The detection identifies potential RansomHub adversary activity through known IOCs associated with ransomware deployment and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ransomware attacks before they encrypt critical assets.
IOC Summary
Malware Family: RansomHub
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]123[.]240[.]236:443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 195[.]123[.]240[.]236:8274 | botnet_cc | 2026-05-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RansomHub
// Note: the IOCs are ip:port pairs; this query matches on IP alone
let malicious_ips = dynamic(["195.123.240.236"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["195.123.240.236"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
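As an added example (not part of the original rule), the same hunt in Python over constructed CommonSecurityLog-style rows: it refangs the page's ip:port IOCs and shows the difference between the KQL's IP-only match and a stricter ip:port match. The row fields and sample rows are assumptions made for illustration.

```python
import ipaddress

# IOC values exactly as published on this page (defanged ip:port)
DEFANGED_IOCS = ["195[.]123[.]240[.]236:443", "195[.]123[.]240[.]236:8274"]


def refang(value: str) -> str:
    """Turn a defanged indicator back into a usable one ('[.]' -> '.')."""
    return value.replace("[.]", ".")


def parse_ioc(value: str) -> tuple:
    """Split a refanged 'ip:port' IOC into (ip, port); raises on a malformed IP."""
    ip, port = refang(value).rsplit(":", 1)
    ipaddress.ip_address(ip)
    return ip, int(port)


IOC_PAIRS = {parse_ioc(v) for v in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


def hunt(rows, strict_port=False):
    """Return rows whose source or destination matches an IOC.
    strict_port=False mirrors the page's KQL (IP only);
    strict_port=True also requires the published port."""
    hits = []
    for row in rows:
        for ip_key, port_key in (("DestinationIP", "DestinationPort"),
                                 ("SourceIP", "SourcePort")):
            ip, port = row.get(ip_key), row.get(port_key)
            if ip not in IOC_IPS:
                continue
            if strict_port and (ip, port) not in IOC_PAIRS:
                continue
            hits.append(row)
            break
    return hits


# Constructed sample rows (hypothetical hosts and timestamps)
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-11T08:01:00Z", "SourceIP": "10.0.0.5",
     "SourcePort": 51422, "DestinationIP": "195.123.240.236", "DestinationPort": 443},
    {"TimeGenerated": "2026-05-11T08:02:00Z", "SourceIP": "10.0.0.7",
     "SourcePort": 51500, "DestinationIP": "195.123.240.236", "DestinationPort": 80},
    {"TimeGenerated": "2026-05-11T08:03:00Z", "SourceIP": "10.0.0.9",
     "SourcePort": 51601, "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
```

The second sample row shows the trade-off: the IP-only hunt flags any traffic to the listed host, while the port-strict variant only flags the published C2 ports.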
Scenario: Legitimate scheduled backup job using RansomHub tool
Description: A scheduled job runs a legitimate backup script that uses the RansomHub tool for data archiving.
Filter/Exclusion: Exclude processes associated with the backup scheduler (e.g., vssadmin, wbadmin, or specific backup service names) or filter by process name like backup_script.exe.
Scenario: Admin task using RansomHub for data migration
Description: An administrator uses RansomHub to migrate data between servers as part of a routine migration task.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges or filter by user context (e.g., Administrator or Domain Admin).
Scenario: Legitimate endpoint protection tool using RansomHub API
Description: A security tool or EDR solution uses the RansomHub API to check for known malicious files or behaviors.
Filter/Exclusion: Exclude processes related to endpoint protection tools (e.g., Microsoft Defender, CrowdStrike, or SentinelOne) or filter by process name or parent process.
Scenario: System update or patching process using RansomHub
Description: A system update or patching process temporarily uses RansomHub to verify or apply patches.
Filter/Exclusion: Exclude processes related to system update tools (e.g., Windows Update, WSUS, or SCCM) or filter by process name or parent process.
Scenario: Legitimate log analysis tool querying RansomHub database
Description: A log analysis tool queries the RansomHub database to check for known malicious hashes or indicators.
Filter/Exclusion: Exclude processes related to log analysis tools (e.g., Splunk, ELK Stack, or SIEM) or filter by process name or