RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks

Publicated : 23/11/2024   Category : security




CVE-2020-1472 is a privilege escalation flaw that allows an attacker to take over an organization's domain controllers.



In recent attacks involving the ominously growing RansomHub ransomware, attackers have exploited the so-called ZeroLogon flaw in the Windows Netlogon Remote Protocol from 2020 (CVE-2020-1472) to gain initial access to a victim's environment.
Prior to deploying the ransomware, the attackers have used several dual-use tools, including remote access products from companies like Atera and Splashtop and network scanners from NetScan among others, researchers at Symantec by Broadcom said in a report this week.
Atera and Splashtop were used to facilitate remote access, while NetScan was used to likely discover and retrieve information about network devices, Symantec said. The RansomHub payload leveraged the iisreset.exe and iisrstas.exe command-line tools to stop all Internet Information Services (IIS) services.
ZeroLogon involves a privilege escalation condition that occurs when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol, says Adam Neel, senior threat detection engineer at Critical Start. It will be very important for organizations to ensure that this vulnerability is patched and mitigated to help guard against attacks from RansomHub.
RansomHub is a ransomware-as-a-service (RaaS) operation and malware threat that has garnered considerable attention since first surfacing in February. Symantec currently ranks it as the fourth most prolific ransomware in terms of claimed victims, after Lockbit (recently taken down), Play, and Qilin.
BlackFog — among several security vendors tracking the threat — has listed more than five dozen organizations that RansomHub has victimized in the few months it's been operational. Many appear to be smaller and midsize firms, though there are a couple of recognizable names as well, most notably Christie's Auction House and UnitedHealth Group subsidiary Change Healthcare.
Dick O'Brien, principal intelligence analyst with Symantec's threat hunter team, says the group has publicly claimed 61 victims in the past three months. That compares to Lockbit's 489 victims, the Play group's 101, and Qilin's 92, he says.
RansomHub is among a small group of RaaS operators that have surfaced in the aftermath of the recent law enforcement takedowns of ransomware majors Lockbit and ALPHV/BlackCat. The group has tried to capitalize on some of the uncertainty and mistrust caused by the takedowns to try and attract new affiliates to its RaaS. One of its tactics is to offer affiliates the ability to collect ransoms directly from victims and then pay RansomHub a 10% cut. That's very different from the usual model where it is the RaaS operator that collects ransom payments from victims and later pays the affiliate a cut.
According to Symantec, there are several code overlaps between RansomHub and an older, and now defunct, ransomware family called Knight. The code overlaps are so extensive that it is very hard to distinguish between the two threats. Both payloads are written in the Go programming language and use the same obfuscator, Gobfuscate. Both have nearly identical help menus; they encode important code strings in exactly the same way and decode them at runtime; they can restart a target endpoint in safe mode prior to encryption and have the same command execution flow. Even the ransom notes associated with Knight and RansomHub are nearly the same, with many phrases from Knight appearing verbatim in RansomHub, Symantec said.
[However], despite shared origins, it is unlikely that Knight's creators are now operating RansomHub, Symantec said. Rather, RansomHub operators purchased Knight source code when the operators of the latter put it up for sale earlier this year and are now simply reusing it, the security vendor said. One of the main differences between the two ransomware families is the commands run through cmd.exe, the security vendor noted. These commands may be configured when the payload is built or during configuration.
Symantec's discovery that RansomHub is based on Knight code is unlikely to make much of a difference to victims or others that the group is targeting. But it does offer an additional layer of information around the group and its TTPs.
The group is growing quickly and is on track to be one of the most prolific ransomware groups in 2024, Neel says. It is also worth noting that due to their recent success and notoriety, they have been able to recruit old members of the Blackcat/ALPHV ransomware group. This allows them to utilize the knowledge and tools used by this group to enhance their capabilities even further, he notes.
