{"description": "Enterprise techniques used by RansomHub, ATT&CK software S1212 (v1.0)", "name": "RansomHub (S1212)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has created an autorun Registry key through the `-safeboot-instance -pass` command line argument.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use PowerShell to delete volume shadow copies.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use `cmd.exe` to execute multiple commands on infected hosts.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use Elliptic Curve Encryption to encrypt files on targeted systems.(Citation: CISA RansomHub AUG 2024) [RansomHub](https://attack.mitre.org/software/S1212) can also skip content at regular intervals (ex. encrypt 1 MB, skip 3 MB) to optomize performance and enable faster encryption for large files.(Citation: Group-IB RansomHub FEB 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has placed a ransom note on comrpomised systems to warn victims and provide directions for how to retrieve data.(Citation: CISA RansomHub AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use a provided passphrase to decrypt its configuration file.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) will terminate without proceeding to encryption if the infected machine is on a list of allowlisted machines specified in its configuration.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has the ability to only encrypt specific files.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.009", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can reboot targeted systems into Safe Mode prior to encryption.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can delete events from the Security, System, and Application logs.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has the ability to self-delete.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has used `vssadmin.exe` to delete volume shadow copies.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has the ability to target specific network shares for encryption.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has an encrypted configuration file.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can stop processes associated with files currently in use to maximize the impact of encryption.(Citation: CISA RansomHub AUG 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use a proxy to connect to remote SFTP servers.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can enumerate all accessible machines from the infected system.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) has the ability to terminate specified services.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can retrieve information about virtual machines.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[RansomHub](https://attack.mitre.org/software/S1212) can sleep for a set number of minutes before beginning execution.(Citation: Group-IB RansomHub FEB 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RansomHub", "color": "#66b1ff"}]}