RansomHub Never Sleeps Episode 1: The evolution of modern ransomware
ID: f5ef7d9e-4d27-5e14-bb41-dc57f65878a1
STIX ID: report--f5ef7d9e-4d27-5e14-bb41-dc57f65878a1
Feed Name: Group-IB Blog
Group-IB presents a technical analysis of RansomHub, a 2024 Ransomware-as-a-Service operation that recruited displaced affiliates, acquired rebranded source code, and has targeted 600+ organizations (including many in healthcare). The report details a DFIR case showing initial access via CVE-2024-3400 and brute-forced VPN credentials, lateral movement leveraging CVE-2021-42278 and CVE-2020-1472 (ZeroLogon), data exfiltration via FileZilla, EDR disabling using PCHunter and a vulnerable kernel driver, and multi-platform ransomware variants (Windows, Linux/FreeBSD, ESXi, SFTP), plus YARA rules and MITRE mappings.
