The FBI, MS-ISAC, and the Department of Health and Human Services (HHS) in the US have issued a released a joint advisory to businesses about the ransomware-as-a-service collective ‘RansomHub’.

The joint advisory highlights how RansomHub (formerly known as Cyclops and Knight) has as established itself as an efficient and successful service model. The advisory highlights how, since its inception in February 2024, RansomHub has encrypted and stolen data from at least 210 victims across various critical infrastructure sectors, including water and wastewater systems.

RansomHub affiliates have been stealing data using a double-extortion strategy, encrypting systems, and stealing data to coerce victims into compliance. The data exfiltration methods vary by affiliate, and the ransom note usually omits initial payment demands or instructions although it typically gives victims between three and 90 days to pay. Instead, it provides a client ID and directs victims to contact the ransomware group via a specific .onion URL, accessible through the Tor browser.

The advice to defenders is to implement the recommendations in the Mitigations section of the advisory, which include installing updates for operating systems, software, and firmware as soon as they are released, using phishing-resistant multi-factor authentication (MFA), such as non-SMS text-based methods, for as many services as possible, and training users to recognise and report phishing attempts.