Threat Intelligence Tarot
Vol. II · 102
Criminal (Russia-linked, global affiliates)
★★★★★
risk 4/5
✦ The Auction House ✦
RansomHub
Cyclops · Knight successor
HealthcareCritical infrastructureGovernmentTechnologyWater utilities
Active since February 2024 · Financial extortion, RaaS platform
The Auction House puts everything under the hammer: hospital records, government databases, critical infrastructure access. It offers affiliates the highest payout split in the ransomware ecosystem and receives the most motivated criminals in return.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
Notable Operations
- ◆Change Healthcare attack (2024, $22M ransom paid, national prescription disruption)
- ◆Christie's auction house breach during major sale period
- ◆Frontier Communications breach
- ◆210+ victims in first 6 months (FBI advisory August 2024)
Defenses
- ▸MFA mandatory on all internet-facing remote access with no exceptionsNIST CSF: PR.AC ↗
- ▸Critical infrastructure sector information sharing via CISA advisoriesNIST CSF: ID.RA ↗
- ▸Healthcare supply chain risk assessment for third-party payment processorsCIS Control 15 ↗
- ▸Business continuity planning tested annually for critical system loss scenariosNIST CSF: RC.RP ↗
Reversed: Their Weakness
Its rapid growth attracted law enforcement attention in its first year. Organizations that closed the specific Change Healthcare VPN access path (no MFA) would have stopped the most damaging healthcare attack in US history.
Share this adversary profile
Compare →swipe to browse
Related Adversaries
Data sourced from MITRE ATT&CK. For educational purposes.