The notorious ransomware gang RansomHub has launched a sophisticated attack campaign targeting U.S. government agencies, leveraging the FakeUpdates malware framework to devastating effect. The operation, tracked by researchers as Water Scylla, represents a disturbing evolution in ransomware tactics. Since emerging in February 2024 (the group was formerly known as Cyclops and Knight), RansomHub has racked up 210 victims across critical sectors, an impressive or terrifying tally, depending on your perspective.
Sophisticated ransomware outfit RansomHub evolves tactics, targets government, leaving hundreds of victims in its destructive wake.
These aren’t amateur hackers. RansomHub has recruited high-profile affiliates from disbanded groups like LockBit and ALPHV. Their collaboration with FakeUpdates, which uses the SocGholish payload for initial access, has supercharged their capabilities. The attack chain is brutally effective. Legitimate websites get infected with malicious scripts. Unsuspecting visitors see fake browser update notifications. Click. Download. Game over.
The technical details aren’t pretty. RansomHub employs multiple initial access techniques: vulnerability exploitation, phishing emails, and password spraying, and the group frequently exploits known vulnerabilities in Citrix products and other systems to get in. Once inside, they create user accounts, use Mimikatz for credential theft, and move laterally through networks via RDP and other tools. Their encryption uses the Curve25519 algorithm with intermittent encryption for speed. Clever. Evil, but clever. RansomHub’s distinctive ransom notes provide victims with a unique Tor URL for communication rather than stating initial demands.
Government targets have included the City of Tarrant, Sault Ste. Marie Tribe of Chippewa Indians, and Laramie County Library System. The average ransom demand? A cool $2.79 million. Pay up or your data goes public on their leak site. Nearly 1.6 million records have been affected in 2024 alone. According to industry reports, comprehensive risk assessments could have identified the vulnerabilities these agencies faced before they were exploited.
What’s driving this surge? Simple economics. The ransomware business is booming, and RansomHub offers lucrative splits to affiliates. Their double extortion model—steal data, then encrypt systems—maximizes pressure on victims.
For government agencies, the message is clear: patch systems, enforce strong passwords and MFA, train employees, and maintain offline backups. Because RansomHub isn’t just another cybercrime group. They’re the new big players in a very dangerous game.