New research provides insight into RansomHub
Despite first appearing earlier this year, RansomHub is already considered one of the most prolific ransomware groups in existence.
It operates a ransomware-as-a-service (RaaS) operation, meaning that a central core of the group creates and maintains the ransomware code and infrastructure, and rents it out to other cybercriminals who act as affiliates.
RansomHub has emerged as the most prevalent ransomware group in June 2024, overtaking the long-standing leader LockBit3, according to the latest Global Threat Index released by Check Point Software.
The report reveals that RansomHub, a relative newcomer believed to be a reincarnation of the Knight ransomware, was responsible for 21% of published ransomware attacks last month. This surge comes in the wake of law enforcement action against LockBit3 in February, which caused the group to lose loyalty among its affiliates.
Meanwhile, FakeUpdates (also known as SocGholish) has become the most widespread malware globally.
In India, the malware has seen a particular surge, with Indian organisations facing an average of 2,924 attacks per week over the past six months – more than double the global average of 1,401 attacks.
FakeUpdates was the most prevalent malware last month, affecting 7% of organizations worldwide, followed by Androxgh0st with a global impact of 6% and AgentTesla with a global impact of 3%.
Top malware families
FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes its payloads to disk before launching them. FakeUpdates has led to further compromise via many additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and the Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim's keyboard input and system keyboard, taking screenshots, and exfiltrating credentials for a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
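The Androxgh0st entry above says the botnet harvests credentials from Laravel files after exploiting exposed web applications. The following is an added example, not code from Check Point or from this article, of the kind of check a defender can run over web server access logs to spot that behaviour. It assumes that "Laravel files" refers to Laravel's `.env` configuration file (which holds database, mail and cloud credentials) and that the logs are in Apache combined format; the log lines are constructed for the example, and the IP addresses are documentation ranges rather than real indicators.

```python
import re
from collections import defaultdict

# Constructed sample Apache access log lines (not real traffic): one host
# repeatedly probing for .env at several paths, one ordinary visitor, and one
# host whose .env request was actually answered with HTTP 200.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2024:10:01:04 +0000] "POST /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:10:03:30 +0000] "GET /laravel/.env HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

# Apache combined log format: client IP, identd, user, timestamp, request line,
# status, response size (referer and user-agent are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A request whose path ends in /.env at any directory depth (assumption: this is
# the Laravel file the article refers to).
ENV_PROBE_RE = re.compile(r'/\.env$', re.IGNORECASE)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_probes(log_text):
    """Summarise .env requests per client IP.

    Returns {ip: {"count": total .env requests, "served": those answered 2xx}}.
    A 2xx answer means the configuration file was actually exposed.
    """
    summary = defaultdict(lambda: {"count": 0, "served": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if ENV_PROBE_RE.search(path):
            entry = summary[rec["ip"]]
            entry["count"] += 1
            if 200 <= rec["status"] < 300:
                entry["served"] += 1
    return dict(summary)


def classify(summary, scan_threshold=3):
    """Assign a severity per IP.

    'critical' if a .env file was served (treat the secrets in it as compromised
    and rotate them), 'scanning' if the host probed repeatedly, else 'probe'.
    """
    result = {}
    for ip, entry in summary.items():
        if entry["served"] > 0:
            result[ip] = "critical"
        elif entry["count"] >= scan_threshold:
            result[ip] = "scanning"
        else:
            result[ip] = "probe"
    return result


if __name__ == "__main__":
    summary = find_env_probes(SAMPLE_LOG)
    for ip, severity in classify(summary).items():
        print(f"{ip}: {severity} ({summary[ip]['count']} .env requests, "
              f"{summary[ip]['served']} served)")
```

Run against real logs, the "critical" case is the one to act on first: a 2xx on `.env` means the file was readable from the internet, so every credential in it (SMTP, AWS, Twilio and the like, exactly the data the article says Androxgh0st collects) should be rotated rather than merely blocking the source address.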