Full Report
The threat actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy. "RansomHub has targeted over 600 organizations globally, spanning sectors
Analysis Summary
# Threat Actor: RansomHub (RaaS Operator)
## Attribution & Identity
The threat actors operating the RansomHub ransomware-as-a-service (RaaS) scheme. No specific nation-state or definitive criminal organization attribution is provided in this summary.
## Activity Summary
RansomHub has rapidly become a top ransomware group in 2024, reportedly hitting over 600 organizations globally. A key part of their post-compromise strategy involves exploiting known vulnerabilities within Microsoft Active Directory and the Netlogon protocol to escalate privileges and achieve domain controller access.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Leveraging known security flaws for which patches are already available to gain a foothold.
- **Privilege Escalation:** Specifically exploiting vulnerabilities in Microsoft Active Directory and the Netlogon protocol to escalate privileges.
- **Post-Compromise:** Targeting and gaining unauthorized access to the victim network's domain controller.
- **Identified Exploits:**
  - Targeting flaws related to CVE-2021-42278 (noPac)
  - Targeting flaws related to CVE-2020-1472 (ZeroLogon)
## Targeting
- **Sectors:** Healthcare, finance, government, and critical infrastructure.
- **Geography:** Global (implied by "600+ organizations globally").
- **Victims:** Over 600 organizations, based on the reported 2024 activity.
## Tools & Infrastructure
- **Malware Families Used:** RansomHub (as part of the RaaS delivery model).
- **Infrastructure (C2, domains, IPs):** Not specified in the provided summary details.
## Implications
RansomHub poses a significant and rapidly evolving threat due to its high operational tempo (reaching 600+ victims) and its reliance on exploiting well-known but often unaddressed configuration weaknesses or infrastructure vulnerabilities, such as those found in Active Directory and Netlogon. Their choice of high-value sectors suggests a focus on impact and potential for high ransom payouts.
## Mitigations
- Immediately patch all systems against known vulnerabilities, specifically including CVE-2021-42278 (noPac) and CVE-2020-1472 (ZeroLogon).
- Harden Microsoft Active Directory and Netlogon configurations to prevent the abuse of these mechanisms for privilege escalation.
- Implement robust network segmentation to prevent lateral movement from initial compromise to the domain controller.
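The two hardening points behind the noPac and ZeroLogon mitigations above can be checked from a domain controller. The following is an added, read-only example written for this summary (it is not from the report or from any vendor); it assumes the RSAT ActiveDirectory module is present, that it runs on a domain controller with an account that can read the System log, and that the Netlogon enforcement registry value and event IDs are the ones Microsoft documented for the ZeroLogon patch.

```powershell
# Added example: read-only checks for the hardening points behind
# CVE-2020-1472 (ZeroLogon) and CVE-2021-42278 (noPac).
# Assumes RSAT ActiveDirectory and execution on a domain controller.
Import-Module ActiveDirectory

$findings = @()

# 1. ZeroLogon: Netlogon secure channel enforcement. On a patched DC enforcement
#    is on by default; FullSecureChannelProtection=1 makes it explicit, 0 turns
#    it off and leaves the DC exposed to the ZeroLogon RPC path.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = (Get-ItemProperty -Path $netlogonKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($fscp -eq 0) {
    $findings += 'FullSecureChannelProtection is 0: vulnerable Netlogon secure channel connections are still allowed.'
}

# 2. ZeroLogon: events 5827/5828 record vulnerable connections that were denied,
#    5829 records ones that were allowed. Any 5829 means a client (or an attacker)
#    still gets through the insecure path and the named machine needs follow-up.
$netlogonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829 } -MaxEvents 200 -ErrorAction SilentlyContinue
$allowed = @($netlogonEvents | Where-Object Id -eq 5829)
if ($allowed.Count -gt 0) {
    $findings += "$($allowed.Count) event(s) 5829: vulnerable Netlogon connections were allowed; review the machine names in those events."
}

# 3. noPac: the chain starts with an ordinary user creating a machine account.
#    A non-zero ms-DS-MachineAccountQuota lets every domain user do that.
$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) {
    $findings += "ms-DS-MachineAccountQuota is $maq: ordinary users can create computer accounts; set it to 0 unless a workflow needs it."
}

# 4. noPac: a computer object whose sAMAccountName lacks the trailing '$' is either
#    misconfigured or a leftover of the account-rename step; list them for review.
$oddComputers = @(Get-ADComputer -Filter * -Properties sAMAccountName | Where-Object { $_.sAMAccountName -notlike '*$' })
if ($oddComputers.Count -gt 0) {
    $findings += "Computer accounts without a trailing '`$': $($oddComputers.sAMAccountName -join ', ')"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean run prints "No findings."; anything else is a concrete item to patch, reconfigure, or investigate before the post-compromise step described above can succeed.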