RANSOMHOUSE Executive Summary
RansomHouse is a fairly new operation that focuses on breaching networks via vulnerabilities to steal their targets’ data. Although new threat actors emerge daily, there is something about RansomHouse that is different from what threat researchers are used to seeing. Despite their name, RansomHouse is not a ransomware operation but a data-extortion cybercrime operation.
Instead of encrypting systems and deploying ransomware, RansomHouse eliminates the encryption phase and simply requests payment for the data they steal. What’s more interesting is that the threat actors don’t take responsibility for their attacks, they instead point the finger at organizations (their victims) not having good security posture. Let’s take a look at RansomHouse attacks, their tactics and techniques, and how organizations can protect themselves from this kind of threat actor.
RansomHouse is thought to have debuted in December 2021, with their first victim allegedly being the Saskatchewan Liquor and Gaming Authority. The origins of RansomHouse are murky but Brett Callow of Emsisoft spoke with a representative of RansomHouse who spoke English with an Eastern European accent.
Image 1: White Rabbit
After the attack on the Saskatchewan Liquor and Gaming Authority, the group listed the organization on their extortion site, along with three other victims, including the Swedish rail company Dellner Couplers, the German airline support service provider AHS group, and Jefferson Credit Union.
Image 2: RansomHouse Naming Victim on Extortion Site
Source: Bleeping Computer
In June 2022, RansomHouse compromised Advanced Micro Devices (AMD) – a multinational semiconductor manufacturer. The threat actors stole 450GB of financial data and research, including a CSV file containing a list of over 70k devices belonging to AMD’s internal network.
Initially, AMD claimed that RansomHouse stole their data on January 5, 2022. However, the threat actors denied the claims and stated that January 5, 2022, is when the threat actors lost access to AMD’s network. A spokesperson from RansomHouse stated that access was provided by a partner organization, implying that the group used an access broker or corporate insiders to gain access to AMD’s network.
During the same month, AMD was added to the RansomHouse extortion site, not because they didn’t pay a demanded ransom, but because RansomHouse finds ransom negotiations time consuming. It appears the threat actors believe selling data to other threat actors is more profitable than attempting to negotiate a ransom payment.
By November 2022, Keralty, a multinational healthcare organization, was breached by RansomHouse. The attack disrupted the organization’s website and operations, as well as the operations of its subsidiaries. The Columbian healthcare provider operates an international network of 12 hospitals and 371 medical centers in the U.S, Spain, Latin America, and Asia. The group provides healthcare for over 6 million patients.
The attack on Keralty impacted the organization’s IT operations, scheduling of medical appointments, and the functionality of various websites. Patients were seen waiting in line for over twelve hours to receive medical care, some even fainting due to lack of medical attention.
Image 3: RansomHouse Note for Keralty After Stealing Data
Source: Bleeping Computer
In December 2022, one day before Christmas, RansomHouse added the government of Vanuatu to their leak site. Vanuatu is a small archipelago of the South Pacific Ocean. As a result, the threat actors exfiltrated 3.2TB of data and crippled Vanuatu’s government. The attack also disabled websites of the island’s parliament, police, and prime minister’s office – taking down the database of hospitals and schools. The RansomHouse attack brought Vanuatu to a standstill and the island still has not fully recovered.
Many of RansomHouse’s tactics are similar to the data extortion group, Lapsus$. Like Lapsus$, some have classified RansomHouse as a ransomware group. This is a mistake due to both groups not encrypting data on target networks. As previously stated, researchers have yet to confirm RansomHouse’s origins. White Rabbit’s (a ransomware strain with possible ties to the financial crime ring, FIN8) ransom notes were among the first to mention RansomHouse. However, RansomHouse insists that they only partnered with White Rabbit. However, Brett Callow suspects that RansomHouse is being operated by the same threat actors who operate White Rabbit.
As previously stated, RansomHouse campaigns focus on data exfiltration without encryption modules. Their goal is financial gain, and the threat actors operate manually, focusing on one victim at a time. RansomHouse keeps their actions simple and precise, investing resources in data exfiltration and vulnerability research. This model makes their attacks less complex than encrypting their victim’s assets.
If a victim refuses to pay the ransom, RansomHouse will shame them by publishing a portion of the victim’s data on their site. The public shaming casts a negative light on the breached organization with customers and shareholders watching. Within the site, RansomHouse lists URLs to media posts for victims who are actively being extorted. They do this to highlight the publicity of their attacks as a secondary extortion method. If victims still don’t pay the demanded ransom, their data is offered for sale on the dark web. If cyber criminals are not interested in buying the stolen data, then all the data is published on the RansomHouse Tor site.
RansomHouse also has a Telegram channel where they have been seen communicating with other threat actors on other channels. According to an analysis by Cyberint, the conversations are professional and “pro-freedom”. They also state in their channel that they don’t want to “mix business with politics or work with radical hacktivists/espionage groups.”
The threat actors also stated that many organizations refuse to invest the money required to secure their infrastructures and they don’t institute enough bug bounty plans. These statements led Cyberint to believe that RansomHouse is being run by disgruntled red-team pen-testers who are not happy with organizations’ low bounty payments and poor cyber security hygiene. Also, RansomHouse may have a connection to Lapsus$, as the group’s activities were seen advertised on the Lapsus$ Telegram channel.
While RansomHouse is clearly motivated by money, the group has also criticized AMD's poor security practices. After attacking AMD, the group stated that it was shameful that a high-profile technological entity like AMD allowed its employees to use weak credentials. This reinforces Cyberint’s belief that RansomHouse is a group of disgruntled white hat hackers looking to draw attention to its victims' lax security practices.
After an attack, RansomHouse conducts negotiations with their victims. They try to help the organization protect itself from future attacks by providing a full report on how they were breached and what vulnerabilities were exploited. Furthermore, they promise to delete stolen data, as well as evidence of the breached organization being on the group’s victims list. RansomHouse will also delete backdoors on the victim’s network.
Image 4: RansomHouse Commitment List
Until extortion attacks like data extortion become too difficult or extensive carry out, they won’t disappear from the cyber threat landscape. While it may be tempting to dismiss threat groups like RansomHouse due to their unsophisticated tactics, any disruption to an organization’s operations can have serious consequences.
When it comes to data extortion, backups are still important, but they won’t be enough to keep your organization from losing valuable data. Due to RansomHouse bypassing file encryption and focusing on data exfiltration, your security focus should be based on cyber security best practices and keeping threat actors out of your systems and networks.
Of course, backups are necessary and there will never be a time when they are not needed but focusing on keeping intruders out of your cyber environment in the first place will give you more leverage over data extortion groups. Implementing an intrusion prevention system (IPS) is a cyber security best practice that will help keep your organization safe.
An IPS is an intrusion prevention system that offers protection for networks by detecting and preventing threats. The system constantly monitors the network for intrusion prevention mechanisms and also checks for potential malicious events. Once incidents are found, the IPS reports those incidents to system administrators and takes measures to prevent possible attacks.
How does an IPS prevent attacks from succeeding? The IPS prevents attacks by using different response strategies including altering the security environment, stopping an attack itself, or altering the content of an attack.
The IPS operates by scanning traffic on a network, avoiding different risks such as:
Also, the IPS inspects any packet that passes through a network via real-time packet inspection. If a potential threat is observed, the IPS does one of the following:
If your organization implements an IPS strategy, there will be several benefits, including:
Avertium has advanced services that can help keep your organization safe:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.