RansomHub Ransomware Expands Attacks on Windows, Linux, and ESXi


The RansomHub ransomware group has rapidly emerged as one of the most prolific cybercrime syndicates of 2024–2025. Expanding its operations, the group now targets Windows, VMware ESXi, Linux, and FreeBSD, compromising over 600 organizations in critical sectors like healthcare, finance, and infrastructure.

Multi-OS Encryption Capabilities

RansomHub’s ransomware variants are tailored for multiple operating systems, featuring unique command-line arguments and encryption techniques for each platform.

Windows Variant

The Windows ransomware variant leverages PowerShell commands for execution and evasion:

powershell RansomHub.exe -pass <SHA256> -fast -disable-net -skip-vm "VM1"

A JSON configuration file, decrypted at runtime, defines:

  • Allowed directories
  • Kill lists for processes/services
  • Credentials for lateral movement

ESXi Encryptor

The ESXi variant (C++-based) disrupts virtual machines using vim-cmd commands and encrypts VM files (.vmdk, .vmx) using ChaCha20 and Curve25519 algorithms.

A notable flaw in the ransomware’s /tmp/app.pid check allows defenders to prevent encryption by forcing an infinite loop:

// Code snippet from ESXi encryptor (read_pid() is the encryptor's own helper, not shown here)
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

if (access("/tmp/app.pid", F_OK) == 0) {   // a PID file from an earlier instance exists
    pid_t pid = read_pid();                 // parse the PID stored in /tmp/app.pid
    if (kill(pid, 0) == 0) {                // that process is still alive
        kill(pid, SIGKILL);                 // kill the earlier instance...
        exit(0);                            // ...and exit without encrypting
    }
}

Linux Variant

  • Uses intermittent encryption (1MB chunks)
  • Terminates key services like syslog to evade detection

FreeBSD Variant

  • Avoids critical directories (/boot, /etc)
  • Appends .interlock to encrypted files
  • Detected as Ransom.FreeBSD.INTERLOCK.THJBBBD


Initial Access: Exploiting Critical Vulnerabilities

RansomHub affiliates gain initial access by exploiting known vulnerabilities, including:

  • CVE-2024-3400 – Palo Alto Networks firewalls
  • CVE-2021-42278 & CVE-2020-1472 – Active Directory flaws (Zerologon)

Post-Compromise Actions

Once inside a network, RansomHub deploys various tools to disable security defenses and exfiltrate data:

  • PCHunter – Terminates EDR processes and deletes logs
  • FileZilla – Transfers stolen data to C2 servers
  • BYOVD Attacks – Uses vulnerable drivers (POORTRY.sys) to disable security tools

Additionally, RansomHub’s affiliate panel, acquired from the now-defunct Knight ransomware, lets affiliates customize ransom notes and integrate with leak sites.

Mitigation Strategies

Recommended Actions:

  • Patch CVE-2024-3400 immediately
  • Audit remote services for unauthorized access
  • Monitor PowerShell activity (e.g., suspicious commands like Get-CimInstance Win32_ShadowCopy | Remove-CimInstance)
  • Deploy YARA rules for RansomHub binaries
  • Block known IoCs, such as IP 10.10.10.10:22 and TOR URLs
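The PowerShell monitoring recommendation above is easiest to act on with a concrete triage routine. The following is an added example, not code from the article or from any vendor tool: it scans log lines for the indicators the article itself names, namely the shadow-copy deletion pipeline `Get-CimInstance Win32_ShadowCopy | Remove-CimInstance`, the Windows encryptor's command-line switches (`-pass <SHA256> -fast -disable-net -skip-vm`), and the `.interlock` extension the FreeBSD variant appends. The log line format (`<timestamp> <host> <source>: <text>`), the source labels, and the sample lines are all constructed for the example.

```python
"""Added example (not from the article): triage log lines for the RansomHub
indicators the article names, namely the shadow-copy deletion pipeline
"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance", the Windows
encryptor's command-line switches (-pass <SHA256> -fast -disable-net -skip-vm),
and the ".interlock" extension the FreeBSD variant appends.

Assumption: each log line is one string of the form
"<timestamp> <host> <source>: <text>". The sample lines below are constructed,
not real telemetry."""
import re

# Shadow-copy deletion via CIM, as quoted in the article's mitigation section.
SHADOW_COPY_DELETE = re.compile(
    r"Get-CimInstance\s+Win32_ShadowCopy\s*\|\s*Remove-CimInstance", re.IGNORECASE)
# The four switches from the article's Windows command line, as whole tokens.
RANSOMHUB_SWITCH = re.compile(r"(?<!\S)-(pass|fast|disable-net|skip-vm)(?!\S)", re.IGNORECASE)
# "-pass" followed by a 64-hex-character value (the <SHA256> in the article).
PASS_SHA256 = re.compile(r"(?<!\S)-pass\s+[0-9a-fA-F]{64}(?!\S)")
# A file name ending in the FreeBSD variant's ".interlock" extension.
INTERLOCK_EXT = re.compile(r"\S\.interlock(?!\S)", re.IGNORECASE)


def classify_line(line):
    """Return the names of every indicator found in one log line (empty if none)."""
    hits = []
    if SHADOW_COPY_DELETE.search(line):
        hits.append("shadow_copy_deletion_cim")
    # Require at least two of the switches together: "-pass" or "-fast" on
    # their own are common in legitimate tools and would be noisy.
    switches = {m.group(1).lower() for m in RANSOMHUB_SWITCH.finditer(line)}
    if len(switches) >= 2:
        hits.append("ransomhub_cmdline:" + ",".join(sorted(switches)))
    if PASS_SHA256.search(line):
        hits.append("ransomhub_pass_sha256")
    if INTERLOCK_EXT.search(line):
        hits.append("interlock_extension")
    return hits


def triage(lines):
    """Return [(line_number, indicators)] for every line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = classify_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log; the hash on line 3 is a made-up placeholder, not a real key.
SAMPLE_LOG = [
    "2025-03-01T10:00:01 host1 PS-4104: Get-ChildItem C:\\Users | Measure-Object",
    "2025-03-01T10:02:17 host1 PS-4104: Get-CimInstance Win32_ShadowCopy | Remove-CimInstance",
    "2025-03-01T10:03:40 host1 Sysmon-1: RansomHub.exe -pass "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "
    '-fast -disable-net -skip-vm "VM1"',
    "2025-03-01T10:05:00 host2 Sysmon-1: archiver.exe -pass secret backup.zip docs",
    "2025-03-01T10:07:12 bsd1 fs-audit: rename /srv/data/report.pdf -> /srv/data/report.pdf.interlock",
]

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The two-switch threshold is the design choice worth noting: a lone `-pass` (line 4 of the sample) is not reported, because that switch is common in benign archivers, while the combination seen on the article's command line is. Feed the functions real script-block (Event ID 4104) or process-creation text to use it against live telemetry.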

Final Thoughts

With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced affiliates from ALPHV/LockBit, organizations must:

  • Strengthen endpoint security
  • Ensure backup isolation
  • Implement multi-layered defenses to mitigate ransomware threats

As cybercriminals evolve, proactive detection, patching, and network monitoring are essential to preventing ransomware attacks.
