The detection identifies potential RansomHub adversary activity through known IOCs associated with ransomware deployment and lateral movement. SOC teams should proactively hunt for this behavior to detect and mitigate ransomware attacks before data encryption and exfiltration occur.
IOC Summary
Malware Family: RansomHub
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]56[.]162[.]61:443 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 45[.]56[.]162[.]61:6031 | botnet_cc | 2026-05-25 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RansomHub
// Both listed IOCs share this IP, so the query matches on IP regardless of port
let malicious_ips = dynamic(["45.56.162.61"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Run as a separate query: each query declares its own malicious_ips list
let malicious_ips = dynamic(["45.56.162.61"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using RansomHub’s API for testing
Description: A system administrator schedules a backup job that uses RansomHub’s API to test integration with a third-party backup service.
Filter/Exclusion: Exclude traffic to api.ransomhub.com from known backup servers or IP ranges used by the organization’s IT department.
Scenario: Internal tool using RansomHub’s public API for threat intelligence lookup
Description: A security tool within the enterprise uses RansomHub’s public API to fetch threat intelligence data as part of its automated investigation process.
Filter/Exclusion: Exclude traffic to api.ransomhub.com originating from internal security tools or SIEM systems with known IP addresses.
Scenario: Admin task involving RansomHub’s documentation or support portal
Description: A security analyst accesses RansomHub’s official documentation or support portal to research a potential threat or validate an IOC.
Filter/Exclusion: Exclude traffic to support.ransomhub.com or docs.ransomhub.com from user agents associated with internal security teams.
Scenario: Legitimate use of RansomHub’s open-source tool for malware analysis
Description: A malware analysis lab uses RansomHub’s open-source tool for static analysis of suspicious files.
Filter/Exclusion: Exclude traffic to tools.ransomhub.com from known malware analysis environments or sandboxed systems.
Scenario: False positive from a third-party integration using RansomHub’s IOC database
Description: A third-party security integration tool (e.g., CrowdStrike, SentinelOne) pulls RansomHub IOCs as part of its threat feed, leading to false positives.
Filter/Exclusion: Exclude traffic to api.ransomhub.com from known third-party security tools or integration services.
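The following Python is an added example, not part of the original detection content: it refangs the two ip:port indicators from the summary table, matches them against constructed network events the way the KQL queries above do (IP-only match) while also rating exact ip:port hits higher, and applies a source-IP allowlist in the spirit of the exclusion scenarios. The sample events and the allowlisted scanner address 10.0.9.40 are hypothetical.

```python
import ipaddress

# The two ip:port indicators from the IOC summary table, in their defanged form.
IOCS = ["45[.]56[.]162[.]61:443", "45[.]56[.]162[.]61:6031"]

# Constructed sample network events (hypothetical telemetry, not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-05-25T10:01:00Z", "src_ip": "10.0.5.12", "dst_ip": "45.56.162.61", "dst_port": 443, "process": "svchost.exe"},
    {"ts": "2026-05-25T10:02:00Z", "src_ip": "10.0.5.12", "dst_ip": "45.56.162.61", "dst_port": 8443, "process": "powershell.exe"},
    {"ts": "2026-05-25T10:03:00Z", "src_ip": "10.0.9.40", "dst_ip": "45.56.162.61", "dst_port": 6031, "process": "ti-scanner.exe"},
    {"ts": "2026-05-25T10:04:00Z", "src_ip": "10.0.5.13", "dst_ip": "203.0.113.10", "dst_port": 443, "process": "chrome.exe"},
]

def refang(value: str) -> str:
    """Undo common defanging so an indicator can be compared with log fields."""
    return value.replace("[.]", ".").replace("(.)", ".")

def parse_ip_port(ioc: str) -> tuple:
    """Split an 'ip:port' indicator; validate the IP so a mangled indicator fails loudly."""
    host, _, port = refang(ioc).rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return host, int(port)

def hunt(events, iocs, allowlist=frozenset()):
    """Return (event, confidence) pairs for traffic to the indicators.

    An exact ip:port match is rated high. A bare IP match on another port is
    rated medium: the KQL queries above match on IP alone, so this keeps their
    recall while showing which hits the port data corroborates. Events whose
    source IP is in allowlist are dropped, the same exclusion pattern as the
    false positive scenarios.
    """
    exact = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in exact}
    hits = []
    for e in events:
        if e["src_ip"] in allowlist:
            continue
        if (e["dst_ip"], e["dst_port"]) in exact:
            hits.append((e, "high"))
        elif e["dst_ip"] in ips:
            hits.append((e, "medium"))
    return hits

if __name__ == "__main__":
    # 10.0.9.40 stands in for a hypothetical internal threat-intel scanner.
    for event, confidence in hunt(SAMPLE_EVENTS, IOCS, allowlist={"10.0.9.40"}):
        print(confidence, event["ts"], event["src_ip"], "->", f'{event["dst_ip"]}:{event["dst_port"]}', event["process"])
```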