Ransomhub Attacking Industrial Control Systems To Encrypt And Exfiltrate Data

Ransomhub, a new ransomware group, has targeted the SCADA system of a Spanish bioenergy plant, Matadero de Gijón, an incident that highlights the critical security risks associated with Industrial Control Systems (ICS) across various industries. 

Since 2022, numerous cyberattacks have exploited vulnerabilities in ICS, causing significant disruptions to operations and infrastructure. This highlights the need for robust security measures to safeguard ICS environments. 

Ransomhub posts on their DLS 

The Ransomhub ransomware group claimed unauthorized access to Gijón’s Bio-Energy Plant’s Supervisory Control and Data Acquisition (SCADA) system, which is critical for industrial process control. 


The group provided screenshots as evidence, showcasing their ability to manipulate the plant’s Digester and Heating system controls.

While the exact size of the data breach remains unclear (varying between 15 GB and 400 GB), the compromised SCADA system poses a significant risk to the plant’s operations. 

SCADA system allegedly controlling the Heating Systems of the Digester Tank 

Ransomhub, a RaaS operation first advertised in February 2024, utilizes Golang and C++ for its locker component and leverages asymmetric cryptography (X25519) together with a choice of symmetric algorithms (AES-256, ChaCha20, and XChaCha20) to encrypt victim data at high speed. 

Notably, Ransomhub restricts attacks on CIS countries, Cuba, North Korea, and China, possibly reflecting pro-Russian leanings.

Since its emergence, they have claimed responsibility for 68 attacks, primarily targeting the IT & ITES sector and organizations within the United States. 

TA koley’s RaaS advertisement thread on the RAMP forum 

According to CRIL, they have been actively trying to expand their reach, as they attempted to recruit affiliates left behind by ALPHV/BlackCat’s exit scam by listing their targets on their DLS. 

However, the affiliates’ lack of interest led them to remove the targets.

To gain notoriety, Ransomhub has tried to capitalize on high-profile incidents like the Change Healthcare ransomware attack and is now making unsubstantiated claims of attacking SCADA systems. 

Ransomhub’s claims of possessing Change Healthcare data in a post that was deleted later 

They are targeting SCADA systems using stolen credentials bought from Initial Access Brokers on Russian-language forums. This shows that ransomware groups are taking a growing interest in Industrial Control Systems (ICS) environments, especially those with internet-connected Virtual Network Computing (VNC) devices. 

Security researchers warn that such setups significantly amplify the risk of similar attacks and urge a critical reassessment of cybersecurity strategies to protect these critical infrastructures.
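The setup the article warns about, VNC access reachable from outside the plant network in front of ICS equipment, is something a defender can check for in perimeter firewall logs. The following is an added example, not code from the article or from any product or vendor it mentions: it parses constructed key=value firewall log lines, treats anything outside a configured set of internal networks as external, and flags allowed external connections to VNC ports on hosts listed in a hypothetical OT asset inventory. The log format, the `OT_HOSTS` inventory and the sample addresses are all assumptions made for the example.

```python
"""Flag externally sourced connections to VNC ports on OT hosts in firewall logs.

Added example for illustration; the log format, host inventory and sample
lines below are constructed and do not come from the article or any real plant.
"""
import ipaddress
import re

# VNC listens on 5900 + display number; 5900-5906 covers the usual displays.
VNC_PORTS = range(5900, 5907)

# Hypothetical asset inventory: hosts that front SCADA/ICS equipment.
OT_HOSTS = {"10.20.30.5": "digester-hmi", "10.20.30.6": "heating-plc-gw"}

# Networks considered internal; everything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall log lines. The 203.0.113.0/24 and 198.51.100.0/24
# sources are documentation ranges standing in for internet addresses.
SAMPLE_LOG = """\
2024-04-10T03:12:44Z src=203.0.113.45 dst=10.20.30.5 dport=5900 proto=tcp action=allow
2024-04-10T03:12:51Z src=10.20.1.17 dst=10.20.30.5 dport=5900 proto=tcp action=allow
2024-04-10T03:13:02Z src=198.51.100.9 dst=10.20.30.6 dport=5901 proto=tcp action=deny
2024-04-10T03:14:10Z src=198.51.100.9 dst=10.20.30.6 dport=5901 proto=tcp action=allow
2024-04-10T03:15:00Z src=203.0.113.45 dst=10.20.30.9 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True if the address is not inside any configured internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_vnc(log_text, ot_hosts=OT_HOSTS):
    """Return one finding per allowed external connection to a VNC port on an OT host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "allow" or rec["dport"] not in VNC_PORTS:
            continue
        if rec["dst"] not in ot_hosts or not is_external(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "asset": ot_hosts[rec["dst"]],
        })
    return findings


def sources_with_prior_denies(log_text, ot_hosts=OT_HOSTS):
    """External sources that were denied on a VNC port before later being allowed.

    A deny followed by an allow from the same source often means a rule change
    or a credential that started working; both are worth a look.
    """
    denied = set()
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in VNC_PORTS or rec["dst"] not in ot_hosts:
            continue
        if not is_external(rec["src"]):
            continue
        if rec["action"] == "deny":
            denied.add(rec["src"])
        elif rec["action"] == "allow" and rec["src"] in denied:
            flagged.add(rec["src"])
    return sorted(flagged)


if __name__ == "__main__":
    for f in find_exposed_vnc(SAMPLE_LOG):
        print(f"{f['ts']} external {f['src']} -> {f['asset']} ({f['dst']}:{f['dport']}) ALLOWED")
    print("deny-then-allow sources:", sources_with_prior_denies(SAMPLE_LOG))
```

Run on the constructed sample, the check reports the two allowed external VNC connections (one to each OT host) and ignores the internal session, the denied attempt and the HTTPS connection to a non-OT host; the deny-then-allow check singles out the second external source. In practice the internal network list and OT inventory come from the site's own network documentation, and the finding itself is the point: any such hit means VNC on ICS equipment is reachable from outside and should be moved behind a VPN or jump host with multi-factor authentication.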

The anticipation is that ransomware groups will increasingly target OT environments and their components in the future. 


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.