RansomHub Brings Scattered Spider Into Its RaaS Nest
The threat group behind breaches at Caesars and MGM moves its business over to a different ransomware-as-a-service operation.
June 12, 2024
Last spring's spectacular implosion of mainstay ransomware-as-a-service (RaaS) operation BlackCat/AlphV left its affiliates burned — gamed out of millions they were owed for past scams and left without infrastructure to support their future cybercrime aspirations. What ensued was a recruiting war for the best affiliates into the RaaS groups left standing.
The RansomHub RaaS group appears to have scored a major victory by attracting the Scattered Spider threat group into its affiliate ranks, according to new research from GuidePoint Security. A detailed analysis reveals that Scattered Spider, a notoriously aggressive threat group behind the 2023 ransomware attacks on Caesars Entertainment and MGM Resorts, has been carrying out ransomware attacks using RansomHub starting earlier this year.
RansomHub RaaS Recruiting Campaign
The timing jibes with ads posted on the Dark Web by RansomHub promising prospective affiliates juicy 90/10 ransom splits with the group, as well as the promise to allow the cybercriminals to get paid first and pay out the group later, to avoid "exit scams" like the one BlackCat pulled last March, according to Jason Baker, senior threat consultant with GuidePoint Security.
"Scattered Spider affiliates may also have been attracted to RansomHub based on the movement of peers or positive word-of-mouth," Baker tells Dark Reading.
Since those ads began, RansomHub has seen remarkable growth, Baker adds.
"RansomHub began claiming victims publicly on its data leak site in February, and has since posted over 75 victims in an alarmingly quick rise to prominence amid its peers, who generally operate at a slower pace in early months of operations," he says. As the group continues to attract talented cybercriminals who can earn a dishonest buck with RansomHub, the RaaS outfit is likely to continue to expand its operation, Baker predicts.
"If RansomHub operations are enjoying some level of success in revenue generation, and/or if other sophisticated affiliates have begun working with RansomHub, it could make the group a more attractive destination amidst other options," Baker says.