RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks

CVE-2020-1472 is a privilege escalation flaw that allows an attacker to take over an organization's domain controllers.


In recent attacks involving the ominously growing RansomHub ransomware, attackers have exploited the so-called ZeroLogon flaw in the Windows Netlogon Remote Protocol from 2020 (CVE-2020-1472) to gain initial access to a victim's environment.

Prior to deploying the ransomware, the attackers have used several dual-use tools, including remote access products from companies like Atera and Splashtop and network scanners from NetScan among others, researchers at Symantec by Broadcom said in a report this week.

"Atera and Splashtop were used to facilitate remote access, while NetScan was used to likely discover and retrieve information about network devices," Symantec said. "The RansomHub payload leveraged the iisreset.exe and iisrstas.exe command-line tools to stop all Internet Information Services (IIS) services."

ZeroLogon involves a privilege escalation condition that occurs when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol, says Adam Neel, senior threat detection engineer at Critical Start. "It will be very important for organizations to ensure that this vulnerability is patched and mitigated to help guard against attacks from RansomHub."
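For defenders verifying the patch status Neel refers to, the following added example (not from the article, Symantec, or Critical Start) triages the Netlogon events that Microsoft introduced with the CVE-2020-1472 update, IDs 5827 to 5831 in a domain controller's System log. The record layout, host names, and account names are constructed for illustration.

```python
from collections import defaultdict

# Netlogon events (System log, source NETLOGON) added by the CVE-2020-1472 update.
NETLOGON_EVENTS = {
    5827: "denied",             # vulnerable connection refused, machine account
    5828: "denied",             # vulnerable connection refused, trust account
    5829: "allowed",            # accepted: DC patched but not yet enforcing
    5830: "allowed_by_policy",  # accepted via Group Policy exemption, machine account
    5831: "allowed_by_policy",  # accepted via Group Policy exemption, trust account
}
SEVERITY = {"allowed": 3, "allowed_by_policy": 2, "denied": 1}
ACTION = {
    "allowed": "DC accepted an unprotected channel: move it to enforcement, update the client",
    "allowed_by_policy": "exempted in 'Domain controller: Allow vulnerable Netlogon "
                         "secure channel connections': remove once the device is updated",
    "denied": "DC refused the connection: identify the source device and why it tried",
}

# Constructed sample rows; the field names (dc, event_id, account) are hypothetical.
SAMPLE_EVENTS = [
    {"dc": "DC01", "event_id": 5829, "account": "LEGACY-APP01$"},
    {"dc": "DC01", "event_id": 5829, "account": "LEGACY-APP01$"},
    {"dc": "DC02", "event_id": 5827, "account": "NAS-FILER$"},
    {"dc": "DC02", "event_id": 5830, "account": "NAS-FILER$"},
    {"dc": "DC02", "event_id": 5827, "account": "UNKNOWN-HOST$"},
    {"dc": "DC02", "event_id": 5827, "account": "UNKNOWN-HOST$"},
    {"dc": "DC02", "event_id": 5827, "account": "UNKNOWN-HOST$"},
    {"dc": "DC02", "event_id": 4624, "account": "jdoe"},  # unrelated event, ignored
]

def triage(events):
    """Summarise per (DC, account), worst outcome first."""
    seen = defaultdict(lambda: {"count": 0, "outcomes": set()})
    for ev in events:
        outcome = NETLOGON_EVENTS.get(ev["event_id"])
        if outcome is None:
            continue  # not a Netlogon secure-channel event
        entry = seen[(ev["dc"], ev["account"])]
        entry["count"] += 1
        entry["outcomes"].add(outcome)
    findings = []
    for (dc, account), entry in seen.items():
        worst = max(entry["outcomes"], key=SEVERITY.get)
        findings.append({"dc": dc, "account": account, "worst": worst,
                         "count": entry["count"], "action": ACTION[worst]})
    return sorted(findings, key=lambda f: (-SEVERITY[f["worst"]], -f["count"], f["account"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['dc']} {f['account']:<15} {f['worst']:<18} x{f['count']}  {f['action']}")
```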

An Opportunistic Threat Actor

RansomHub is a ransomware-as-a-service (RaaS) operation and malware threat that has garnered considerable attention since first surfacing in February. Symantec currently ranks it as the fourth most prolific ransomware in terms of claimed victims, after Lockbit (recently taken down), Play, and Qilin.

BlackFog — among several security vendors tracking the threat — has listed more than five dozen organizations that RansomHub has victimized in the few months it's been operational. Many appear to be smaller and midsize firms, though there are a couple of recognizable names as well, most notably Christie's Auction House and UnitedHealth Group subsidiary Change Healthcare.

Dick O'Brien, principal intelligence analyst with Symantec's threat hunter team, says the group has publicly claimed 61 victims in the past three months. That compares to Lockbit's 489 victims, the Play group's 101, and Qilin's 92, he says.

RansomHub is among a small group of RaaS operators that have surfaced in the aftermath of the recent law enforcement takedowns of ransomware majors Lockbit and ALPHV/BlackCat. The group has tried to capitalize on some of the uncertainty and mistrust caused by the takedowns to attract new affiliates to its RaaS. One of its tactics is to offer affiliates the ability to collect ransoms directly from victims and then pay RansomHub a 10% cut. That's very different from the usual model, in which the RaaS operator collects ransom payments from victims and later pays the affiliate a cut.

Extensive Code Overlaps With Knight Ransomware

According to Symantec, there are several code overlaps between RansomHub and an older, now defunct ransomware family called Knight. The code overlaps are so extensive that it is very hard to distinguish between the two threats. Both payloads are written in the Go programming language and use the same obfuscator, Gobfuscate. Both have nearly identical help menus; they encode important code strings in exactly the same way and decode them at runtime; they can restart a target endpoint in safe mode prior to encryption; and they have the same command execution flow. Even the ransom notes associated with Knight and RansomHub are nearly the same, with many phrases from Knight appearing verbatim in RansomHub, Symantec said.

"[However], despite shared origins, it is unlikely that Knight's creators are now operating RansomHub," Symantec said. Rather, RansomHub operators purchased Knight source code when the operators of the latter put it up for sale earlier this year and are now simply reusing it, the security vendor said. "One of the main differences between the two ransomware families is the commands run through cmd.exe," the security vendor noted. "These commands may be configured when the payload is built or during configuration."

Symantec's discovery that RansomHub is based on Knight code is unlikely to make much of a difference to victims or others that the group is targeting. But it does offer an additional layer of information around the group and its TTPs.

"The group is growing quickly and is on track to be one of the most prolific ransomware groups in 2024," Neel says. "It is also worth noting that due to their recent success and notoriety, they have been able to recruit old members of the Blackcat/ALPHV ransomware group. This allows them to utilize the knowledge and tools used by this group to enhance their capabilities even further," he notes.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
