Emergent RansomHub ransomware — which was leveraged in attacks against Change Healthcare, Frontier Communications, and Christie's auction house — was discovered by Symantec researchers to be an evolved iteration of the Knight ransomware, also known as Cyclops 2.0, reports The Hacker News.
Only a new "sleep" option within the command-line help menu and distinct commands executed by cmd.exe differentiated RansomHub from Knight ransomware, both of which were based on the Go programming language and had the same obfuscation approach, ransom notes, and safe mode restarts prior to encryption, according to the Symantec report.
The findings also showed that both Notchy and Scattered Spider, which were previously affiliated with the ALPHV/BlackCat ransomware operation, have entered a partnership with RansomHub, echoing a recent report from Mandiant.
"The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground," said researchers.