Data theft gang RansomHouse might be ‘frustrated’ white hat hackers, researchers claim

A new hacking gang claims to have altruistic intentions, but not all cybersecurity analysts are convinced.

By Claudia Glover

A new data exfiltration gang, RansomHouse, has started to list its victims on the dark web. The group uses different techniques and has a distinct business model from other cybercrime operations, leading some analysts to speculate that it may be a group of disgruntled bug bounty hunters that have decided to punish organisations for their lax security.

Hackers, such as those pictured here at the DEF CON hacking conference in Las Vegas, often carry out penetration testing for businesses to try and find flaws in networks. (Photo by Nate Griff/WikiMedia Commons)

The group emerged at the end of March and has announced four victims, along with links they claim lead to victim data, on a Telegram channel and a dark web blog. The victims named so far are the Saskatchewan Liquor and Gaming Authority, Jefferson Credit Union based in Alabama, Swedish rail company Dellner Couplers and German airline handling agents AHS Group. There is no indication of whether any of the alleged victims has paid a ransom.

Are RansomHouse frustrated ‘white hat hackers’?

RansomHouse does not encrypt the data it steals, but simply publishes it if the demanded ransom is not paid. However, the group’s motives appear to be slightly different to many other cybercriminals as it seeks to expose victims for not caring enough about protecting their customers to pay the ransom, as well as highlighting examples of bad security.

“According to RansomHouse, many businesses and companies are not willing to invest as much money as required to fortify their infrastructures, while they ignore or do not institute enough bug bounty plans,” note researchers who penned a report on the gang for cybersecurity vendor CyberInt.

The reference to bug bounty programmes led the CyberInt team to conclude the gang may be a group of disenchanted ‘white hat hackers’, who carry out penetration testing for companies to inspect their networks as well as seeking out bugs in commonly used software to claim a financial ‘bounty’.

“Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits,” the report notes. “Bug bounty programs also increase their commissions making the bug bounty hunter a very frustrating profession.”

The novelty of RansomHouse’s approach does mark them out from other criminal gangs, says Chris Hauk, consumer privacy champion at Pixel Privacy. “Their approach is a bit different from other bad actor groups, as they do not encrypt a victim’s data, but instead publicly shame targeted companies for not caring enough about their customers to pay a ransom,” Hauk says.

“The group also claims that once the ransom is paid, it will help companies protect themselves from future attacks, and claim they will destroy any information they stole, while also deleting any ‘backdoors’ they used to penetrate a corporate network.”

But, Hauk adds: “No matter the claims they make about what’s behind their actions, RansomHouse is still simply a group of bad actors looking to score a payday.”

Other security experts also believe RansomHouse’s altruistic motives are overstated. “Regardless of their spurious justifications, RansomHouse are still criminals,” says Brian Higgins, security specialist at Comparitech. “They are open about the fact that they don’t feel financially appreciated through legitimate bug bounty activities but are quite prepared to exploit victims of data breaches in order to make money,” he says.

RansomHouse has been linked to other criminal gangs, and its name has cropped up in notes and blogs of both the White Rabbit ransomware gang and the now-infamous Lapsus$ Telegram channel. “This indicates that the threat actors are equally interested in selling data to other threat actors as well as the victim,” says the CyberInt report.

It also highlights the possibility that the gang may be a front for White Rabbit, says Nicole Hoffman, senior cyber threat intelligence officer at security company Digital Shadows. “It is likely that RansomHouse operates as the ‘leak site’ of White Rabbit ransomware group,” she says. “White Rabbit have in turn been attributed to ‘Fin8’, a financially motivated threat group known for targeting banks.”
