RansomHub: New Ransomware has Origins in Older Knight

RansomHub, a new Ransomware-as-a-Service (RaaS) that has rapidly become one of the largest ransomware groups currently operating, is very likely an updated and rebranded version of the older Knight ransomware. 

Analysis of the RansomHub payload by Symantec, part of Broadcom, revealed a high degree of similarity between the two threats, suggesting that Knight was the starting point for RansomHub. 

Despite shared origins, it is unlikely that Knight’s creators are now operating RansomHub. Source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation. It is possible that other actors bought the Knight source code and updated it before launching RansomHub. 

RansomHub and Knight compared

Both payloads are written in Go and most variants of each family are obfuscated with Gobfuscate.  Only some early versions of Knight are not obfuscated. 

The degree of code overlap between the two families is significant, making it very difficult to differentiate between them.  In many cases, a determination could only be confirmed by checking the embedded link to the data leak site.

The two families have virtually identical help menus available on the command line. The sole difference is the addition of a sleep command in RansomHub.

Both threats employ a unique obfuscation technique, where important strings are each encoded with a unique key and decoded at runtime. For example, in the command “cmd.exe /c iisreset.exe /stop”, only the iisrest.exe string is encrypted with a unique key.

There are significant similarities between the ransom notes left by both payloads, with many phrases used by Knight appearing verbatim in the RansomHub note, suggesting that the developers simply edited and updated the original note.

One of the main differences between the two ransomware families is the commands run through cmd.exe. These commands may be configured when the payload is built or during configuration.  Although the commands themselves are different, the way and order in which they are called relative to other operations is the same.  

A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption. This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub. However, Snatch contains significant differences, including an apparent lack of configurable commands or any sort of obfuscation.

Another ransomware family that restarts the affected computer in safe mode before encryption is Noberus Interestingly, the encryptor stores its configuration in a JSON where keywords match what was observed in RansomHub.

RansomHub attacks

In recent RansomHub attacks investigated by Symantec, the attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472), which can allow an attacker to gain domain administrator privileges and take control of the entire domain.

The attackers used several dual-use tools before deploying the ransomware. Atera and Splashtop were used to facilitate remote access, while NetScan was used to likely discover and retrieve information about network devices. The RansomHub payload leveraged the iisreset.exe and iisrstas.exe command-line tools to stop all Internet Information Services (IIS) services. 

Rapid growth

Despite only first appearing in February 2024, RansomHub has managed to grow very quickly and, over the past three months, was the fourth most prolific ransomware operator in terms of numbers of attacks publicly claimed. The group last week claimed responsibility for an attack on UK auction house Christies. 

One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack.

The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.