Knight Ransomware Rebranded and Targeting Healthcare and Businesses Globally
A new analysis has identified the emerging ransomware strain RansomHub as an updated and rebranded version of Knight ransomware, which itself evolved from Cyclops.

Knight ransomware, also known as Cyclops 2.0, first appeared in May 2023, employing double extortion tactics to steal and encrypt data for financial gain. It operates across multiple platforms, including Windows, Linux, macOS, ESXi, and Android.

Knight was advertised on the RAMP cybercrime forum, and its attacks typically relied on phishing and spear-phishing campaigns to deliver malicious attachments. The ransomware-as-a-service (RaaS) operation shut down in late February 2024, when its source code was put up for sale. This suggests it may have been acquired by a different actor, who then updated and relaunched it as RansomHub.

RansomHub's first victim was posted in February 2024, and it has since been linked to several ransomware attacks, including those on Change Healthcare, Christie's, and Frontier Communications. RansomHub has pledged not to target entities in the Commonwealth of Independent States (CIS) countries, Cuba, North Korea, and China.

Symantec, part of Broadcom, reported significant code overlap between Knight and RansomHub, making it difficult to differentiate between the two. Both payloads are written in Go, with variants obfuscated using Gobfuscate. They share identical command-line help menus, though RansomHub includes a new "sleep" option, similar to those seen in Chaos/Yashma and Trigona ransomware families. Other similarities include obfuscation techniques, ransom notes, and the ability to restart a host in safe mode before encryption. The primary difference lies in the specific commands executed via cmd.exe.

RansomHub attacks exploit known security flaws, such as ZeroLogon, to gain initial access and install remote desktop software like Atera and Splashtop before deploying the ransomware. According to Malwarebytes, RansomHub was linked to 26 confirmed attacks in April 2024, ranking it behind Play, Hunters International, Black Basta, and LockBit.

Mandiant, in a recent report, revealed that RansomHub is recruiting affiliates affected by the recent shutdowns of other ransomware groups like LockBit and BlackCat (aka ALPHV and Noberus). One former Noberus affiliate, known as Notchy, is reportedly working with RansomHub. Tools associated with another Noberus affiliate, Scattered Spider, were used in a recent RansomHub attack.

Mandiant noted that the rapid establishment of RansomHub’s operations suggests the group includes experienced operators with extensive cyber underground contacts.

The resurgence of ransomware in 2023 follows a slight decline in 2022. Approximately one-third of the 50 new ransomware families observed in the year are variants of previously identified families, highlighting increasing code reuse, actor overlaps, and rebrands.

Mandiant researchers observed that in nearly one-third of incidents, ransomware was deployed within 48 hours of initial access, with 76% of deployments occurring outside work hours, predominantly in the early morning. These attacks often use legitimate remote desktop tools to facilitate intrusion, reducing reliance on custom tools and making detection more challenging.

New ransomware variants like BlackSuit, Fog, and ShrinkLocker have emerged. ShrinkLocker, notable for its use of Visual Basic Script (VBScript) to abuse Microsoft's BitLocker utility for unauthorized file encryption, has targeted Mexico, Indonesia, and Jordan. It shrinks the existing partitions, turns the resulting unallocated space into a new primary boot partition, and reinstalls the boot files there to enable recovery.

Kaspersky’s analysis of ShrinkLocker highlights the threat actor’s extensive knowledge of VBScript, Windows internals, and utilities like WMI, diskpart, and bcdboot, indicating full control of the target system when the script was executed.
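The tool chain described in the two paragraphs above (a VBScript host driving diskpart and bcdboot) is visible in ordinary process-creation telemetry. The following detection logic is an added example, not code from Kaspersky or from the article; the event schema, host names and command lines are constructed for illustration and should be mapped onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Flag a script host (wscript/cscript) spawning disk and boot-file tools,
and escalate when both diskpart and bcdboot are seen on the same host,
which matches the partition-shrink-then-reinstall-boot-files sequence
described for ShrinkLocker. All records below are constructed samples."""
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISK_TOOLS = {"diskpart.exe", "bcdboot.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str            # endpoint the event came from (hypothetical field name)
    parent_image: str    # full path of the parent process
    image: str           # full path of the created process
    command_line: str    # command line, kept for analyst context only


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list) -> dict:
    """Return {host: {"tools": [...], "severity": "medium"|"high"}} for hosts
    where a script host launched diskpart and/or bcdboot. Interactive use by
    an administrator (parent explorer.exe or cmd.exe) is not flagged."""
    per_host = defaultdict(set)
    for ev in events:
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        if parent in SCRIPT_HOSTS and child in DISK_TOOLS:
            per_host[ev.host].add(child)
    findings = {}
    for host, tools in per_host.items():
        # Both tools from a script host on one machine: the full sequence.
        severity = "high" if tools == DISK_TOOLS else "medium"
        findings[host] = {"tools": sorted(tools), "severity": severity}
    return findings


# Constructed sample telemetry: ws01 shows the full sequence, ws02 is an
# administrator running diskpart interactively, ws03 only the shrink step.
SAMPLE = [
    ProcEvent("ws01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\diskpart.exe", r"diskpart /s C:\Users\Public\shrink.txt"),
    ProcEvent("ws01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\bcdboot.exe", r"bcdboot C:\Windows /s D:"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\diskpart.exe", "diskpart"),
    ProcEvent("ws03", r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\diskpart.exe", r"diskpart /s list.txt"),
]

if __name__ == "__main__":
    for host, f in detect(SAMPLE).items():
        print(host, f["severity"], ", ".join(f["tools"]))
```

Treat a "high" finding as a candidate for immediate isolation, since the page notes the script had full control of the system by the time it ran.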