RansomHub
Threat actor, origin unknown
IoCs CSV
1 detection rule
RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. It has been linked to attacks that exploited the Zerologon vulnerability for initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service (RaaS) with a distinctive affiliate prepayment model. The group extorts victims and leaks stolen data to pressure them into paying.
Detection Rules
RansomHub_SIGMA_Detection (sigma, ai_generated)

```yaml
title: RansomHub Threat Actor Activity Detected via Identity-Based Lateral Movement and Rapid Privilege Escalation
id: 3a5f8b9d-4b2c-4f3a-9a1e-7d8c1a2b5f01
status: experimental
description: >
  Flags Security-log events associated with RansomHub tradecraft: NTLM network
  logons to machine or admin accounts, SAM user-object access, explicit-credential
  use from lsass.exe, and credential-dumping command lines. The original rule
  asked for a 75-minute time window; a plain Sigma detection has no time window,
  so that grouping must be done with a Sigma correlation rule or in the SIEM.
logsource:
  product: windows
  # EventIDs 4624, 4648, 4670 and 4688 are Security-channel events; the
  # process_creation category of the original rule does not cover them.
  service: security
detection:
  selection_ntlm_logon:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: NTLM
    TargetUserName:
      - '*$'
      - '*admin*'
  selection_sam_access:
    EventID: 4670
    AccessMask: '0x10'
    ObjectTypeName: 'SAM_USER'
  selection_explicit_creds_lsass:
    EventID: 4648
    ProcessName|endswith: '\lsass.exe'
  selection_credential_dump:
    # The original used Sysmon EventID 1; 4688 is the Security-log equivalent
    # and requires process command-line auditing to be enabled.
    EventID: 4688
    CommandLine|contains:
      - 'mimikatz'
      - 'sekurlsa::logonpasswords'
      - 'sekurlsa::tickets'
      - 'lsadump::sam'
      - 'lsadump::dcsync'
  # The original listed the four selections under one key (an OR); this is the same logic.
  condition: 1 of selection_*
falsepositives:
  - Legitimate administrative activity using pass-the-hash or credential dumping tools in non-standard scenarios
  - Automated scripts using NTLM for service authentication
level: critical
```

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.