RansomHub Ransomware Attack Uncovered Through CPU Spike Analysis

Published: November 12, 2025
Category: Hot Technology Sectors
Word Count: 294 words

Full Transcript

A recent ransomware attack attributed to RansomHub affiliates was uncovered following a significant spike in CPU activity on a server, according to Varonis. The incident began when a user unknowingly executed a malicious JavaScript payload disguised as a legitimate browser update.

This triggered automated reconnaissance and command-and-control activity: the attacker enumerated Active Directory users, queried system information, and hunted for credentials. Within minutes, the attacker deployed second-stage malware as a recurring Scheduled Task for persistence.

They downloaded a legitimate Python distribution along with an encrypted script that functioned as a SOCKS proxy, exposing the corporate network. The malware used multiple layers of encryption and anti-analysis techniques to avoid detection.

Varonis developed an unpacking routine to retrieve the payload, which was intended to facilitate communication between attacker endpoints and the internal network. The threat actor manipulated email signatures to embed malicious image references, potentially leading to credential harvesting.

Initial credential hunting efforts included scanning network shares for sensitive files and attempting to decrypt stored browser passwords using the Data Protection API. Privilege escalation occurred within four hours post-compromise, granting the attacker access to a Domain Admin account, likely exploiting misconfigured settings in Active Directory Certificate Services.

The attacker further targeted domain admin laptops and enabled Remote Desktop Protocol for unauthorized access. After deploying additional scripts for data gathering, they orchestrated data exfiltration using AzCopy, resulting in a significant increase in file access events.

This activity triggered the CPU spike that alerted the customer. Varonis' swift intervention severed the attacker's access, preventing the incident from evolving into a full-blown ransomware attack.
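The surge in file-access events that accompanied the AzCopy staging is the kind of signal a defender can alert on directly. The following is an added, constructed example (not Varonis' detection logic and not code from the report): it parses synthetic share-access audit lines, buckets them per account and minute, and flags any bucket far above that account's median rate. The `ratio` and `min_events` thresholds are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit lines: "<ISO timestamp>|<account>|<op>|<share path>".
# Thirty quiet minutes of three reads each, then a one-minute burst of 200
# reads, standing in for bulk staging before exfiltration.
def constructed_log():
    base = datetime(2025, 11, 10, 9, 0)
    lines = []
    for m in range(30):
        for i in range(3):
            t = base + timedelta(minutes=m, seconds=i * 15)
            lines.append(f"{t.isoformat()}|jdoe|read|\\\\fs01\\finance\\f{m}_{i}.xlsx")
    burst = base + timedelta(minutes=30)
    for i in range(200):
        t = burst + timedelta(milliseconds=i * 300)
        lines.append(f"{t.isoformat()}|jdoe|read|\\\\fs01\\finance\\d{i}.xlsx")
    return lines

def bucket_counts(lines):
    """Count events per (account, minute) bucket."""
    counts = defaultdict(int)
    for line in lines:
        ts, account, _op, _path = line.split("|", 3)
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        counts[(account, minute)] += 1
    return counts

def find_surges(lines, ratio=10.0, min_events=50):
    """Return (account, minute, count, baseline) for every bucket that is at
    least `ratio` times the account's median per-minute rate and also reaches
    `min_events`, so a quiet account with one extra read is not flagged."""
    per_account = defaultdict(dict)
    for (account, minute), n in bucket_counts(lines).items():
        per_account[account][minute] = n
    alerts = []
    for account, buckets in per_account.items():
        for minute, n in sorted(buckets.items()):
            others = [v for k, v in buckets.items() if k != minute]
            baseline = median(others) if others else 0
            if n >= min_events and n >= ratio * max(baseline, 1):
                alerts.append((account, minute, n, baseline))
    return alerts

if __name__ == "__main__":
    for account, minute, n, baseline in find_surges(constructed_log()):
        print(f"{minute:%H:%M} {account}: {n} file events (baseline {baseline:.0f}/min)")
```

In production the baseline would come from a longer history than the same log, and the alert would be enriched with the process (here, AzCopy) and host behind the reads.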

Their analysis linked this incident to RansomHub affiliates utilizing SocGholish malware for initial access. Thanks to Varonis' remediation efforts, the customer experienced zero business downtime, averting potential disaster.
