"RansomHub Extortion Gang Linked to Now-Defunct Knight Ransomware"

Security researchers at Symantec have analyzed the relatively new RansomHub ransomware-as-a-service (RaaS) and believe it evolved from the now-defunct Knight ransomware project. Knight ransomware launched in late July 2023 as a rebrand of the Cyclops operation and began breaching Windows, macOS, and Linux/ESXi machines to steal data and demand a ransom. The researchers noted that in February 2024 the source code for version 3.0 of Knight ransomware was put up for sale on hacker forums, the operation's extortion portal went offline, and the RaaS operation went silent. The researchers found multiple similarities between the two ransomware families: both are written in Go and use Gobfuscate for obfuscation; there are extensive code overlaps between the two payloads; both use the same distinctive obfuscation technique, in which important strings are encoded with unique keys; and the ransom notes are similar, with only minor updates in RansomHub's version. The researchers noted that these similarities suggest RansomHub was likely derived from Knight and confirm that the extortion group does use a data encryptor. According to the researchers, it is unlikely that RansomHub is run by Knight's creators; they believe another actor purchased the Knight source code and began using it in attacks.


BleepingComputer reports: "RansomHub Extortion Gang Linked to Now-Defunct Knight Ransomware"

Submitted by Adam Ekwall on