A new data exfiltration gang, RansomHouse, has started to list its victims on the dark web. The group uses different techniques and has a distinct business model from other cybercrime operations, leading some analysts to speculate that it may be a group of disgruntled bug bounty hunters that have decided to punish organisations for their lax security.
The group emerged at the end of March and has announced four victims, along with links they claim lead to victim data, on a Telegram channel and a dark web blog. These victims named so far are the Saskatchewan Liquor and Gaming Authority, Jefferson Credit Union based in Alabama, Swedish rail company Dellner Couplers and German airline handling agents AHS Group. There is no indication of whether any of the alleged victims has paid a ransom.
Are RansomHouse frustrated ‘white hat hackers’?
RansomHouse does not encrypt the data it steals, but simply publishes it if the demanded ransom is not paid. However, the group’s motives appear to be slightly different to many other cybercriminals as it seeks to expose victims for not caring enough about protecting their customers to pay the ransom, as well as highlighting examples of bad security.
“According to RansomHouse, many businesses and companies are not willing to invest as much money as required to fortify their infrastructures, while they ignore or do not institute enough bug bounty plans,” note researchers who penned a report on the gang for cybersecurity vendor CyberInt.
The reference to bug bounty programmes led the CyberInt team to conclude the gang may be a group of disenchanted ‘white hat hackers’, who carry out penetration testing for companies to inspect their networks as well as seeking out bugs in commonly used software to claim a financial ‘bounty’.
“Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits,” the report notes. “Bug bounty programs also increase their commissions making the bug bounty hunter a very frustrating profession.”
The novelty of RansomHouse’s approach does mark them out from other criminal gangs, says Chris Hauk, consumer privacy champion at Pixel Privacy. “Their approach is a bit different from other bad actor groups, as they do not encrypt a victim’s data, but instead publicly shame targeted companies for not caring enough about their customers to pay a ransom,” Hauk says.
“The group also claims that once the ransom is paid, it will help companies protect themselves from future attacks, and claim they will destroy any information they stole, while also deleting any ‘backdoors’ they used to penetrate a corporate network.”
But, Hauk adds: “No matter the claims they make about what’s behind their actions, RansomHouse is still simply a group of bad actors looking to score a payday,” he says.
Other security experts also believe RansomHouse’s altruistic motives are overstated. “Regardless of their spurious justifications, RansomHouse are still criminals,” says Brian Higgins, security specialist at Comparitech. “They are open about the fact that they don’t feel financially appreciated through legitimate bug bounty activities but are quite prepared to exploit victims of data breaches in order to make money,” he says.
RansomHouse and its links to other cybercrime gangs
RansomHouse has been linked to other criminal gangs, and its name has cropped up in notes and blogs of both the White Rabbit ransomware gang and the now-infamous Lapsus$ Telegram channel. “This indicates that the threat actors are equally interested in selling data to other threat actors as well as the victim,” says the CyberInt report.
It also highlights the possibility that the gang may be a front for White Rabbit, says Nicole Hoffman, senior cyber threat intelligence officer at security company Digital Shadows. “It is likely that RansomHouse operates as the ‘leak site’ of White Rabbit ransomware group,” she says. “White Rabbit have in turn been attributed to “Fin8″; a financially motivated threat group known for targeting banks.”