The detection identifies potential RansomHub activity through known IOCs associated with ransomware deployment and lateral movement. SOC teams should proactively hunt for this behavior to detect and mitigate ransomware attacks before data encryption and financial loss occur.
IOC Summary

Malware Family: RansomHub
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]5[.]65[.]169:4348 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 193[.]5[.]65[.]169:443 | botnet_cc | 2026-05-28 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RansomHub
// The indicators above are ip:port pairs; the list below is the refanged IP only,
// and DestinationPort is projected so exact hits on 4348 and 443 can be prioritised.
let malicious_ips = dynamic(["193.5.65.169"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are projected so that an ip:port match
// can be tied back to the process that opened the connection.
let malicious_ips = dynamic(["193.5.65.169"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
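The two queries above match on IP address only, while the indicators in the table are ip:port pairs. The following added example (not from the original page or from ThreatFox) shows the same hunt done offline in Python: it refangs the table's indicators, validates them, and runs them over a few constructed CEF-style firewall lines, ranking exact ip:port hits above address-only hits so an analyst knows which rows to triage first. The log lines, the `refang`, `parse_iocs`, `classify` and `hunt` helpers, and the field names `src`/`dst`/`dpt` are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two ip:port indicators from the table above, kept in their defanged form
# so the list can be pasted straight from a report (the values are the page's own).
IOC_TABLE = [
    ("193[.]5[.]65[.]169:4348", "botnet_cc", 75),
    ("193[.]5[.]65[.]169:443", "botnet_cc", 75),
]

# Constructed sample firewall lines in a CEF-style key=value layout, the kind of
# record that lands in CommonSecurityLog; none of these are real traffic.
LOG_LINES = [
    "2026-05-28T10:01:02Z src=10.0.0.5 dst=193.5.65.169 dpt=4348 act=allow",
    "2026-05-28T10:02:15Z src=10.0.0.7 dst=193.5.65.169 dpt=8443 act=allow",
    "2026-05-28T10:03:44Z src=10.0.0.9 dst=8.8.8.8 dpt=53 act=allow",
    "2026-05-28T10:04:10Z src=193.5.65.169 dst=10.0.0.5 dpt=445 act=deny",
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: Optional[int]
    threat_type: str
    confidence: int


def refang(value: str) -> str:
    """Undo the bracket defanging used in the IOC table so values compare to raw logs."""
    return value.replace("[.]", ".").replace("(.)", ".")


def parse_iocs(rows) -> List[Ioc]:
    """Turn (defanged ip:port, threat type, confidence) rows into validated Ioc objects."""
    iocs = []
    for value, threat_type, confidence in rows:
        ip, _, port = refang(value).partition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        iocs.append(Ioc(ip, int(port) if port else None, threat_type, confidence))
    return iocs


def classify(line: str, iocs: List[Ioc]) -> Optional[Tuple[str, Ioc]]:
    """Return the strongest match for one log line, or None.

    'exact' means destination IP and port both match an ip:port indicator;
    'dst_ip_only' and 'src_ip_only' mean only the address matched, which the
    KQL above also surfaces and which still deserves triage.
    """
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    src, dst = fields.get("src"), fields.get("dst")
    dpt = int(fields["dpt"]) if fields.get("dpt", "").isdigit() else None
    weaker = None
    for ioc in iocs:
        if dst == ioc.ip and dpt == ioc.port:
            return ("exact", ioc)
        if dst == ioc.ip and weaker is None:
            weaker = ("dst_ip_only", ioc)
        elif src == ioc.ip and weaker is None:
            weaker = ("src_ip_only", ioc)
    return weaker


def hunt(lines: List[str], iocs: List[Ioc]) -> List[Tuple[str, str, Ioc]]:
    """Run every line through classify() and keep the hits, exact matches first."""
    hits = []
    for line in lines:
        result = classify(line, iocs)
        if result is not None:
            label, ioc = result
            hits.append((line, label, ioc))
    hits.sort(key=lambda h: h[1] != "exact")  # stable sort: exact hits float to the top
    return hits


if __name__ == "__main__":
    for line, label, ioc in hunt(LOG_LINES, parse_iocs(IOC_TABLE)):
        print(f"{label:12} {ioc.ip}:{ioc.port} ({ioc.threat_type}, {ioc.confidence}%) <- {line}")
```

Of the four constructed lines, only the connection to port 4348 is an exact ip:port hit; the connection to port 8443 and the inbound attempt from the address are reported as address-only matches, which is the same breadth the IP-only KQL above produces but with the priority made explicit.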
Scenario: Legitimate Scheduled Backup Job Using RansomHub-Related Tools
Description: A backup process uses a tool like rsync or Veeam and inadvertently matches a hash from a RansomHub IOC due to a hash collision.
Filter/Exclusion: Exclude processes associated with known backup tools (rsync, Veeam, Commvault) or check for the presence of backup-related directories (e.g., /backup, /vm_backups).
Scenario: System Administration Task Involving RansomHub Hashes
Description: An admin is using a tool like hashdeep or md5sum to verify file integrity and the command includes a hash that matches a RansomHub IOC.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges or filter commands containing known hash verification tools.
Scenario: Legitimate Use of PowerShell for System Monitoring
Description: A PowerShell script run by PowerShell.exe is executing a scheduled job to monitor system logs or disk usage, and the script name or command line matches a RansomHub IOC.
Filter/Exclusion: Exclude PowerShell.exe processes that are associated with known monitoring tools (e.g., Splunk, ELK stack) or check for the presence of monitoring-related directories (e.g., /logs, /monitoring).
Scenario: False Positive from Threat Intelligence Feed Update
Description: A threat intelligence feed update includes a hash from RansomHub that is not yet removed from the system, causing a false positive.
Filter/Exclusion: Exclude processes that are part of threat intelligence integration tools (e.g., MISP, ThreatConnect) or filter based on the timestamp of the IOC update.
Scenario: Legitimate Use of Ransomware Research Tools
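The exclusion scenarios above describe tuning rules in prose. The following added example (not part of the original page) turns the backup, monitoring and integrity-check exclusions into a small triage step that runs over constructed IOC hits enriched with process context and records why each hit was suppressed, so the suppressions stay auditable. The `MatchedEvent` fields, the sample events and the `exclusion_reason`/`triage` helpers are assumptions made for this example; `sha256sum` is a constructed addition to the page's list of hash tools.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MatchedEvent:
    """One IOC hit enriched with process context (all values constructed for this example)."""
    device: str
    process: str        # image name of the process that produced the hit
    cmdline: str
    path: str           # working directory the process ran from
    user_is_admin: bool


# Allowlist values taken from the scenarios above; sha256sum is a constructed addition.
BACKUP_TOOLS = ("rsync", "veeam", "commvault")
BACKUP_DIRS = ("/backup", "/vm_backups")
MONITORING_TOOLS = ("splunk", "elk")
MONITORING_DIRS = ("/logs", "/monitoring")
HASH_TOOLS = ("hashdeep", "md5sum", "sha256sum")

# Constructed hits: two legitimate jobs, one hash check, and two that should stay open.
EVENTS = [
    MatchedEvent("bkp-01", "veeam.backup.service.exe",
                 "veeam.backup.service.exe -job nightly", "/vm_backups/nightly", True),
    MatchedEvent("mon-02", "powershell.exe",
                 "powershell.exe -File collect_splunk_logs.ps1", "/monitoring/scripts", False),
    MatchedEvent("web-03", "rsync",
                 "rsync -a /var/www staging:/tmp/stage", "/tmp/stage", False),
    MatchedEvent("ws-04", "svchost.exe",
                 "svchost.exe -k netsvcs", "C:/Windows/Temp", True),
    MatchedEvent("adm-05", "md5sum",
                 "md5sum /srv/release/update.bin", "/srv/release", True),
]


def exclusion_reason(ev: MatchedEvent) -> Optional[str]:
    """Return the scenario that explains a hit as benign, or None to keep it open.

    The backup and monitoring rules require both the tool name AND the expected
    directory (the scenarios above allow either), so a renamed binary running
    from an unexpected location is not silently dropped.
    """
    proc, cmd = ev.process.lower(), ev.cmdline.lower()
    if any(t in proc for t in BACKUP_TOOLS) and ev.path.startswith(BACKUP_DIRS):
        return "backup job"
    if (proc == "powershell.exe" and any(t in cmd for t in MONITORING_TOOLS)
            and ev.path.startswith(MONITORING_DIRS)):
        return "monitoring script"
    if proc in HASH_TOOLS and ev.user_is_admin:
        return "admin integrity check"
    return None


def triage(events: List[MatchedEvent]) -> Tuple[List[MatchedEvent], List[Tuple[MatchedEvent, str]]]:
    """Split hits into those that stay open and those suppressed, each with its reason."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason is None:
            kept.append(ev)
        else:
            excluded.append((ev, reason))
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = triage(EVENTS)
    for ev, reason in excluded:
        print(f"suppressed {ev.device:7} {ev.process:26} reason={reason}")
    for ev in kept:
        print(f"OPEN       {ev.device:7} {ev.process:26} cmd={ev.cmdline}")
```

The rsync hit stays open because it ran from /tmp/stage rather than a backup directory, and the svchost.exe hit stays open because no scenario covers it. The "admin integrity check" rule mirrors the page's scenario as written; of the three it is the weakest discriminator, since elevated accounts are also what a ransomware operator aims to use, so in practice it should be paired with the command-line check for a known hash-verification tool rather than applied on account privilege alone.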