RansomHub Ransomware Attack Compromises Removal.AI User Data

Incident Date:

September 2, 2024

Overview

Title

RansomHub Ransomware Attack Compromises Removal.AI User Data

Victim

Removal.AI

Attacker

RansomHub

Location

London, United Kingdom

First Reported

September 2, 2024

RansomHub Ransomware Attack on Removal.AI

Removal.AI, a technology company specializing in automated image editing solutions, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. Known for its advanced AI algorithms that provide services such as background removal, image enhancement, and object manipulation, Removal.AI primarily serves e-commerce, photography, and graphic design professionals.

Company Profile and Vulnerabilities

Founded in 2020 by Eric Le, Removal.AI operates with a small team of 2 to 10 employees. The company has carved out a niche in the competitive landscape of image editing tools by leveraging AI technology to simplify and enhance the background removal process. This makes high-quality image editing accessible to a wide range of users, from startups to established brands. However, the company's reliance on advanced AI and cloud-based storage makes it a lucrative target for threat actors.

Attack Overview

The ransomware attack has compromised a comprehensive and up-to-date database containing sensitive information, including clients' payment details, IP addresses, full personal details, email addresses, API tokens, and passwords. This breach affects over 14 million users and involves 70 million database lines. Despite the severity of the situation, Removal.AI has chosen to remain silent, prompting RansomHub to threaten the public release of the stolen data unless negotiations are initiated.

RansomHub: A Formidable Threat

RansomHub, a Ransomware-as-a-Service (RaaS) group, first appeared in February 2024. It quickly established itself by adopting a highly adaptable and aggressive affiliate model. The group is known for its speed and efficiency, using advanced data exfiltration techniques and intermittent encryption to minimize encryption time while maintaining impact. RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to target systems.
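Password spraying, one of the initial-access methods named above, has a recognisable shape in authentication logs: one source tries a small number of passwords against many different accounts, which is the opposite of a brute-force attack on a single account. The script below is an added detection example written for this page; it is not code from the original report, from Removal.AI, or from any tracker. The log format and the sample lines are constructed for the example, and the thresholds (10-minute window, at least 5 distinct accounts, at most 2 failures per account) are assumptions a defender would tune to their own environment. It also lists any successful login from the same source inside the spray window, since that is the account an analyst would want to review first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the incident).
# The line format is an assumption: "<ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-09-01T02:00:01Z auth FAIL user=alice src=203.0.113.7
2024-09-01T02:00:03Z auth FAIL user=bob src=203.0.113.7
2024-09-01T02:00:05Z auth FAIL user=carol src=203.0.113.7
2024-09-01T02:00:07Z auth FAIL user=dave src=203.0.113.7
2024-09-01T02:00:09Z auth FAIL user=erin src=203.0.113.7
2024-09-01T02:00:11Z auth OK   user=frank src=203.0.113.7
2024-09-01T02:01:00Z auth FAIL user=alice src=198.51.100.4
2024-09-01T02:01:02Z auth FAIL user=alice src=198.51.100.4
2024-09-01T02:01:04Z auth FAIL user=alice src=198.51.100.4
2024-09-01T02:01:06Z auth FAIL user=alice src=198.51.100.4
2024-09-01T02:01:08Z auth FAIL user=alice src=198.51.100.4
2024-09-01T09:30:00Z auth FAIL user=gina src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(log_text):
    """Yield (timestamp, result, user, src) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in another format rather than failing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {src_ip: details} for sources whose failures look like a spray.

    A spray is flagged when, within one sliding window starting at some failure,
    a single source fails against at least `min_users` distinct accounts while
    never exceeding `max_per_user` failures for any one of them. Many failures
    against one account (classic brute force) is deliberately NOT flagged here.
    """
    events = sorted(parse_auth_log(log_text))  # tuples sort by timestamp first
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                end = start + window
                # Successful logins from the same source inside the spray window
                # are the accounts most likely to have been guessed correctly.
                successes = sorted({user for ts, result, user in evs
                                    if result == "OK" and start <= ts <= end})
                alerts[src] = {
                    "distinct_users": len(counts),
                    "window_start": start,
                    "successes_in_window": successes,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['distinct_users']} accounts from {info['window_start']:%H:%M:%S}; "
              f"successful logins in window: {info['successes_in_window'] or 'none'}")
```

On the constructed sample, only 203.0.113.7 is flagged (five accounts, one failure each, followed by a successful login as `frank`); 198.51.100.4 fails five times against the same account and is left for a separate brute-force rule, and the single failure from 192.0.2.9 is ordinary noise. In a real deployment the same logic would run over an identity provider's or VPN gateway's sign-in events, with the window and thresholds adjusted to the normal failure rate of that system.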

Penetration Methods

RansomHub's affiliates likely exploited vulnerabilities in Removal.AI's systems, such as unpatched software or weak password policies. The group is known for leveraging zero-day vulnerabilities and using tools like Mimikatz and PsExec for lateral movement and privilege escalation. By combining encryption with data theft, RansomHub increases pressure on victims to pay ransoms, making it a formidable threat to organizations worldwide.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.