EncryptHub: An Emerging Threat Group Behind 618 Attacks Since 2024
An active threat actor tracked as EncryptHub (also known as Larva-208) has been targeting organizations since June 2024 and has ties to prominent ransomware operations, including RansomHub and BlackSuit. Research from Prodaft reveals that EncryptHub has "compromised 618 different victim organizations" and demonstrates "clear financial motivations." The group's operational links to other ransomware crews are concerning: evidence suggests it has deployed both RansomHub and BlackSuit ransomware variants. For its own encryption stage, EncryptHub relies primarily on a PowerShell-based encryptor, and its intrusions are built around social engineering rather than software exploits.
EncryptHub's attack chain begins with phishing campaigns that combine SMS phishing (smishing), voice-based deception (vishing), and fraudulent login pages built to harvest credentials. One of its most effective tactics is impersonating an organization's IT support team and persuading victims to enter their credentials into fake VPN login pages. The attackers then use the stolen credentials and captured multi-factor authentication (MFA) tokens to gain unauthorized access to corporate environments. Once inside, the group deploys remote monitoring and management (RMM) tools to maintain persistence and conduct further malicious activity; because these are legitimate, signed products, their presence alone rarely trips antivirus. RMM software identified in the group's operations includes AnyDesk, Atera, GoTo Resolve, ScreenConnect, Splashtop, and TeamViewer.
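A practical response to the RMM stage described above is to alert on any of the named products starting on an endpoint unless it is the one product IT actually sanctions, and to raise the severity when the binary runs from a user-writable location (a Downloads or Temp folder), since an agent rolled out by IT lands under Program Files. The following is an added example, not code from Prodaft's report or from the threat actor: it runs that check over a few constructed Sysmon Event ID 1 (process creation) records. The field names follow Sysmon's schema, the values are made up, and the product-name-in-path patterns are an assumption to be verified against vendor documentation before use.

```python
"""Flag execution of the RMM products named in the EncryptHub reporting.

Added example (not Prodaft's or EncryptHub's code). Input is a handful of
constructed Sysmon Event ID 1 records as JSON lines: Sysmon field names,
made-up values.
"""
import json
import re

# Heuristic: the product name appears in the image path of the RMM binary.
# This product -> pattern mapping is an assumption for the example; verify it
# against vendor documentation. Atera gets a word boundary so that "lateral.exe"
# does not match.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Atera": re.compile(r"\batera", re.I),
    "GoTo Resolve": re.compile(r"goto[ _-]?resolve", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
}

# Locations a standard user can write to. An RMM agent executing from here was
# not deployed through IT's installer, so the finding is rated higher.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\|\\Temp\\|\\Public\\",
    re.I,
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
                "User": r"CORP\jdoe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"Image": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
                "User": r"NT AUTHORITY\SYSTEM",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                "User": r"NT AUTHORITY\SYSTEM",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\svchost.exe",
                "User": r"NT AUTHORITY\SYSTEM",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"Image": r"C:\Users\jdoe\AppData\Local\Temp\SplashtopStreamer.exe",
                "User": r"CORP\jdoe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
])


def detect_rmm(jsonl, sanctioned=frozenset()):
    """Return one finding per event whose image matches an RMM product that is
    not in `sanctioned`. Severity is 'high' for user-writable paths, else 'medium'."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev.get("Image", "")
        for product, pattern in RMM_PATTERNS.items():
            if not pattern.search(image):
                continue
            if product not in sanctioned:
                findings.append({
                    "product": product,
                    "image": image,
                    "user": ev.get("User", ""),
                    "parent": ev.get("ParentImage", ""),
                    "severity": "high" if USER_WRITABLE.search(image) else "medium",
                })
            break  # one product per event
    return findings


if __name__ == "__main__":
    # TeamViewer is assumed to be the organization's sanctioned RMM product.
    for f in detect_rmm(SAMPLE_EVENTS, sanctioned={"TeamViewer"}):
        print(f"[{f['severity']}] {f['product']} run by {f['user']}: {f['image']}")
```

Run as-is it reports AnyDesk (high, Downloads folder), ScreenConnect (medium, Program Files) and Splashtop (high, Temp folder) and stays quiet on the sanctioned TeamViewer install. Path matching is a triage heuristic only; pair it with the binaries' signer and original file name from the same Sysmon event before acting on a hit.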
After establishing access, EncryptHub conducts reconnaissance with PowerShell scripts to identify security software, weak points in the network, and high-value targets. Prodaft observed multiple information-stealing malware strains in EncryptHub's campaigns, including Stealc, Rhadamanthys, and Fickle Stealer. These tools extract sensitive data, including material from cryptocurrency wallets such as MetaMask, Coinbase Wallet, Trust Wallet, and Trezor Wallet. The attackers also target configuration data from VPN clients such as Cisco VPN Client, FortiClient, and Palo Alto Networks GlobalProtect, as well as password managers including 1Password, Bitwarden, Dashlane, and LastPass. Files whose names contain keywords such as "password," "account," "wallet," and "seedphrase" are actively sought out and exfiltrated.
The group's infrastructure also plays a critical role in its success. Prodaft reports that EncryptHub has "purchased 70 domain names that imitate VPN products, including those from Cisco, Palo Alto, and Fortinet, and have used these domains in their attacks." These domains host the phishing pages used for credential harvesting and the follow-on network compromise. Once data theft is complete, EncryptHub moves to the ransomware stage, encrypting victim systems with its PowerShell-based encryptor and demanding payment in cryptocurrency. As EncryptHub continues to evolve its tactics, its ability to turn social engineering into ransomware deployment, borne out by the number of organizations it has already compromised, makes it a persistent threat to enterprises worldwide.
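The vendor-imitating domains are the part of this campaign a defender can hunt for before a victim ever sees the page, for example by running newly registered domains or proxy logs through a lookalike check. The block below is an added example and not part of Prodaft's report: it normalises each hostname (lower-case, undo simple digit-for-letter swaps, drop separators), skips hosts whose registrable domain is on an allowlist of the real vendor domains, and flags anything that still contains a brand or VPN product token. The brand tokens, the vendor allowlist, the minimal second-level-suffix set and every sample hostname are assumptions constructed for illustration; none of the sample domains are real EncryptHub indicators.

```python
"""Flag hostnames that imitate the VPN vendors named in the article.

Added example (not Prodaft's code). Brand tokens, allowlist and sample hosts
are assumptions constructed for illustration, not indicators from the report.
"""
import re

# Brand -> tokens that, appearing in an unrelated registrable domain, suggest
# impersonation. Product names are the vendors' VPN clients. Assumed set.
BRAND_TOKENS = {
    "cisco": ("cisco", "anyconnect"),
    "paloalto": ("paloalto", "globalprotect"),
    "fortinet": ("fortinet", "forticlient", "fortigate"),
}

# Registrable domains the vendors legitimately own (assumed allowlist; extend
# from your own asset inventory and the vendors' published domains).
LEGIT_DOMAINS = {"cisco.com", "paloaltonetworks.com", "fortinet.com"}

# Second-level labels that behave like a TLD under a two-letter country code
# (co.uk, com.au, ...). Deliberately minimal; a real deployment would use the
# Public Suffix List.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}

# Common digit-for-letter substitutions undone before token matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample hostnames (not real indicators).
SAMPLE_HOSTS = [
    "vpn.cisco.com",               # legitimate vendor host
    "sso.paloaltonetworks.com",    # legitimate vendor host
    "cisco-vpn-portal.com",        # brand in an unrelated registrable domain
    "globalprotect-login.net",     # product name used as the lure
    "f0rticlient-sso.com",         # digit-for-letter swap
    "cisco.com.evil-login.net",    # real brand as a subdomain of attacker domain
    "example.org",                 # unrelated
]


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, e.g. 'cisco.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(host):
    """Lower-case, undo leet digits, strip '-', '.', '_' so tokens match across labels."""
    return re.sub(r"[-._]", "", host.lower().translate(LEET))


def match_brand(host):
    """Return the imitated brand, or None when the host is vendor-owned or unrelated."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return None
    flat = normalise(host)
    for brand, tokens in BRAND_TOKENS.items():
        if any(token in flat for token in tokens):
            return brand
    return None


def flag_lookalikes(hosts):
    """Map each suspicious host to the brand it imitates; clean hosts are omitted."""
    flagged = {}
    for host in hosts:
        brand = match_brand(host)
        if brand:
            flagged[host] = brand
    return flagged


if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_HOSTS).items():
        print(f"{host:30} imitates {brand}")
```

The allowlist check has to run on the registrable domain, not on the full hostname: `cisco.com.evil-login.net` carries the real brand as a subdomain and would pass a naive "contains cisco.com" test. Substring matching is intentionally aggressive, so expect noise on dictionary words that contain a token (for instance "francisco") and treat hits as a review queue rather than a block list.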