Rebranded Knight Ransomware Targets Global Healthcare and Businesses

A new ransomware strain called RansomHub has been identified as an updated and rebranded version of the Knight ransomware, which itself evolved from Cyclops.

Knight ransomware, also known as Cyclops 2.0, emerged in May 2023, using double extortion tactics to steal and encrypt data for financial gain. It targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android.

Initially sold on the RAMP cybercrime forum, Knight ransomware attacks often used phishing and spear-phishing campaigns to distribute malicious attachments. The ransomware-as-a-service (RaaS) operation was discontinued in February 2024 when its source code was sold. This likely led to its relaunch under the RansomHub brand.

RansomHub launched its first attack in February 2024 and has since been linked to numerous ransomware incidents, including those involving Change Healthcare, Christie’s, and Frontier Communications. The group has stated it will not target entities in CIS countries, Cuba, North Korea, and China.

Both Knight and RansomHub payloads are written in Go and obfuscated with Gobfuscate. The significant code overlap between the two makes them difficult to distinguish. Both ransomware families share similar command-line help menus, with RansomHub adding a “sleep” option to delay execution.

The similarities extend to their obfuscation techniques, ransom notes, and ability to restart a host in safe mode before encryption. The main difference lies in the specific commands executed via cmd.exe, although the sequence and method remain consistent.

RansomHub attacks exploit known security flaws, such as ZeroLogon, to gain initial access and install remote desktop software like Atera and Splashtop before deploying the ransomware. RansomHub was responsible for 26 confirmed attacks in April 2024, ranking it behind Play, Hunters International, Black Basta, and LockBit.

RansomHub is recruiting affiliates affected by recent shutdowns or exit scams, including those from LockBit and BlackCat. One former Noberus affiliate, Notchy, is now working with RansomHub, and tools associated with another Noberus affiliate, Scattered Spider, were used in recent RansomHub attacks.

The rapid establishment of RansomHub suggests that experienced operators with significant cyber underground contacts are behind it. Ransomware activity surged in 2023, with about one-third of new ransomware families being variants of previously identified ones, indicating prevalent code reuse and actor overlaps.

Attackers increasingly use legitimate remote desktop tools instead of custom tools like Cobalt Strike to evade detection and reduce development time. The rise of new ransomware variants, such as BlackSuit, Fog, and ShrinkLocker, has contributed to this trend.

To defend against RansomHub ransomware, ensure your systems are patched and up-to-date. Implement robust email security measures to filter out phishing and spear-phishing attempts. Use endpoint detection and response (EDR) tools to monitor and respond to suspicious activities.