
RansomHub

RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)
ID: S1212
Type: MALWARE
Platforms: Windows
Created: 17 Mar 2025
Last Modified: 27 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RansomHub creates an autorun Registry key when launched with the `-safeboot-instance -pass` command-line arguments.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

RansomHub can use PowerShell to delete volume shadow copies.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RansomHub can use `cmd.exe` to execute multiple commands on infected hosts.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1491 .001 Defacement: Internal Defacement

RansomHub has placed a ransom note on compromised systems to warn victims and provide directions for how to retrieve data.(Citation: CISA RansomHub AUG 2024)

Enterprise T1562 .009 Impair Defenses: Safe Mode Boot

RansomHub can reboot targeted systems into Safe Mode prior to encryption.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

RansomHub can delete events from the Security, System, and Application logs.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1070 .004 Indicator Removal: File Deletion

RansomHub has the ability to self-delete.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

RansomHub has an encrypted configuration file.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.(Citation: Group-IB RansomHub FEB 2025)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

RansomHub can sleep for a set number of minutes before beginning execution.(Citation: Group-IB RansomHub FEB 2025)
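The entries above describe behaviours rather than artifacts, so a practitioner's next question is what to look for in telemetry. The following is an added example, not code from the ATT&CK entry, CISA, Group-IB, or any RansomHub sample: a small rule set that scores constructed Windows event records (Sysmon process-creation and registry-set events, Security 1102 / System 104 log-cleared events, Security 5140 share access) against the techniques listed for T1059.001, T1562.009, T1547.001, T1070.001 and T1021.002. Every host name, command line and registry path in it is constructed. The page does not say how RansomHub performs the Safe Mode reboot; the `bcdedit /set safeboot` pattern is the usual mechanism for T1562.009 and is an assumption here, not something the cited reports attribute to the malware. The indicators are generic for each technique and are not signatures of RansomHub.

```python
"""Rule-based triage of constructed Windows telemetry for the behaviours on this page.

Added example; not from the ATT&CK entry or any RansomHub sample. All events,
command lines, hosts and registry paths below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events flattened to dicts: Sysmon EID 1 (process creation),
# Sysmon EID 13 (registry value set), Security 1102 (audit log cleared),
# Security 5140 (network share accessed). None of these strings come from RansomHub.
SAMPLE_EVENTS = [
    {"host": "ws01", "eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    # Assumption: bcdedit safeboot is the common T1562.009 mechanism; the page does
    # not state which mechanism RansomHub itself uses.
    {"host": "ws01", "eid": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot network"},
    {"host": "ws01", "eid": 13, "image": r"C:\Users\Public\svc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\Public\svc.exe -safeboot-instance -pass <redacted>"},
    {"host": "ws01", "eid": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws01", "eid": 1102},                                        # Security log cleared
    {"host": "ws02", "eid": 5140, "share": r"\\*\ADMIN$", "src": "10.0.0.15"},
    {"host": "ws02", "eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},                          # benign, must not fire
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def _proc(ev, image_suffixes):
    """True for a process-creation event whose image ends with one of the given names."""
    return ev.get("eid") == 1 and ev.get("image", "").lower().endswith(image_suffixes)


def r_powershell_shadow_delete(ev):
    # T1059.001 as used on this page: PowerShell deleting shadow copies (WMI class or vssadmin).
    return _proc(ev, ("powershell.exe", "pwsh.exe")) and re.search(
        r"win32_shadowcopy|vssadmin\s+delete\s+shadows", ev.get("cmdline", ""), re.I) is not None


def r_safe_mode_boot(ev):
    # T1562.009: bcdedit safeboot, or a persisted command line carrying -safeboot-instance.
    return (_proc(ev, ("bcdedit.exe",)) and "safeboot" in ev.get("cmdline", "").lower()) or (
        ev.get("eid") == 13 and "-safeboot-instance" in ev.get("details", "").lower())


def r_run_key(ev):
    # T1547.001: a registry value set under a Run or RunOnce key.
    return ev.get("eid") == 13 and RUN_KEY_RE.search(ev.get("target", "")) is not None


def r_log_clear(ev):
    # T1070.001: the log-cleared events themselves, or the commands that produce them.
    if ev.get("eid") in (1102, 104):
        return True
    cmd = ev.get("cmdline", "")
    return (_proc(ev, ("wevtutil.exe",)) and re.search(r"\s(cl|clear-log)\s", cmd, re.I) is not None) \
        or re.search(r"clear-eventlog", cmd, re.I) is not None


def r_admin_share(ev):
    # T1021.002: Security 5140 access to an administrative share such as ADMIN$ or C$.
    return ev.get("eid") == 5140 and re.search(r"\\(ADMIN|[A-Z])\$$", ev.get("share", ""), re.I) is not None


RULES = [
    ("T1059.001", "PowerShell shadow copy deletion", r_powershell_shadow_delete),
    ("T1562.009", "Safe Mode boot", r_safe_mode_boot),
    ("T1547.001", "Run key persistence", r_run_key),
    ("T1070.001", "Windows event log clearing", r_log_clear),
    ("T1021.002", "Admin share access", r_admin_share),
]


def detect(events):
    """Map each host to the set of technique IDs whose rules fired on its events."""
    hits = defaultdict(set)
    for ev in events:
        for tid, _name, pred in RULES:
            if pred(ev):
                hits[ev["host"]].add(tid)
    return dict(hits)


def flagged_hosts(events, min_techniques=3):
    """Hosts showing at least min_techniques distinct techniques (threshold is a constructed choice)."""
    return sorted(h for h, tids in detect(events).items() if len(tids) >= min_techniques)


if __name__ == "__main__":
    for host, tids in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, sorted(tids))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The per-host threshold matters more than any single rule: a lone Run key or one `wevtutil cl` is common administrative noise, while shadow copy deletion, a Safe Mode reboot and log clearing on the same host in a short window are the combination this page describes and are worth paging on.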
