RansomHub, the ransomware gang that this month claimed responsibility for the attack in April of telecommunications company Frontier, has had a meteoric rise since first appearing on the scene in February.

Along with the Frontier intrusion, RansomHub also has taken credit for several other high-profile ransomware attacks, including targeting international auction house Christie’s and putting up information stolen from Change Healthcare onto its leak site.

According to researchers with Broadcom’s Symantec business, between March and May, RansomHub grew into the fourth most-active ransomware operation in terms of the number of attacks they’ve claimed responsibility for. The notorious LockBit threat group was by far the most prolific, with almost 500 such claims, followed at a distance by Play and Qilin. RansomHub came in with fewer than 100, the Symantec Threat Hunter Team wrote in a report Wednesday.

Investigations by Symantec into recent RansomHub attacks found the bad actors were exploiting the Zerologon vulnerability in Microsoft’s Netlogon processes to gain initial access into victims’ networks. The flaw – tracked as CVE-2020-1472 – lets an attacker get domain administrator privileges and seized control of a domain.

“The attackers used several dual-use tools before deploying the ransomware,” Symantec researchers wrote. Atera [a remote monitoring and management (RMM) tool] and Splashtop [remote access and remote support software] were used to facilitate remote access, while NetScan was used to likely discover and retrieve information about network devices.”

Knight Turns into RansomHub

They wrote that the bad actors behind the RansomHub ransomware-as-a-service (RaaS) likely are using an updated and rebranded variant of the Knight ransomware, which itself was probably an evolution of another ransomware strain called Cyclops. The developers of Knight, which had been around since June 2023, decided to shut down their operation and put their source code up for sale on a hacking site in February, making version 3.0 an exclusive offer for a single buyer to maintain its value as a proprietary tool, according to cybersecurity firm SOC Prime.

“Analysis … revealed a high degree of similarity between the two threats, suggesting that Knight was the starting point for RansomHub,” the Symantec researchers wrote. “Despite its shared origins, it is unlikely that Knight’s creators are now operating RansomHub. … It is possible that other actors bought the Knight source code and updated it before launching RansomHub.”

There is an array of similarities between RansomHub’s malware and that from Knight, they wrote. Both payloads are written in the Go programming language, which like Rust has become increasingly popular with malware writers over the past several years because of its cross-platform capabilities, simplicity, and ease of use. Most of the variants of each family – with the exception of some early versions of Knight – are obfuscated with Gobfuscate, a legitimate software tool used to obfuscate Go binaries and packages.

In addition, both RansomHub and Knight have “virtually identical help menus” on the command line, though there also is a sleep command in RansomHub.

“Both threats employ a unique obfuscation technique, where important strings are each encoded with a unique key and decoded at runtime,” the researchers wrote.

Significant Overlap

They added that the “degree of code overlap between the two families is significant, making it very difficult to differentiate between them. In many cases, a determination could only be confirmed by checking the embedded link to the data leak site.”

There also are a number of similarities in the ransom notes left by each malware strain, with a number of phrases that were used by Knight bad actors appearing verbatim in the RansomHub note, which they wrote suggested that the RansomHub developers edited and updated the original Knight note.

That said, there are differences, with a key one being the commands run through cmd[.]exe, which can be configured when the payload is built or during configuration. Still, while the commands are difference, they way and order that they’re called in relation to other operations is the same, they wrote.

Another feature used by both Knight and RansomHub is the ability to restart an infected endpoint in safe mode between starting the encryption of files. This technique was used by the Snatch ransomware operation in 2019, and that malware also was written in Go and has similar features, which may indicate that the Knight and RansomHub ransomware could be a fork of the Snatch source code, though the researchers seem doubtful, arguing that there were significant differences in Snatch’s code vs. that of RansomHub and Knight.

Noberus’ Role in RansomHub’s Rise

However, Noberus is another ransomware group that restarts an infected computer in safe mode before encryption and the encryptor stores its configuration in a JSON with keywords that match was has been seen in RansomHub, the Symantec researchers wrote. Noberus, a one-time affiliate of the prolific BlackCat RaaS operation, and other ransomware groups likely are another contributing factor to RansomHub’s rise.

Earlier this year, U.S. and international law enforcement agencies seized LockBit’s public-facing websites and took control of its servers in a move to disrupt the RaaS group’s operations. That came after a similar operation against BlackCat – also known as ALPHV – late last year. In a report in March, GuidePoint Security reported that in the wake of the law enforcement actions, smaller RaaS groups – including RansomHub – began recruiting disenchanted LockBit and BlackCat affiliates that were looking for new homes.

“One former Noberus affiliate known as Notchy is now reportedly working with RansomHub,” the researchers wrote. “In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attack.”

They added that the “speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.”