The detection identifies potential RansomHub adversary activity through known IOCs associated with ransomware deployment and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ransomware attacks before significant data loss or system compromise occurs.
IOC Summary
Malware Family: RansomHub
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]123[.]240[.]236:443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 195[.]123[.]240[.]236:8274 | botnet_cc | 2026-05-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RansomHub
// The IOCs are ip:port pairs (ports 443 and 8274); matching on the IP alone
// also surfaces connections to the same host on other ports.
let malicious_ips = dynamic(["195.123.240.236"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are kept so hits can be triaged
// against the IOC ports and against known benign processes.
let malicious_ips = dynamic(["195.123.240.236"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
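The two hunts above match on IP only, while the IOCs are ip:port pairs. The following Python script is an added example, not part of the original detection note: it refangs the defanged IOCs from the table, generates the `let malicious_ips` line used by the KQL queries, and then grades constructed sample network events (in the shape of `DeviceNetworkEvents` rows) as a full ip:port match or an IP-only match, with an optional process-name exclusion of the kind used for tuning. The sample events and the process name `backup_agent.exe` are constructed for illustration and are not from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# IOCs copied from the table above, still in defanged form.
DEFANGED_IOCS = [
    "195[.]123[.]240[.]236:443",
    "195[.]123[.]240[.]236:8274",
]


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with log fields."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an ip:port IOC into (ip, port); reject anything that is not IPv4:port."""
    ip, _, port = refang(ioc).rpartition(":")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)


def build_kql_let(iocs: list[str]) -> str:
    """Emit the 'let malicious_ips = dynamic([...])' line used by the KQL hunts."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


@dataclass(frozen=True)
class NetEvent:
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample events; none of these come from real telemetry.
SAMPLE_EVENTS = [
    NetEvent("2026-05-11T01:02:03Z", "ws01", "195.123.240.236", 443, "svchost.exe"),
    NetEvent("2026-05-11T01:05:00Z", "ws02", "195.123.240.236", 5555, "chrome.exe"),
    NetEvent("2026-05-11T01:06:00Z", "ws03", "10.0.0.5", 443, "outlook.exe"),
    NetEvent("2026-05-11T01:07:00Z", "srv01", "195.123.240.236", 8274, "backup_agent.exe"),
]

# Hypothetical tuning allowlist (process names are placeholders, not real products).
EXCLUDED_PROCESSES = frozenset({"backup_agent.exe"})


def hunt(events: list[NetEvent], iocs: list[str],
         excluded_processes: frozenset[str] = frozenset()) -> list[tuple[NetEvent, str]]:
    """Return (event, confidence) pairs: 'high' for an exact ip:port hit, 'medium' for IP only."""
    exact = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in exact}
    hits: list[tuple[NetEvent, str]] = []
    for e in events:
        if e.process.lower() in excluded_processes:
            continue  # tuned out; still worth a periodic review of the allowlist
        if (e.remote_ip, e.remote_port) in exact:
            hits.append((e, "high"))
        elif e.remote_ip in ips:
            hits.append((e, "medium"))
    return hits


if __name__ == "__main__":
    print(build_kql_let(DEFANGED_IOCS))
    for event, confidence in hunt(SAMPLE_EVENTS, DEFANGED_IOCS, EXCLUDED_PROCESSES):
        print(f"{confidence:6} {event.device} -> {event.remote_ip}:{event.remote_port} ({event.process})")
```

Running the script without the exclusion list returns three hits; with `EXCLUDED_PROCESSES` applied, the `backup_agent.exe` connection is dropped even though it is an exact ip:port match, which is exactly why exclusions should be narrow and reviewed rather than applied to whole process families.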
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Backup Job Using RansomHub-Related Tools
Description: A backup process uses a tool like rsync or Veeam that coincidentally shares a filename or hash with RansomHub IOCs.
Filter/Exclusion: Exclude processes related to backup tools (e.g., rsync, VeeamBackup, Veritas) or filter by file paths common to backup operations.
Scenario: Admin Task Involving RansomHub-Related Hashes in Log Files
Description: System administrators may manually check hashes of known malware (e.g., RansomHub) for analysis, leading to false positives in log files.
Filter/Exclusion: Exclude log entries containing known benign hashes or filter by user accounts with admin privileges (e.g., root, admin, sysadmin).
Scenario: Legitimate Use of PowerShell for System Monitoring
Description: A PowerShell script run through PowerShell.exe for system monitoring or compliance checks includes strings or hashes that match RansomHub IOCs.
Filter/Exclusion: Exclude processes launched by known monitoring scripts (e.g., PowerShell.exe -File monitoring_script.ps1) or filter by process names like PowerShell.exe.
Scenario: False Positive from Threat Intelligence Feed Update
Description: A threat intelligence feed updates with RansomHub IOCs, and the system incorrectly flags benign files or processes that match these hashes.
Filter/Exclusion: Exclude files or processes that are part of recent threat intelligence updates or filter by source IP addresses of trusted threat intelligence feeds.
Scenario: Legitimate Use of RansomHub-Related Strings in Internal Tools
Description: An internal tool or script (e.g., internal_tool.exe) uses strings or hashes related