The detection identifies potential RansomHub adversary activity through known IOCs associated with ransomware deployment and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ransomware attacks before significant data loss or operational disruption occurs.
IOC Summary
Malware Family: RansomHub
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 108[.]181[.]115[.]254:443 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 108[.]181[.]115[.]254:7045 | botnet_cc | 2026-06-13 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RansomHub
// The feed entries are ip:port (443 and 7045); matching on the IP alone is
// deliberately broader, so DestinationPort is projected for the analyst to check.
let malicious_ips = dynamic(["108.181.115.254"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so hits on the non-standard port 7045 stand out.
let malicious_ips = dynamic(["108.181.115.254"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate system backup using Veeam Backup & Replication
Description: A scheduled backup job using Veeam may generate network traffic that matches RansomHub IOCs, especially if the backup destination is a remote server.
Filter/Exclusion: Exclude traffic originating from or destined to Veeam backup servers, or filter based on known Veeam IP ranges or domain names.
Scenario: Admin task using PowerShell for log management
Description: An administrator may use PowerShell scripts (e.g., Invoke-Command, Export-EventLog) to collect and transfer logs to a SIEM system, which could resemble RansomHub’s behavior.
Filter/Exclusion: Exclude PowerShell scripts executed by users with administrative privileges or those associated with log management tools like Splunk or ELK Stack.
Scenario: Scheduled job for database backups using SQL Server Agent
Description: A SQL Server Agent job may initiate network connections to a remote backup storage location, which could be flagged as suspicious if the destination IP matches RansomHub IOCs.
Filter/Exclusion: Exclude connections initiated by SQL Server Agent jobs or those using known backup-related services and ports (e.g., port 445 for SMB).
Scenario: Remote desktop session using Microsoft Remote Desktop Services (RDP)
Description: An RDP session may involve outbound traffic to a remote server, which could be mistaken for C2 activity if the destination IP is associated with RansomHub.
Filter/Exclusion: Exclude traffic from RDP sessions by checking the source IP against known internal RDP clients or by filtering based on the presence of RDP-related headers or session IDs.
Scenario: Software update process using Microsoft Endpoint Configuration Manager (MECM)
Description: MECM may initiate outbound traffic to Microsoft update servers, which could be flagged if the traffic
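The two hunting queries above match on the IP only and leave the false-positive handling to the analyst. The query below is an added example (not part of the original page or its source feed) that combines both: it keeps the ip:port granularity of the two ThreatFox entries, runs them against both Sentinel tables at once, and handles the backup and admin scenarios listed above with a verified-benign allowlist. The IOC rows are the page's two entries, refanged; the allowlist row is a placeholder and must be replaced with destinations an analyst has actually verified (for example the organisation's own Veeam repository or SQL backup target).

```kql
// Added example, not from the original page: port-aware hunt across
// CommonSecurityLog and DeviceNetworkEvents with feed-level exclusions.
let iocs = datatable(ip:string, port:int)
[
    "108.181.115.254", 443,
    "108.181.115.254", 7045
];
// Placeholder allowlist: only destinations an analyst has confirmed as benign
// (a backup repository, an update server) belong here. Replace or empty it.
let verified_benign = datatable(ip:string, port:int, reason:string)
[
    "198.51.100.20", 443, "placeholder: verified Veeam repository"
];
// Exclusions are applied to the feed, not to the source host or process, so a
// genuine hit from a backup or SQL server still surfaces.
let active_iocs = iocs
    | join kind=leftanti verified_benign on ip, port;
// Firewall / proxy view
let csl = CommonSecurityLog
    | join kind=inner active_iocs on $left.DestinationIP == $right.ip and $left.DestinationPort == $right.port
    | project TimeGenerated, Source="CommonSecurityLog", Host=DeviceName,
              SourceIP, DestinationIP, DestinationPort, Process="", Action=DeviceAction;
// Endpoint view
let dne = DeviceNetworkEvents
    | join kind=inner active_iocs on $left.RemoteIP == $right.ip and $left.RemotePort == $right.port
    | project TimeGenerated=Timestamp, Source="DeviceNetworkEvents", Host=DeviceName,
              SourceIP=LocalIP, DestinationIP=RemoteIP, DestinationPort=RemotePort,
              Process=InitiatingProcessFileName, Action=ActionType;
csl
| union dne
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Hits=count(),
            Processes=make_set(Process), Actions=make_set(Action)
    by Source, Host, SourceIP, DestinationIP, DestinationPort
// 7045 is not a standard service port, so a backup or admin tool reaching it
// is unexpected and ranks above the 443 matches.
| extend Priority = iff(DestinationPort == 7045, "high", "medium")
| order by Priority asc, LastSeen desc
```

Suppressing by source host or initiating process, as the scenarios above suggest, would also hide a Veeam or SQL Server Agent host that has been compromised and is reaching the C2 address; putting the exclusion on the destination side keeps that case visible while still removing feed entries that turned out to be the organisation's own services. The Processes set in the output is what distinguishes the two: a backup agent talking to its repository versus an unfamiliar binary on the same host.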