RansomHub Claims Attack on Government of Mexico

Date: November 18, 2024


The ransomware group RansomHub, linked to Russian actors, has claimed responsibility for a cyberattack on Mexico's gob.mx website, alleging the exfiltration of 313 GB of sensitive data.  

Early Friday, the group announced the breach on its dark web blog, stating it will release the stolen files in ten days unless an undisclosed ransom is paid, CyberNews reports.

The leaked data includes over 50 sample files, featuring a database of federal employees’ personal information, such as names, job titles, headshots, work locations, email addresses, phone extensions, and ID numbers.

Additionally, the cache contains signed government documents from 2023, including a transportation contract valued at $100,000 and a document addressed to Mario Gavina Morales, Mexico's Director of IT and Communications.  

Many of the employees in the sample files list the Palacio Nacional, which houses the offices of the Mexican president and the Federal Treasury, as their workplace. The breach underscores significant cybersecurity weaknesses within Mexico's federal systems.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, RansomHub is a ransomware-as-a-service (RaaS) platform that emerged in early 2024 and has quickly established itself as a significant player in the cybercrime ecosystem.

Initially suspected of ties to LockBit due to operational similarities, closer analysis links its ransomware code to the now-defunct Knight group.  

Written in Golang, Knight's code was reportedly sold in February 2024, a move that likely accelerated RansomHub’s development and enabled rapid integration of advanced features.

RansomHub distinguishes itself by offering affiliates up to 90% of ransom payments, making it highly appealing to partners.  

The platform enforces strict compliance among affiliates, requiring them to honor agreements reached with victims during negotiations; violators face permanent bans. This policy reflects a structured, professionalized operational model that positions RansomHub as a well-organized RaaS platform.

The group has actively recruited affiliates from disbanded operations, leveraging their expertise to refine its capabilities.  

This recruitment strategy, coupled with a regularly updated and versatile codebase, underscores a well-funded and growth-focused operation. Its use of double extortion tactics—encrypting data while threatening to leak stolen information—has proven effective, particularly in high-value industries like healthcare.

Strategic target selection has been a hallmark of RansomHub's approach, initially focusing on healthcare due to the sensitive and lucrative nature of its data. The group's reputation for high-impact extortion is evident in its re-extortion of Change Healthcare, which had already paid a $22 million ransom to the ALPHV/BlackCat affiliate behind the original attack before RansomHub claimed to hold the stolen data and demanded its own payment, demonstrating a preference for large, financially capable organizations.

By Q3 2024, RansomHub had become one of the most active ransomware groups, leveraging advanced techniques and the decline of other major players to cement its position in the ransomware landscape.

Notable victims include Change Healthcare, Kovra, Computan, Scadea Solutions, Christie’s Auction House, NRS Healthcare, Frontier Communications, and more.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.