RansomHub Ransomware Exploits Zerologon Vulnerability To Encrypt Files

RansomHub, a new and rapidly growing Ransomware-as-a-Service (RaaS), is likely an updated version of the older Knight ransomware. Analysis revealed significant similarities between the two, suggesting RansomHub originated from Knight. Despite this, it is unlikely that Knight's original creators are behind RansomHub. The source code for Knight, originally known as Cyclops, was sold on underground forums in February 2024 after its developers shut down their operation, potentially allowing others to update and launch it as RansomHub. Both RansomHub and Knight are written in Go, and most variants are obfuscated with Gobfuscate, except for some early Knight versions. The code overlap is substantial, making differentiation difficult without checking the embedded link to the data leak site. Both have nearly identical command-line help menus, with RansomHub adding only a sleep command.