EncryptHub, also called Larva-208, has been launching attacks against organizations across the world. Using a mix of spear-phishing and clever social engineering, the group has broken into the networks of 618 companies since it began operating in June 2024.
Inside EncryptHub’s Malicious Operations
Prodaft’s latest research, recently released to the public, details how EncryptHub secures its foothold within networks. Post-infiltration, they install Remote Monitoring and Management (RMM) software. The threat actors then unleash data-stealing malware such as Stealc and Rhadamanthys, and also infect compromised systems with ransomware in many cases.
According to Prodaft, EncryptHub is linked with RansomHub and BlackSuit, deploying ransomware encryptors from these groups or acting as an initial access broker. Additionally, EncryptHub has been observed using a custom PowerShell-based data encryptor, which indicates they also have their own tools for encrypting and ransoming data.
How EncryptHub Snares Its Victims
EncryptHub uses fake VPN pages that mimic big names like Cisco AnyConnect and Microsoft 365 to trap employees. They usually pose as IT support to trick employees into believing they have a problem with VPN access or a security threat to their account, directing them to phishing sites where their credentials and multi-factor authentication tokens are stolen.
Phishing process overview (Source: Prodaft)
The attackers avoid immediate detection by redirecting victims to their service’s actual domain after the attack. EncryptHub’s strategy includes creating over 70 convincing fake domains like linkwebcisco.com and weblinkteams.com, hosted on servers known for ignoring takedown requests, adding another layer of resilience to their operations.
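The brand-impersonating domains described above are detectable in proxy or DNS logs when a destination host carries a brand name but sits outside that brand's legitimate registrable domain. The following is an added example, not code from the report or from Prodaft: the allowlist of legitimate domains and the log format are assumptions, and the log lines are constructed, with two of the hosts taken from the domains named above.

```python
"""Flag brand-lookalike domains of the kind EncryptHub used for its fake VPN portals."""
import re
from typing import List, Tuple

# Brand tokens the fake VPN/SSO pages impersonated (Cisco AnyConnect, Microsoft 365/Teams).
BRAND_TOKENS = ("cisco", "anyconnect", "microsoft", "office365", "teams")

# Assumption: registrable domains that legitimately host those brands' login pages.
LEGIT_DOMAINS = ("cisco.com", "microsoft.com", "office.com", "microsoftonline.com")


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); sufficient for the .com domains in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when the host mentions a brand token but is not under a legitimate domain."""
    host = host.lower()
    if registrable(host) in LEGIT_DOMAINS:
        return False
    return any(token in host for token in BRAND_TOKENS)


# Assumed log format: "<timestamp> <proxy> <user> <destination-host> <status>".
LOG_LINE = re.compile(r"^\S+ \S+ (?P<user>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, host) pairs whose destination looks like a brand impersonation."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match and is_lookalike(match["host"]):
            hits.append((match["user"], match["host"]))
    return hits


# Constructed proxy log; linkwebcisco.com and weblinkteams.com are named in the report summary.
SAMPLE_LOG = [
    "2024-09-12T08:01:02Z proxy1 alice vpn.cisco.com 200",
    "2024-09-12T08:03:15Z proxy1 bob linkwebcisco.com 200",
    "2024-09-12T08:03:40Z proxy1 bob sso.cisco.com 302",
    "2024-09-12T09:10:00Z proxy1 carol weblinkteams.com 200",
    "2024-09-12T09:11:30Z proxy1 carol teams.microsoft.com 200",
]

if __name__ == "__main__":
    for user, host in scan_proxy_log(SAMPLE_LOG):
        print(f"possible credential-phishing visit: user={user} host={host}")
```

A lookalike hit followed within seconds by a visit to the real brand domain for the same user matches the redirect-after-capture pattern described above and is worth prioritising for a credential reset.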
Malware and Ransomware Deployment
Once inside, EncryptHub uses PowerShell and Python scripts to dig in deeper, stealing everything from web browser data to cryptocurrency wallet information. The group installs RMM software such as AnyDesk or Splashtop, giving it long-term remote access to infected systems.
EncryptHub also uses infostealers to target data stored in web browsers—such as login credentials and cryptocurrency wallet passphrases—and Python scripts designed to pilfer information from Mac and Linux devices.
EncryptHub ransomware note (Source: Prodaft)
The finale involves their own brand of ransomware that locks files with a “.crypted” extension and leaves a ransom note demanding payment in cryptocurrency on Telegram. Prodaft characterizes EncryptHub as a highly sophisticated group as it tailors its methods to optimize success in high-stakes breaches.