GOLD HUBBARD
SUMMARY
GOLD HUBBARD is a financially motivated cybercrime group that operates the RansomHub ransomware-as-a-service (RaaS) scheme. It uses the name-and-shame, or double extortion, model, meaning affiliates of the scheme steal data and hold it to ransom in addition to encrypting files and systems. The first victim was named on the RansomHub leak site on February 17, 2024. The number of listed victims steadily increased through 2024, likely as a result of the scheme's expansion as affiliates switched from LockBit after it was disrupted by law enforcement in February and from ALPHV/BlackCat following the shuttering of its operation in a likely exit scam in March.
According to Symantec, the RansomHub ransomware bears similarities to Cyclops and Knight variants that were used consecutively in name-and-shame ransomware operations in mid- to late-2023. It is possible that RansomHub represents a rebrand of Knight ransomware, although it is more likely the RansomHub developers used the Knight source code after it was sold on an underground forum around the same time RansomHub began operating.
The apparently large number of affiliates working with RansomHub means that a variety of tools and tactics, techniques and procedures (TTPs) will be seen in deployments of the ransomware. CTU researchers have observed a Citrix account protected only by single-factor authentication abused for initial access, while the Cybersecurity and Infrastructure Security Agency (CISA) cites spear phishing, password spraying and the exploitation of vulnerabilities in internet-facing services as initial access vectors in RansomHub intrusions. Multiple such vulnerabilities have been exploited by affiliates, including flaws in FortiOS, Citrix ADC (NetScaler) and Confluence Data Center. The Zerologon vulnerability in Microsoft's Netlogon has also been exploited.
RansomHub affiliates use a range of off-the-shelf, freely available and cracked legitimate tools in support of their activities. These include the Mimikatz credential harvesting tool, the Cobalt Strike and Sliver adversary simulation frameworks, the AngryIPScanner network discovery tool, and Rclone and WinSCP for data exfiltration. Both Trend Micro and Sophos have reported on the use of a custom tool called EDRKillShifter in RansomHub attacks to disable endpoint detection and response (EDR) solutions for defense evasion. RansomHub ransomware has variants that its affiliates can use to encrypt files on both Microsoft Windows devices and VMware ESXi hosts.