RansomHub Ransomware

Facing a Ransomware Attack or Security Breach?

When you're under threat, every second counts. If your systems have been compromised or you need urgent assistance, get in touch with us straight away.

RansomHub emerged in February 2024 as a Ransomware-as-a-Service (RaaS) provider and has quickly become the second most active group worldwide.

When your systems are infected by RansomHub, you’ll typically receive a notification similar to the one displayed here. This alert signifies that a sophisticated cybercriminal group has breached your systems, taking both your data and access hostage while demanding a ransom, often paid in cryptocurrency like Bitcoin. 

Why It's Crucial Not to Alter Your Ransomware-Affected System 

Imagine arriving at your office to discover a break-in. Your first instinct would be to contact the police and avoid touching anything, knowing that disturbing the scene could interfere with the investigation. 

A cyberattack requires the same caution. It’s vital not to tamper with the affected environment. A Digital Forensics team will need to conduct a thorough investigation, and this isn’t a task for your internal IT staff or Managed Service Provider (MSP). 


If you come across a "ReadMe" file containing ransom demands or similar details, it's likely you've fallen victim to a RansomHub attack. 

DO NOT ATTEMPT TO MODIFY, RECOVER, OR REPLACE THE DATA.

Who is RansomHub, and What Are Their Activities?

Emerging in February 2024, RansomHub quickly made a name for itself in the ransomware landscape, first targeting an organisation in Brazil before claiming responsibility for attacks on hundreds of victims worldwide. The group claims to adhere to a self-imposed ethical code, which includes not attacking non-profits or re-targeting prior victims. 

In contrast to most ransomware groups, RansomHub describes itself as a collective of global entities. However, an examination of its operations reveals strong similarities to Russian-based ransomware models. The group openly recruits affiliates, consistent with a Ransomware-as-a-Service (RaaS) model, and promotes rapid encryption as its key differentiator. The ransomware it deploys is written in Golang and C++ and can target Windows, Linux, and ESXi systems. 


How Does RansomHub Operate? 

RansomHub employs a double extortion strategy, which first involves encrypting a victim’s data to make it inaccessible. Simultaneously, the attackers extract sensitive information such as personal or corporate data. They then demand payment to decrypt the files and prevent the stolen data from being released on the dark web. 

This two-pronged approach places immense pressure on the victim to comply, even if backups are available, due to the risk of data exposure. The potential for reputational harm and legal repercussions further compels the victim to pay the ransom. This method has become increasingly popular among cybercriminals, as it boosts their likelihood of receiving payment. 

How Long Has RansomHub Been Active and How Many Attacks Have Occurred? 

RansomHub officially emerged in early 2024, although it is believed to be the continuation of a previously disbanded group, making its exact age hard to determine. 

In a little over a year, RansomHub has targeted 844 victims. 


With round-the-clock availability every day of the year, Solace Cyber has delivered Digital Forensic Incident Response services across hundreds of successful recovery operations in Australia. 

“The number of active ransomware groups more than doubled year-over-year, increasing 55% from 29 distinct groups in Q1 2023 to 45 distinct groups in Q1 2024.”


Steps After a Security Breach 

When a cyber incident occurs, take these immediate actions: 

  • Contact your business insurance provider straight away 
  • Review your business continuity plan to determine which operations can continue without your usual systems and data 
  • Document the incident for regulatory compliance purposes 

Solace Cyber acts as your specialist digital forensics partner in Australia, helping restore normal operations swiftly. Our response includes: 

  • Securing and isolating your environment to preserve evidence for thorough forensic analysis 
  • Tracking down where your data has been copied and executing legal removal requests 
  • Mapping out recovery points for your data, applications and systems, then carefully reconstructing them in a secure, clean environment 
  • Coordinating directly with your insurance provider and law enforcement as required 
  • Providing guidance on customer communication regarding the incident 
  • Reconstructing your infrastructure, recovering your data and returning you to complete operational status 

Recovery timelines typically range from 2 weeks to 2 months, depending on the incident's scope. 

Ransom Groups Stats by Industry

Figure: critical infrastructure ransomware attacks, 2021 (bar chart)

Who Is Solace Cyber and What Experience Do They Have in Recovering from RansomHub Ransomware Attacks?

Solace Cyber delivers global risk and security services across Australia, specialising in travel, crisis support, and offshore risk management. The organisation runs a fully staffed security operations centre around the clock and maintains an internal intelligence unit that produces routine daily and weekly updates. The business is certified to ISO 27001, ISO 14001, ISO 45001, and ISO 9001 standards. 

Founded in the UK in 2021, Solace Cyber has grown its presence throughout Australia, concentrating on cyber incident handling, including digital forensics, incident response, ransomware events, information security, and wider risk management, supported by managed security services. The senior leadership team has more than two decades of combined experience across security and IT. 



What Makes Solace Cyber Better Equipped Than Internal IT Teams For Ransomware Recovery? 

Specialist forensic investigation and secure restoration demand focused expertise that standard IT departments rarely possess. Your internal teams excel at day-to-day technology support, but ransomware response requires dedicated capabilities they typically lack. 

Consider these key challenges facing in-house teams: 

  • Most internal IT staff lack the specialised training needed to tackle advanced encryption attacks 
  • Pressure to resume operations quickly can lead teams to restore systems prematurely, compromising vital forensic evidence 
  • Without thorough investigation, recovery may reintroduce the same vulnerabilities, leaving your business exposed to repeated attacks 
  • The cybersecurity skills shortage intensified throughout 2022, with CSIRT (computer security incident response team) positions remaining critically understaffed 
  • Threat actors have become significantly more sophisticated since 2024 

We created Solace Cyber specifically to address ransomware incidents through our structured 6-phase methodology: 

  1. Triage 
  2. Analysis 
  3. Contain and Mitigate 
  4. Remediate and Eradicate 
  5. Recover 
  6. Post-Incident Examination 

Our comprehensive forensic investigation begins at phase 2, forming the foundation of your business continuity plan. This detailed analysis proves essential for: 

  • Pinpointing when the initial compromise occurred 
  • Mapping the full scope of system infiltration 
  • Assessing data theft implications for compliance requirements 
  • Guaranteeing complete removal of attacker access and malicious tools 

We execute our evidence examination according to a carefully structured protocol designed to identify root causes quickly. This discovery directly informs our eradication strategy and recovery plan, while building the evidence base for potential legal action. Through legal proceedings, we can help secure court orders preventing criminals from publishing your data, effectively nullifying their ransom demands. 

Throughout your incident response, our Digital Forensic and Incident Response specialists maintain continuous coordination. Your dedicated Incident Manager and technical leads deliver regular progress updates, manage risk documentation, and operate within your change control frameworks from initial triage through final recovery. 

Key Takeaways

  • You will lose access to your systems and data. 
  • To limit further damage, disconnect from the internet and shut down your devices, including PCs. 
  • Your Office 365 account could also be compromised, enabling attackers to monitor your communication. Refrain from using your primary email or team systems for any interactions. 
  • Threat actors likely infiltrated your system 2–4 weeks prior to detection, meaning your data may already have been stolen. If your system is encrypted, the breach didn’t occur overnight. 
  • Ransom demands can range from £500,000 to £3 million. 
  • Paying the ransom may breach financial sanctions, leading to criminal charges and potential imprisonment or hefty fines. 
  • If data is sold or exposed online, it poses a risk to your customers and staff, and you could be held liable for a data protection violation. 
  • A data takedown request must be made at the initial location where the data was released. 
  • Avoid overwriting encrypted files. It's essential to determine the exact timeline of the infection and where your data was sent. 
  • Do not restore from the most recent backup, as it may be compromised. 

How Can I Ensure Future Security to Avoid Another Ransomware Attack?

At Solace Cyber, our support extends beyond just recovery. After your business is operational again, we collaborate with you to strengthen your cybersecurity. Following our extensive process, we take a threat-informed approach to help safeguard your systems. 

Frequently asked questions

RansomHub operates on a Ransomware-as-a-Service (RaaS) model. Interestingly, it provides its affiliates with specific "guidelines" that emphasise the need for responsibility and ethical behaviour. Affiliates are expected to adhere to the terms agreed upon during initial negotiations, with non-compliance leading to the termination of their partnership. 

The RansomHub ransomware infiltrated your system through: 

  • Exploiting system vulnerabilities 
  • Using valid accounts 
  • Targeting network weaknesses 

To mitigate future risks, we recommend implementing policies to: 

  • Educate staff on the importance of cybersecurity and the potential consequences of non-compliance 
  • Enforce strong password practices 
  • Enable multi-factor authentication 
  • Remove inactive user accounts 
  • Conduct regular backups 
  • Ensure timely software and system updates 

After recovering from a RansomHub attack, Solace Cyber advises updating your business continuity plan, incorporating lessons learned from the attack and recovery process. 

Ransomware breaches typically cost around £500K, while smaller data breaches, such as email data leaks, can cost approximately £50K. There is often a tension between maintaining the environment for forensic analysis and swiftly recovering to minimise business disruption. The longer it takes to detect and resolve a breach, the higher the costs. 

Cybersecurity insurance claims are complex and can cover the expenses involved in investigating and resolving an incident. This includes costs for legal issues, business interruption, criminal liability, employment claims, and ransom payments. However, the cyber insurance market is volatile, and many policies are not being validated properly. 

Expertise is crucial when navigating this process, and that’s where Solace Cyber can assist. 

Law enforcement advises against paying ransom demands. Even if you choose to pay, there is no guarantee of regaining access to your data or preventing its distribution on the dark web. A growing trend has seen ransomware affiliates profiting from stolen data outside of the original RaaS agreements. 

Important Reminder: It is illegal to make payments to individuals or entities subject to financial sanctions, and these lists are constantly updated. 

It is likely that some of the lost data includes "Personal Data" of your customers, which you are legally obligated to protect. As a result, the loss of this data due to a ransomware attack means you must inform your customers as part of your legal and ethical responsibility. 

Fortunately, your insurance provider or legal team can guide you through the necessary steps. Alternatively, Solace Cyber has extensive experience working with insurers and legal professionals to help manage these situations during such challenging times. 

A ransomware attack presents one of the greatest threats to your business by: 

  • Disabling access to critical systems, potentially halting machinery and disrupting business processes. 
  • Preventing access to vital data, such as supplier and shipment details, customer orders, or other business-critical information. 

During a business interruption, identifying your position in the supply chain may be difficult. Resuming operations could be challenging, and if the disruption continues, your output will be impacted. Even after systems and data are restored, reconciling the work that occurred during the downtime will require meticulous planning for future tasks. 

This is why ransomware is considered one of the most damaging threats to a business, second only to receivership. 

Under Australian law, organisations experiencing ransomware attacks must report incidents to both the Australian Signals Directorate (ASD) and the Office of the Australian Information Commissioner (OAIC), particularly when personal information is compromised, ensuring regulatory compliance and coordinated national response. 

Contact Us

Suspect a Ransomware Incident?

Keep calm and step away from your systems. 

Avoid restoring files or altering data in any way, as doing so may complicate recovery efforts. 

Reach out to Solace Cyber now on +61 (0) 282 786100 or submit our contact form to have an expert return your call. 

We’ll take swift action to minimise downtime and restore stability to your operations. 


Solace Cyber helps companies across Australia recover from ransomware attacks and data breaches.


SOLACE CYBER LTD is registered in England & Wales no. 08830710

Incident Response Winner 2025

Solace Cyber

Zensec Ltd,
60 Martin Place,
Sydney,
NSW 2000
