We have a new cybercrime outfit that goes by the name of RansomHouse. As discovered by Cyberint, the ransomware group is not what it seems to be. It is a data extortion gang that is targeting organizations, exfiltrating their data, and offering to delete it - all for a price.

Diving into details

RansomHouse first emerged in March and has bagged four victims, as claimed on its Onion site.
  • The operation states that it does not use any ransomware and focuses on network infiltration by abusing vulnerabilities.
  • The attackers focus primarily on data exfiltration and do not build any encryption modules. They operate manually, focusing on one victim at a time.
  • RansomHouse has three Telegram channels for communication, apart from Onion. The first channel is for announcements regarding new victims, the second is for chatting with followers, and the third is solely for journalists.
  • Two of its victims include the Saskatchewan Liquor and Gaming Authority (SLGA) and a German airline support service provider.

Bug bounty hunters beyond control?

RansomHouse doesn’t like to take responsibility for its actions and instead blames the victims for not implementing proper network security controls. Analyzing the contents of the Telegram channels, researchers surmise that the attackers might be dissatisfied bug bounty hunters. Furthermore, the group has not yet come up as an independent entity but is being promoted by other threat groups, such as its mention in White Rabbit ransom notes and Telegram posts on the Lapsus$ gang’s Telegram channels.

The bottom line

While experts believe that RansomHouse is not going to become a very successful gang in the near future, the launch of a new data exfiltration portal should be taken seriously. While the techniques employed by the attackers may not work on every organization, the impact can still be severe depending on the nature of the stolen data.
Cyware Publisher