Although RansomHub is a relatively new Ransomware-as-a-Service (RaaS), it has quickly grown into one of the most prolific ransomware groups currently active. New research suggests that RansomHub may be a rebranded version of an older ransomware known as Knight.
The research notes similarities between RansomHub and Knight. These similarities include:
- Payloads are written in Go, and the ransom notes left are similar in verbatim.
- Most variants are obfuscated with Gobfuscate. Furthermore, both operations deploy a unique obfuscation technique in which important strings are encoded with unique keys then decoded at runtime.
- Code overlap is so great that it can be challenging to differentiate between them.
- The help menus on the command line are almost identical, with the sole difference being RansomHub’s addition of a sleep command.
The research also noted a difference between RansomHub and Knight, which is the commands run through cmd.exe. Still, while the commands are different, the manner in which they are called is the same.
Despite their similarities, the research suggests that it is unlikely that RansomHub is being run by Knight’s creators. Instead, the research believes that Knight's source code was purchased and updated for use with RansomHub.