Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

RansomHub

RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)

ID: S1212

Type: MALWARE

Platforms: Windows

Created: 17 Mar 2025

Last Modified: 27 Mar 2025

Domain	ID		Name	Use
Techniques Used
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	RansomHub has created an autorun Registry key through the `-safeboot-instance -pass` command line argument.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	RansomHub can use PowerShell to delete volume shadow copies.(Citation: Group-IB RansomHub FEB 2025)
		.003	Command and Scripting Interpreter: Windows Command Shell	RansomHub can use `cmd.exe` to execute multiple commands on infected hosts.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1491	.001	Defacement: Internal Defacement	RansomHub has placed a ransom note on comrpomised systems to warn victims and provide directions for how to retrieve data.(Citation: CISA RansomHub AUG 2024)
Enterprise	T1562	.009	Impair Defenses: Safe Mode Boot	RansomHub can reboot targeted systems into Safe Mode prior to encryption.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1070	.001	Indicator Removal: Clear Windows Event Logs	RansomHub can delete events from the Security, System, and Application logs.(Citation: Group-IB RansomHub FEB 2025)
		.004	Indicator Removal: File Deletion	RansomHub has the ability to self-delete.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	RansomHub has an encrypted configuration file.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1021	.002	Remote Services: SMB/Windows Admin Shares	RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.(Citation: Group-IB RansomHub FEB 2025)
Enterprise	T1497	.003	Virtualization/Sandbox Evasion: Time Based Evasion	RansomHub can sleep for a set number of minutes before beginning execution.(Citation: Group-IB RansomHub FEB 2025)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

RansomHub

Techniques Used

References