operates and which sectors it hits hardest. Given that reach, organizations need to understand how they are being attacked and what they can do to reduce the risk.
RansomHub’s Rising Influence & Its Impact on Key Sectors
The advisory notes that RansomHub has targeted victims across many sectors, including water and wastewater, IT, healthcare, emergency services, agriculture, financial services, manufacturing, transportation, communications, and government.
RansomHub's rise followed the disruption of two major ransomware operations, LockBit and ALPHV. The advisory states that RansomHub has since attracted high-profile affiliates from both.
The attack on UnitedHealth Group's Change Healthcare, which exposed personally identifiable information (PII) and protected health information (PHI) of a "substantial proportion of people in America," was carried out by an affiliate working for ALPHV. After ALPHV shut down, that affiliate moved to RansomHub, which then listed the stolen data for sale.
Since then, RansomHub has become a major player in ransomware. It has claimed responsibility for attacks on major companies and institutions including telecom giant Frontier, Rite Aid, British auction house Christie's, the city of Columbus, Ohio, and one of the oldest credit unions in the U.S.
The advisory states that RansomHub was formerly known as Cyclops and later as Knight, and has since grown into a highly effective and successful operation.
How RansomHub Operates & What Victims Should Know
The findings in the advisory are based on several investigations by CISA, the FBI, and other federal partners.
The agencies found that RansomHub affiliates use a double-extortion model: they exfiltrate data and encrypt systems, then extort the victim. The ransom note dropped during encryption usually contains no demand amount or payment instructions; instead it gives the victim a client ID and a link to contact the group.
According to the advisory, victims are typically given between three and 90 days to pay before their data is published on the RansomHub leak site, depending on the affiliate. Initial access is most often gained through phishing emails, exploitation of known vulnerabilities in internet-facing systems, or password spraying against accounts whose credentials were exposed in earlier breaches.
The advisory lists a number of known vulnerabilities that RansomHub affiliates have exploited, in products from Citrix, Fortinet, Apache, F5 (BIG-IP), Microsoft, and Atlassian. Public exploits exist for these vulnerabilities, so unpatched internet-facing instances are easy targets. Once inside, affiliates install legitimate remote access software such as AnyDesk to maintain access.
As part of the government's broader crackdown on ransomware, the agencies behind the advisory urge victims to report incidents immediately. The advisory was published the same day CISA launched a new cyber incident reporting portal to make notification easier.
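One way to turn the remote-access observation into a hunt, as an added example (this is not code from the advisory or from 2Secure): the Python script below scans process-creation events in a constructed CSV format and flags AnyDesk executions on hosts that are not on an assumed helpdesk allow-list, or that run from user-writable directories such as Temp or Downloads on an approved host. The log format, host names, allow-list and sample events are all constructed for illustration.

```python
"""
Hunt for unapproved remote-access tool execution (AnyDesk) in process logs.

Added example for this article; it is not code from CISA, the FBI or 2Secure.
The CSV log format, host names, allow-list and sample events are all
constructed for illustration and should be replaced with your own telemetry.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Remote-access tool binaries to hunt for. AnyDesk is the one named in the
# advisory; extend the set with any other tool you do not sanction.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}

# Hosts where helpdesk staff are permitted to run AnyDesk (assumed allow-list).
APPROVED_HOSTS = {"helpdesk-01", "helpdesk-02"}

# Directory fragments that suggest a tool was dropped by hand rather than
# installed through normal software deployment (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    reason: str


def classify(event: dict) -> Optional[str]:
    """Return why a process-creation event is suspicious, or None if it is not."""
    image = event["Image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    if exe not in REMOTE_ACCESS_TOOLS:
        return None
    if event["Host"].lower() not in APPROVED_HOSTS:
        return f"{exe} executed on host outside the remote-access allow-list"
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        return f"{exe} launched from a user-writable directory on an approved host"
    return None


def hunt(log_text: str) -> List[Finding]:
    """Parse CSV process-creation events and return the suspicious ones."""
    findings = []
    for event in csv.DictReader(io.StringIO(log_text)):
        reason = classify(event)
        if reason is not None:
            findings.append(Finding(event["Timestamp"], event["Host"],
                                    event["User"], event["Image"], reason))
    return findings


# Constructed sample telemetry (not real events): one sanctioned helpdesk use,
# two executions on hosts that should never run AnyDesk, one run from the
# Downloads folder on an approved host, and one unrelated process.
SAMPLE_LOG = r"""Timestamp,Host,User,Image,CommandLine
2024-08-01T09:12:03Z,helpdesk-01,CORP\svc_helpdesk,C:\Program Files\AnyDesk\AnyDesk.exe,AnyDesk.exe
2024-08-01T11:47:55Z,fin-ws-07,CORP\jdoe,C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe,AnyDesk.exe --install C:\Temp --start-with-win --silent
2024-08-01T23:05:10Z,srv-files-02,CORP\administrator,C:\Users\Public\AnyDesk.exe,AnyDesk.exe --set-password
2024-08-02T02:30:41Z,helpdesk-02,CORP\svc_helpdesk,C:\Users\svc_helpdesk\Downloads\AnyDesk.exe,AnyDesk.exe
2024-08-02T08:00:00Z,fin-ws-07,CORP\jdoe,C:\Windows\System32\notepad.exe,notepad.exe
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} ({f.image})")
```

Run against the constructed sample, the script reports three of the five events: the two AnyDesk launches on non-helpdesk hosts and the one launched from a Downloads folder on an approved host; the sanctioned installation under Program Files is left alone. In practice the same logic applies to Sysmon Event ID 1 or EDR process telemetry, and the allow-list should be driven by your software inventory rather than hard-coded.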
How Can Organizations Better Protect Themselves From These Escalating Threats?
Ransomware attacks are becoming more frequent and more sophisticated. The following practices help defend against them:
1. Regularly Patch Your Systems & Software
The 2Secure team advises applying patches and updates as soon as they become available, with priority on internet-facing systems such as VPN appliances and gateways. According to a Sophos report, 32% of ransomware attacks began with an unpatched vulnerability. Because these attacks exploit known flaws in outdated software, keeping everything current closes off many entry points.
2. Use Strong Passwords & Multi-Factor Authentication (MFA)
Protect your accounts with strong, unique passwords, and consider a password manager to keep track of them. Enable multi-factor authentication (MFA) wherever possible, preferring phishing-resistant methods for administrative and remote access accounts. MFA adds a second form of verification on top of the password, so a leaked or sprayed password alone is not enough to get in.
3. Backup Your Data Separately and Offline
Regularly back up your important data and keep copies offline, or otherwise isolated from the production network, so an intruder who gains domain access cannot encrypt or delete them. If you are hit by ransomware, you can restore from these backups without paying. Protect the backups with the same care as production systems, and test restores periodically; a backup you have never restored from is not a recovery plan.
4. Train Your Team
Train employees to recognize phishing emails and other common attack methods. They should be cautious about clicking links or downloading attachments from unknown sources. Regular training reduces accidental infections.
5. Report Incidents Promptly
As CISA and the other agencies advise, if you experience a ransomware attack, report it to the relevant government agency (in the U.S., CISA or your local FBI field office). They can offer support, help you understand the situation, and assist in dealing with the attack.
6. Seek Expert Help
If you are unsure about your current security posture, bring in cybersecurity experts. They can deploy endpoint detection and response (EDR) tooling and build an incident response plan for the case where ransomware gets through. That plan should cover containing the attack, communicating with stakeholders, and recovering your data.
Check out our webinar, "Ransomware Readiness," which covers strategies for protecting your organization from ransomware's common entry points and tackling the challenges defenders often face.
FAQ
What US Agency Is Responsible For Cyber Threats?
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) leads the civilian effort to protect critical infrastructure and help organizations improve their cybersecurity, while the FBI leads investigation of cybercrime. Ransomware incidents can be reported to either.
What Is The Most Concerning Cybersecurity Threat To Organizations Today?
Today, organizations face several major cybersecurity threats, including social engineering, phishing, ransomware, AI-enabled attacks, and insider threats. It is not one issue but a mix of threats that can affect a business. Cybercrime is expected to cost companies worldwide around $10.5 trillion annually by 2025, so it is critical to address all of these threats to keep your organization safe.
How Can Organizations Stop Ransomware?
Stopping ransomware starts with understanding how these attacks unfold. Organizations must keep systems patched, enforce strong access controls such as MFA, maintain tested offline backups, and educate staff. 2Secure can help by running ransomware attack simulations and penetration testing to find and close gaps in your security before attackers exploit them.
Sources:
- [1] Cyberattack on Change Healthcare | HHS. (2024, March 13). Department of Health and Human Services. https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf
- [2] #StopRansomware: RansomHub Ransomware | CISA. (2024, August 29). Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a