RansomHub ransomware employs new Betruger backdoor malware

bleepingcomputer.com

Security researchers have discovered a new backdoor called Betruger, linked to recent ransomware attacks. This malware is associated with the RansomHub ransomware operation.

The Betruger backdoor is unique because it serves multiple functions. According to Symantec researchers, it can perform various tasks that help prepare for ransomware attacks. This includes keylogging, scanning networks, and taking screenshots. It aims to reduce the need for multiple tools during an attack.

Researchers noted that using a custom backdoor like Betruger is unusual in ransomware cases. Most attackers typically rely on existing, legitimate software or public malware. Betruger is disguised as a mailing application with filenames like 'mailer.exe'.

RansomHub, previously known as Cyclops and Knight, is a ransomware-as-a-service group that emerged in February 2024. It is known for data-theft-based extortion rather than simply encrypting victims' data. The group has targeted high-profile organizations, including Halliburton and Christie's auction house. Recently, RansomHub claimed responsibility for breaching BayMark Health Services, the largest addiction treatment provider in North America, affecting about 75,000 patients daily.

The FBI reported that RansomHub affiliates have attacked more than 200 victims across critical sectors, including healthcare and government, by August 2024.

