Threat profile: RansomHouse makes extortion work without ransomware
Jovi Umawing
Cybersecurity is an industry known for many hats: white hats, black hats, and grey hats. For those not in the know, white hats are "the good people" in the industry: malware analysts, security researchers, and penetration testers. Black hats are the opposite of white hats, and we collectively refer to them as cybercriminals.
The existence of a third hat is intriguing but not surprising. It suggests that black hats have the potential to be and do good. On the other hand, white hats can put one foot on the dark side while leaving a reassuring foot in the light.
Security researchers have speculated that a new extortion group called RansomHouse is a collection of "frustrated" white hats who have been pushed to the point of punishing organizations that continue to have lax security in their infrastructure.
RansomHouse 101
RansomHouse is a new extortion group that gets into victims' networks by exploiting vulnerabilities to steal data, then coerces victims to pay up, lest their data be sold to the highest bidder. And if no criminal is interested in buying the data, the group leaks it on their leak site.
This group is also unique in the way it extorts money from victims. They appear to market themselves as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how.
Like ransomware groups, they also have channels in place—a Telegram account and a leak site—to communicate with victims, journalists, and those who want to track their activities.
RansomHouse is believed to have emerged in December 2021 and currently has four victims, the first of which was Canada's Saskatchewan Liquor and Gaming Authority (SLGA), a regulator of alcohol, cannabis, and most gambling in the province, which first reported a breach in that same month.
According to the "About" page on RansomHouse's Onion site, they call themselves "a professional mediators community."
Below are reprints of sections from that page:
We have nothing to do with any breaches and don't produce or use any ransomware. Our primary goal is to minimize the damage that might be sustained by related parties. We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in. But evolution cannot be stopped, fitting structures emerge in every environment, and so groups of enthusiasts have emerged on the grounds of data negligence, eager to get paid honestly by streamlining this chaos through public punishment. These methods of making money and pointing out companies' mistakes may be controversial, and when you recall that we are talking about billion-dollar corporations on the opposing side, it becomes clear why the RansomHouse team is so important to engage in dialogue. That is what this project is all about - bringing conflicting parties together, helping them to set up a dialogue and make informed, balanced decisions. The team works hard to find a way out of even the most difficult situations and allow both parties to go forward without changing rules as they go along. Incompetence and fuss is unacceptable when dealing with such cases, which is exactly what happens most often. Here and now we are creating a new culture and streamlining this industry.
The "About" page, which reads more like a manifesto, is telling. First, it openly declares that organizations, not the cybercriminals after their data, are the real "culprits" for certain types of cyberattacks. Second, it implies that bug hunters who find flaws in systems or networks owned by organizations, which may not have a bounty program in place, must be recognized for the time and effort spent finding those flaws and be compensated accordingly.
Cyberint's Shmuel Gihon indicated that RansomHouse is "practically forcing 'penetration testing service' on organizations that never used their services or rewarded bug bounties."
Lastly, the group puts itself at the center as the entity that'll make things right, calling this entire endeavor a "project" instead of what it really is: an extortion scheme with the facade of a good samaritan. The group's actions benefit no one but them and their associates, embolden others to act out their frustration, and—if they are indeed white hats in a midlife crisis—slowly erode the foundations of trust and integrity the cybersecurity industry stands on.
Links with ransomware groups
RansomHouse has been firm about its non-use of ransomware in its operations despite the group's name. They also reportedly do not encrypt the files they steal from organizations. However, it is worth noting that the group has a history of collaborating with ransomware gangs, such as White Rabbit.
BleepingComputer pointed out that the group was mentioned in one of White Rabbit's ransom notes.
One can also see RansomHouse's possible link to the Hive ransomware group.
Hagar Margolin, cyberanalyst for Webz.io, a company providing machine-defined web data, pointed out the uncanny similarities between Hive's leak site posts and those of RansomHouse.
A side-by-side comparison of Hive ransomware's victim post versus a victim post from RansomHouse's Tor site. (Source: Webz.io)
Are they really disgruntled bug bounty hunters?
Bug hunting can be a way to make a living. Much like many of the jobs within the cybersecurity industry, it's not as glamorous as some people make it out to be.
Of course, getting rich hunting for flaws depends on the severity of the bug found and on whether the organization has a bounty program at all. Bug hunting isn't nearly as lucrative when either of these conditions isn't met.
Gihon assessed that RansomHouse "might have a blue and red team background and might even be disgruntled bug bounty hunters looking to be taken more seriously by organizations." In cybersecurity, a "blue team" plays the role of defender in a cyberattack. In contrast, a "red team" plays the role of adversary.
What led Cyberint to this theory is RansomHouse's overall professional demeanor when communicating with others. They were seen as polite and focused, not easily drawn into irrelevant conversations. The group also claimed they're "pro-freedom," "very liberal," and won't have anything to do with radical hacktivists or espionage groups.
Cyberint also touched on a known problem within the bug bounty community that is currently brewing.
"Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits," Gihon said. "Bug bounty programs also increase their commissions, making the bug bounty hunter a very frustrating profession."
The struggles with bug hunting may be real, but according to one expert, even calling RansomHouse a group of bug hunters could be inaccurate.
In an interview with BleepingComputer, Emsisoft Threat Analyst Brett Callow said that actors behind the White Rabbit ransomware may be behind RansomHouse:
"The RansomHouse platform is supposedly used by 'club members' who carry out attacks using their own tools—and, according to them, those tools include ransomware such as White Rabbit. I suspect, however, that their claims are untrue and that the same individuals who carry out the attacks are also behind RansomHouse."
Regardless of the group's origins, one thing is clear: they are going after organizations that they have decided are not doing enough to secure their clients' data. They pose a threat similar to that of ransomware groups. This should be reason enough for organizations of any size to work with their IT teams on strengthening the business's overall security posture.