RansomHub Linked To Now Defunct Knight Ransomware

The relatively new ransomware gang RansomHub has been quick to cause waves amongst ransomware researchers. With increased attention comes increased analysis by researchers, who have now discovered possible links to the somewhat out-of-action Knight ransomware.

RansomHub Linked To Now Defunct Knight Ransomware

According to a recently published article by security firm Symantec, researchers stated,

RansomHub, a new Ransomware-as-a-Service (RaaS) that has rapidly become one of the largest ransomware groups currently operating, is very likely an updated and rebranded version of the older Knight ransomware…Despite shared origins, it is unlikely that Knight’s creators are now operating RansomHub. Source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation. It is possible that other actors bought the Knight source code and updated it before launching RansomHub.

Security researchers stated that the degree of code overlap between the two variants. Such an overlap is further determined to be significant, making it very difficult to differentiate between them. In many cases, researchers could only decide and subsequent confirmation by checking the embedded link to the data leak site.

Secondly, regarding similarities, the two variants have virtually identical help menus available on the command line. The sole difference is the addition of a sleep command in RansomHub's code base.

Thirdly, both threats employ a unique obfuscation technique, where important strings are each encoded with a unique key and decoded at runtime.

While not strictly code-related, there are significant similarities between the ransom notes left by both payloads, with many phrases used by Knight appearing precisely as in the RansomHub note; this suggests that the developers simply edited and updated the original note.

One of the significant similarities was highlighted by researchers stating,

A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption. This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub. However, Snatch contains significant differences, including an apparent lack of configurable commands or any sort of obfuscation.

While the similarities appear to be abundant, there are differences. One such being between the two ransomware families is the commands run through cmd.exe.

These commands may be configured when the payload is built or during configuration. Although the commands are different, the way and order they are called relative to other operations is the same.

The Rise of RansomHub

The cyber incident that made the infosec community take note of RansomHub occurred in May 2024. The well-regarded auctioneer Christie's announced that it had suffered a cyber incident.

Christie's is a prominent auction house with a history spanning 2.5 centuries. It operates in 46 countries and specializes in selling art, luxury items, and high-valued collectibles often associated with highly successful individuals.

Christie's has handled numerous notable auctions such as Leonardo da Vinci's Salvator Mundi for 450 million USD in 2017, the Yves Saint Laurent and Pierre Bergé collection for 370 million EUR in 2009, and Paul Allen's art collection that surpassed 1.5 billion USD in 2022.

RansomHub affiliates claimed responsibility for the attack and added Christie's to its dark web, which is used to announce successful attacks.

The ransomware gang also claimed it had breached the company and stole sensitive client data, as is typical of the now common double extortion tactic.

The cybercriminals claim to have access to the full names, physical addresses, ID document details, and other sensitive information of approximately 500,000 Christie's clients.

RansomHub uses reputation loss and heavy GDPR fines as a lever of pressure in its announcement of Christie's. The attackers also allege that they attempted to negotiate a resolution with the auction house, but the former abandoned negotiations at some point.

Like with many such attacks, Christie's did not mention who attacked them. Instead, company representatives stated,

Earlier this month Christie's experienced a technology security incident. We took swift action to protect our systems, including taking our website offline. Our investigations determined there was unauthorized access by a third party to parts of Christie's network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients.

One reason given for RansomHub's rather dramatic rise is that the ransomware's admins have successfully attracted some large former affiliates of the ALPHV ransomware gang, which ceased operations earlier this year.

A former infamous ALPHV affiliate, Notchy, is now on RansomHub's payroll. In addition, tools previously associated with another infamous ALPHV affiliate, Scattered Spider, were used in a recent RansomHub attack.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal