Cybersecurity

Edit: removed hyperlink from gob[dot]mx and replaced . -> [dot]

The Mexican government’s gob[dot]mx website address was posted on the ransomware group’s dark leak blog early morning on Friday.

The Russian-linked cartel claims to have exfiltrated 313 gigabyte of information from the website’s servers.

The gang has set a deadline of ten days for the Mexico’s government to pay an undisclosed ransom demand before publishing the alleged stolen files,which according to the criminals include “Contracts, insurance, financials, confidential files.”

The database sample contains personal information on each employe including the employe’s full name, job title, an color headshot, which government building the employee works at, their email address, phone number extension, and some sort of ID reference number.

RansomHub is a relatively new player in the ransomware ecosystem, having posted its first victim on February 26th, 2024.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about the RansomHub gang on August 30th, triggered by its accelerated climb as one of the most active ransomware groups so far this year.

Threat intelligence researchers at Searchlight Cyber say RansomHub is now ”ranked third among the most prolific ransomware groups of H1 2024” and that the gang’s rapid rise suggests “possible connections to established players like BlackCat,” according to the firm's newly released ransomware report.

According to the CISA advisory, which provides a full list of known IOCs, including IP addresses, tools, known URLs, email addresses, and more, the cybercrooks are said to have breached at least 210 victims since February, almost at a rate of one victim per day.

RansomHub victims include various organizations, from critical infrastructure to private corporations in the US, including the oilfield servicing company Halliburton, allegedly breached by the gang in early August, as well as the US drug store chain Rite Aid in July.

RansomHub – thought to be one of the main affiliates connected to ALPHV/BlackCat at the time – claimed to have published a swath of files allegedly part of what was obtained during the Change Healthcare hack.

“Its representatives have been spotted recruiting affiliates on dark web forums, offering a fixed 10 percent fee and the option to collect ransom payments directly from victims before paying the core group.” SearchLight Cyber researchers said.

The Russian-linked ALPHV/BlackCat perpetrated its "exit scam" back in March by “taking the entire [$22 million] ransom payment from Change Healthcare without properly compensating the [RansomHub] affiliate responsible for the attack,” researchers explained.

It's been shown that the group’s setup closely resembles that of a traditional Russian ransomware setup, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China – typical of Kremlin-backed gangs.

RansomHub breach victims in the first half of 2024 include gaming laptop-maker Clevo, the high-profile Christie’s auction house, and Frontier, the 4th largest high-speed internet provider in the US covering 25 states.