RansomHub, a relatively new player in the ransomware ecosystem, targeted Frontier in a sophisticated cyber attack. The group has gained notoriety for its recent involvement in various high-profile ransomware attacks. The attack on Frontier took place in April 2024 and involved the exfiltration and encryption of sensitive data belonging to the company. RansomHub claims to have accessed and downloaded crucial information about Frontier’s products, clients and partners in file formats such as pdf, pptx, ppt, dwg, dxf, prt, sldprt, asm, sldasm, sdcpc, sdac, sdcc, sdwc, doc, dwt, dws, prt, and sdp.
Attack Overview
Victim: Frontier (telecommunications company)
Attack Date: April 2024
Threat Actor: RansomHub ransomware group
Attack Vector: Initial access was gained by exploiting the ZeroLogon vulnerability (CVE-2020-1472) in Microsoft's Netlogon Remote Protocol.
Malware Used: RansomHub ransomware, based on the Knight ransomware source code.
TTPs: RansomHub deployed legitimate tools such as Atera and Splashtop for remote access and NetScan to gather information about network devices.
Attack Outcome: RansomHub successfully exfiltrated and encrypted Frontier's files, demanding a ransom for their release.
Attack Tactics, Techniques, and Procedures (TTPs)
RansomHub leveraged known security flaws, including the ZeroLogon vulnerability (CVE-2020-1472), to gain initial access to Frontier's network. The group then deployed remote desktop software, such as Atera and Splashtop, to establish persistent access and collect information about network devices using NetScan. These legitimate tools were abused by the attackers to maintain control and gather intelligence.
Once inside the network, RansomHub deployed a ransomware payload, encrypting files on infected Windows PCs. The group employed obfuscation techniques, including Gobfuscate, to cover their tracks and make detection and analysis more challenging. The ransom notes dropped after encryption were similar to those used by the Knight ransomware, indicating a significant code overlap between RansomHub and Knight.
Post-Attack Actions
After the attack on Frontier, RansomHub claimed responsibility and posted stolen data on their leak site. The group attempted to extort Frontier by threatening to sell or leak the stolen data if the ransom demand was not met. RansomHub also targeted other high-profile organizations, including Christie's auction house and Change Healthcare, further demonstrating their capabilities and willingness to exploit vulnerable targets.
Frontier’s Response and Impact
Frontier detected the attack through its security monitoring systems, which flagged suspicious activities and anomalies. Upon detection, Frontier's incident response team swiftly isolated affected systems to prevent further spread of the ransomware and initiated a thorough investigation to determine the extent of the breach, identify compromised systems, and assess the impact on sensitive data.
The company applied patches and updates to address the ZeroLogon vulnerability and implemented additional security measures to strengthen its defenses against future attacks. Relevant stakeholders were promptly notified, including customers and regulatory authorities, about the breach and the steps taken to mitigate its impact. Frontier also collaborated with law enforcement agencies to share information and aid in the investigation and potential prosecution of the attackers.
The company commenced communications with RansomHub to explore options for recovering their encrypted data without paying the ransom.
The impact of the attack on Frontier has been significant. The exfiltration and encryption of sensitive data have raised concerns about potential data leaks or sales to competitors if the ransom is not paid. This has put pressure on Frontier to make strategic decisions regarding the ransom payment and the protection of its reputation and customer trust.
About RansomHub
The RansomHub group has gained notoriety in recent months, with their attack on Frontier being one of several high-profile incidents. Their use of the Knight ransomware source code and their recruitment of former members of the BlackCat/ALPHV ransomware group have enhanced their capabilities and contributed to their rapid growth. Their TTPs include:
Initial Access: RansomHub gains initial access to the victim's network by exploiting known security vulnerabilities, such as the ZeroLogon vulnerability (CVE-2020-1472), which allows for the elevation of privileges.
Remote Access: Once inside the network, the threat actors deploy legitimate remote access tools like Atera and Splashtop to maintain persistence and move laterally across the network.
Information Gathering: RansomHub utilizes tools like NetScan to collect information about network devices, aiding in their reconnaissance efforts.
Ransomware Deployment: After establishing a foothold, RansomHub deploys its ransomware payload, encrypting files on infected Windows PCs. They then demand a ransom payment in exchange for decrypting the files.
Data Exfiltration: To increase pressure on victims, RansomHub exfiltrates sensitive data before encrypting it. They threaten to leak or sell the stolen data if the ransom is not paid.
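As an added detection example (not part of the original report), the Python below triages a few constructed Windows Security events for the TTPs listed above: a domain controller still permitting the vulnerable Netlogon secure channel (Event 5829), a machine-account password reset by an anonymous caller (Event 4742, the ZeroLogon pattern), and execution of Atera, Splashtop or NetScan on hosts where they are not sanctioned. The executable names, the pipe-delimited log format and the sample events are assumptions made for this example.

```python
import ntpath

# Executable names assumed for the tools the report names; verify against your own
# software inventory. APPROVED_TOOLS lists the ones you deploy on purpose; the rest are flagged.
WATCHED_TOOLS = {
    "ateraagent.exe": "Atera remote access agent",
    "srserver.exe": "Splashtop Streamer",
    "netscan.exe": "SoftPerfect NetScan network scanner",
}
APPROVED_TOOLS = set()

# Constructed sample events, not real Frontier telemetry. Format: host|event_id|key=value|...
# 5829 = Netlogon allowed a vulnerable secure channel, 4742 = computer account changed, 4688 = process creation.
SAMPLE_EVENTS = """\
DC01|5829|machine=WS-042$|msg=vulnerable Netlogon secure channel connection allowed
DC01|4742|target=DC01$|subject=ANONYMOUS LOGON|attr=Password Last Set
WS-042|4688|process=C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe|parent=msiexec.exe
WS-042|4688|process=C:\\Tools\\netscan.exe|parent=cmd.exe
WS-017|4688|process=C:\\Windows\\System32\\notepad.exe|parent=explorer.exe
"""

def parse_event(line):
    host, event_id, *fields = line.split("|")
    ev = {"host": host, "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev

def classify(ev):
    # Returns (host, rule, detail) tuples for one parsed event.
    eid, hits = ev["event_id"], []
    if eid == 5829:  # DC still accepts the insecure Netlogon channel that ZeroLogon abuses
        hits.append(("netlogon_vulnerable_channel_allowed", ev.get("machine", "?")))
    elif (eid == 4742 and ev.get("target", "").endswith("$")
          and ev.get("subject") == "ANONYMOUS LOGON"
          and "Password Last Set" in ev.get("attr", "")):
        # Machine-account password reset by an unauthenticated caller: the ZeroLogon pattern
        hits.append(("machine_account_password_reset_by_anonymous", ev["target"]))
    elif eid == 4688:
        exe = ntpath.basename(ev.get("process", "")).lower()
        if exe in WATCHED_TOOLS and exe not in APPROVED_TOOLS:
            hits.append(("unapproved_tool_execution", WATCHED_TOOLS[exe]))
    return [(ev["host"], rule, detail) for rule, detail in hits]

def triage(log_text):
    # Run every non-empty line through the rules and collect the findings.
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(classify(parse_event(line)))
    return findings
```

Feeding real Security log exports into triage() requires only a small adapter in parse_event(); the rules themselves key on the event IDs and field values shown.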