// 01Executive summary
This week the RansomHub ransomware group is actively targeting electronics manufacturers and claims to have exfiltrated sensitive engineering documents, which calls for immediate endpoint protection and incident response. Critical vulnerabilities in Fortinet, Zoom, and Anthropic's Git server are either under active exploitation or enable remote code execution, demanding urgent patching and a review of logs for signs of compromise. Recent data breaches, such as those at Under Armour and Raaga, expose millions of customer records and raise the risk of credential stuffing and phishing. Organizations should enforce strong password policies, monitor for suspicious login attempts, and educate users on evolving AI-driven phishing techniques. AI-generated exploits for zero-days further highlight the need for robust vulnerability management and secure coding practices.
// 02Key metrics
- ATT&CK techniques (ttps): 6
- Indicators (iocs): 9
- Threat groups (actors): 1
- Keywords (kwords): 10
// 03MITRE ATT&CK
// 04Threat actors
// 05Indicators of compromise
// ips0
none
// domains3
- ransomware.wins.ransomhub.ta
- ransomware.win.ransomhub
- calendar.create
// urls0
none
// sha2560
none
// md50
none
// emails0
none
// cves6
- CVE-2025-68143
- CVE-2025-68144
- CVE-2025-68145
- CVE-2026-22844
- CVE-2025-59718
- CVE-2025-59719
// 06Geographic coverage
// 07YARA rule
```yara
rule RansomHub_Ransomware_Group_202402 {
    meta:
        author = "YARA Rule Expert"
        date = "2024-02-28"
        description = "Detects indicators associated with the RansomHub ransomware group, including specific domains and textual mentions of their activities, victims, and stolen data types."
        reference = "OSINT reports, Check Point Threat Emulation, Harmony Endpoint"
        tlp = "white"
        // MITRE ATT&CK mapping (example, adjust as needed based on specific TTPs)
        // attack_tactic = "Impact"
        // attack_technique = "T1486 - Data Encrypted for Impact"
        // attack_tactic = "Exfiltration"
        // attack_technique = "T1041 - Exfiltration Over C2 Channel"
        // attack_technique = "T1567.001 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"

    strings:
        // --- Network Indicators (Domains) ---
        // Domains identified as used by RansomHub for C2 or data exfiltration.
        // The "wide" modifier makes YARA generate the UTF-16LE form of each string
        // itself; spelling out the interleaved \x00 bytes by hand AND adding "wide"
        // (as the original did) double-encodes the string and never matches.
        $network_domain1 = "ransomware.wins.ransomhub.ta" ascii wide
        $network_domain2 = "ransomware.win.ransomhub" ascii wide
        $network_domain3 = "calendar.create" ascii wide

        // --- Unique Text Patterns ---
        // Specific textual mentions from intelligence reports related to the RansomHub group,
        // their claimed victims, or the types of data they target/exfiltrate.
        $string_group_name1        = "RansomHub ransomware group" ascii wide nocase
        $string_victim1            = "Luxshare" ascii wide nocase
        $string_victim_products1   = "Apple, Nvidia, LG, Tesla" ascii wide nocase
        $string_data_type1         = "3D CAD models" ascii wide nocase
        $string_data_type2         = "circuit board designs" ascii wide nocase
        $string_data_type3         = "engineering documentation" ascii wide nocase

        // Protection IDs mentioned in the context, which can also appear in logs or reports.
        // Note: these are case-insensitive copies of $network_domain1/2, so any hit on a
        // "domain" also satisfies one of the two required $string_* matches; tune the
        // condition below if that overlap produces too many hits in your environment.
        $string_protection_id1     = "Ransomware.Wins.Ransomhub.ta" ascii wide nocase
        $string_protection_id2     = "Ransomware.Win.RansomHub" ascii wide nocase

        // --- Placeholder for future IOCs (currently none provided in context) ---
        // $hash_md5_sample1 = "d41d8cd98f00b204e9800998ecf8427e" // Example MD5 hash
        // $hash_sha256_sample1 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" // Example SHA256 hash
        // $api_create_remote_thread = "CreateRemoteThread" ascii wide // Example Windows API call
        // $api_nt_write_virtual_memory = "NtWriteVirtualMemory" ascii wide // Example Windows API call
        // $registry_run_key = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Malware" ascii wide // Example Registry Key for persistence
        // $registry_persistence_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide // Example Registry Key for persistence

    condition:
        // Detection logic:
        // The rule triggers if at least one network indicator (domain) is found AND
        // at least two distinct textual patterns related to RansomHub's activities or victims are found.
        // Requiring both network and content context reduces false positives and makes the rule
        // suitable for threat hunting in logs, memory, or documents.
        (1 of ($network_domain*)) and (2 of ($string_*))
}
```
// 08Keywords
- confirmed (score 3.2531)
- threat (score 2.3484)
- data (score 2.2262)
- access (score 2.0319)
- researchers (score 2.003)
- attack (score 1.9493)
- 2025 (score 1.9471)
- based (score 1.9342)
- check (score 1.9212)
- check point (score 1.9212)