RansomHub Deploys Custom Betruger Backdoor in Ransomware Attacks
- Reported on March 20, the RansomHub ransomware-as-a-service (RaaS) group has begun using a new custom backdoor, Betruger, in its attacks. Betruger is a rare example of multi-function malware built to streamline pre-ransomware activity: screenshotting, keylogging, credential dumping, and privilege escalation are handled by a single tool, reducing the number of separate utilities an affiliate has to bring into a victim environment.
- Custom tooling of this kind is unusual, since most ransomware groups rely on public or legitimate tools. Alongside Betruger, RansomHub affiliates have also been using the Bring Your Own Vulnerable Driver (BYOVD) technique and exploiting vulnerabilities such as **CVE-2022-24521** (a Windows Common Log File System driver privilege-escalation flaw) and **CVE-2023-27532** (a Veeam Backup & Replication vulnerability).
- Attackers have additionally leveraged a range of tools for network exploitation, credential theft, and remote access, including **Impacket, Mimikatz, Rclone, and SystemBC**.
- RansomHub, operated by the cybercrime group **Greenbottle**, has grown rapidly since February 2024, becoming the most prolific ransomware operation by Q3 2024 and attracting affiliates with better financial terms than rival groups offer.
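The BYOVD technique mentioned above works precisely because the abused driver is legitimately signed, so a valid signature on a driver load is not a clean bill of health. The following detection sketch is an added example written for this page; it is not code from the report or from any of the tools named above. It checks driver-load records against a hash blocklist and against loads from user-writable directories. The record format, the SHA256 values in the blocklist, and the sample events are all constructed for illustration; a real deployment would read Sysmon Event ID 6 (DriverLoad) events and populate the blocklist from Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""Flag possible Bring Your Own Vulnerable Driver (BYOVD) activity in
driver-load records. Added example; not from the RansomHub/Betruger report.
"""
import re

# Constructed blocklist keyed by SHA256. The hex strings are placeholders
# made up for this example, not hashes of real drivers.
VULNERABLE_DRIVER_SHA256 = {
    "b1" * 32: "vulnerable-agent.sys (placeholder, constructed)",
}

# Drivers normally load from \Windows\System32\drivers; a load from a
# user-writable directory is a strong BYOVD indicator on its own.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\(Users|Temp|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)


def parse_event(line):
    """Parse one 'key=value|key=value' record into a dict.

    The Hashes field itself holds 'ALG=hex,ALG=hex' pairs (Sysmon style);
    they are split into a nested dict keyed by upper-case algorithm name.
    """
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    hashes = {}
    for pair in fields.get("Hashes", "").split(","):
        alg, _, hexval = pair.partition("=")
        if alg:
            hashes[alg.upper()] = hexval.lower()
    fields["Hashes"] = hashes
    return fields


def assess_driver_load(event):
    """Return the reasons a driver load looks like BYOVD (empty if clean).

    Signed=true does NOT clear the load: BYOVD abuses drivers that carry a
    valid vendor signature, so the signature is expected, not reassuring.
    """
    reasons = []
    sha256 = event["Hashes"].get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(
            f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}"
        )
    if SUSPICIOUS_DIR_RE.search(event.get("ImageLoaded", "")):
        reasons.append("driver loaded from user-writable directory")
    return reasons


def scan(lines):
    """Return [(ImageLoaded, reasons)] for every record that triggers."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            hits.append((event.get("ImageLoaded"), reasons))
    return hits


# Constructed sample records, loosely modeled on Sysmon Event ID 6 fields.
SAMPLE_EVENTS = [
    "UtcTime=2025-03-20 10:15:02|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes=SHA256=" + "00" * 32 + "|Signed=true|Signature=Microsoft Windows",
    "UtcTime=2025-03-20 10:16:40|ImageLoaded=C:\\Users\\Public\\agent.sys"
    "|Hashes=SHA256=" + "b1" * 32 + "|Signed=true|Signature=Example Vendor Ltd",
    "UtcTime=2025-03-20 10:17:05|ImageLoaded=C:\\Windows\\Temp\\svc.sys"
    "|Hashes=SHA256=" + "cd" * 32 + "|Signed=true|Signature=Another Vendor",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

The hash match catches drivers already known to be abusable; the path check catches the delivery pattern (an affiliate dropping a driver into a profile or temp directory before loading it) even for a driver that is not yet on any list. On Windows the corresponding preventive control is Microsoft's vulnerable driver blocklist, enforced through HVCI or Smart App Control, which blocks listed drivers at load time rather than after the fact.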