Skip to content
Ransomware group EsxiLinuxWindows

RansomHub

RansomHub is a ransomware-as-a-service operation that emerged in February 2024 and rapidly became one of the most active post-LockBit and post-ALPHV ransomware brands.

Profile source: Mallory opens in a new tab

RansomHub

Family profile

RansomHub is a ransomware-as-a-service operation that emerged in February 2024 and rapidly became one of the most active post-LockBit and post-ALPHV ransomware brands. Its operators provide encryptors and supporting infrastructure to affiliates in exchange for a share of proceeds, with reporting indicating unusually favorable affiliate terms and direct payment handling by affiliates. The operation is commonly described as prohibiting attacks against CIS countries and several politically sensitive states, consistent with patterns seen in Russian-speaking cybercriminal ecosystems.

RansomHub’s malware is based on repurposed Knight source code and supports attacks against Windows, Linux, and VMware ESXi environments. Builds have been reported as password-protected prior to execution, and the broader operation is associated with double-extortion activity in which data theft precedes encryption and public leak-site pressure. RansomHub has been linked to damaging intrusions across multiple sectors, including healthcare, and became notable for attracting experienced affiliates after disruption of rival ransomware programs.

A distinguishing feature of the ecosystem around RansomHub is its development and maintenance of EDRKillShifter, a custom endpoint-defense killer used by affiliates to disable security products through bring-your-own-vulnerable-driver techniques. Reporting also links RansomHub intrusions to credential theft and post-compromise tradecraft including use of NirSoft credential-recovery tools, Mimikatz, remote administration software, PowerShell, PsExec, and common lateral-movement and reconnaissance utilities. Observed access paths associated with RansomHub deployments include phishing and fake browser update chains via SocGholish, exploitation of public-facing vulnerabilities such as CVE-2023-46604, compromised remote access services, stolen credentials, and access obtained through affiliates or initial access brokers.

RansomHub has also been associated with prominent affiliate ecosystems and criminal partnerships. Scattered Spider has been reported as a RansomHub affiliate or partner in some periods, and multiple reports describe overlap or migration between RansomHub affiliates and other ransomware brands including Play, Medusa, BianLian, Qilin, and DragonForce. In 2025, the operation appeared to suffer major disruption or shutdown, with some reporting suggesting infrastructure takeover or affiliate migration to competing ransomware services.

Capabilities

  • Byovd
  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Lateral Movement
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Defense Evasion

  • Acronis Disk Director
  • BadRentdrv2
  • Revo Uninstaller
  • ThreatFire System Monitor driver (BYOVD)

Discovery Enum

  • Angry IP Scanner
  • Nmap
  • SoftPerfect NetScan
  • WKTools

Exfiltration

  • FileZilla
  • PSCP
  • RClone
  • WinSCP

LOLBAS

  • BITSAdmin
  • PsExec
  • WMIC

Networking

  • Cloudflared
  • Ngrok
  • Stowaway

Offsec

  • Cobalt Strike
  • CrackMapExec
  • Impacket
  • Kerbrute
  • Metasploit
  • NetExec
  • Sliver

RMM Tools

  • AnyDesk
  • Atera
  • N-Able
  • ScreenConnect
  • Splashtop
  • TightVNC

Reported operators

Threat actors

9 named in public reporting
Scattered Spider

They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...

DragonForce

The user @dragonforce ... stated, “It has been decided that RansomHub’s infrastructure will be transferred to DragonForce, and the two groups are in a partnership.”

RansomHub

These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)

GOLD HARVEST

RansomHub is one of the most prolific groups to emerge following the LockBit disruption and ALPHV (also known as BlackCat) demise in 2024.

Indrik Spider

New to the top three market share boards were RansomHub and Fog ransomware. RansomHub has been gaining share throughout 2024, despite its alleged ties to Evil Corp.

Andariel

RansomHub, a new RaaS gang that emerged around the time of Operation Cronos... It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight.

CosmicBeetle

RansomHub, a new RaaS gang that emerged around the time of Operation Cronos... It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight.

SocGholish

"RansomHub is a RaaS operation that was first observed in February 2024."

ShadowSyndicate

"RansomHub is revisited with new insights on this ransomware-as-a-service (RaaS) platform... RansomHub is known for employing double extortion attacks, encrypting data using 'Curve25519' encryption."

Exploited software

Vulnerabilities linked to RansomHub

12 CVEs

MITRE ATT&CK

RansomHub in ATT&CK

95 distinct techniques

Techniques

95 techniques
T1486 Data Encrypted for Impact T1105 Ingress Tool Transfer T1189 Drive-by Compromise T1562.001 Disable or Modify Tools T1203 Exploitation for Client Execution T1657 Financial Theft T1567 Exfiltration Over Web Service T1562 Impair Defenses T1489 Service Stop T1059.003 Windows Command Shell T1057 Process Discovery T1547.001 Registry Run Keys / Startup Folder T1082 System Information Discovery T1497 Virtualization/Sandbox Evasion T1027 Obfuscated Files or Information T1027.013 Encrypted/Encoded File T1070.004 File Deletion T1070 Indicator Removal T1140 Deobfuscate/Decode Files or Information T1018 Remote System Discovery T1490 Inhibit System Recovery T1041 Exfiltration Over C2 Channel T1003 OS Credential Dumping T1078 Valid Accounts T1656 Impersonation T1537 Transfer Data to Cloud Account T1562.009 Safe Mode Boot T1491.001 Internal Defacement T1497.003 Time Based Checks T1135 Network Share Discovery T1059.001 PowerShell T1480 Execution Guardrails T1070.001 Clear Windows Event Logs T1090 Proxy T1021.002 SMB/Windows Admin Shares T1083 File and Directory Discovery T1078.003 Valid Accounts: Local Accounts T1190 Exploit Public-Facing Application T1566.001 Phishing: Spearphishing Attachment T1566.004 Phishing: Spearphishing Voice T1047 Windows Management Instrumentation T1059 Command and Scripting Interpreter T1059.006 Command and Scripting Interpreter: Python T1098 Account Manipulation T1133 External Remote Services T1136 Create Account T1136.001 Create Account: Local Account T1136.002 Create Account: Domain Account T1547 Boot or Logon Autostart Execution T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL T1068 Exploitation for Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass UAC T1027.009 Obfuscated Files or Information: Embedded Payloads T1036 Masquerading T1055.012 Process Injection: Process Hollowing T1112 Modify Registry T1134 Access Token Manipulation T1134.001 Access Token Manipulation: Token Impersonation/Theft T1222.001 File and Directory Permissions Modification: Windows Permissions T1484.001 Domain or Tenant Policy Modification: Group Policy Modification T1564 Hidden Artifacts T1564.003 Hidden Artifacts: Hidden Window T1620 Reflective DLL Injection T1003.001 OS Credential Dumping: LSASS Memory T1003.003 OS Credential Dumping: NTDS T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow T1110 Brute Force T1110.003 Brute Force: Password Spraying T1555.005 Credentials from Password Stores: Password Managers T1007 System Service Discovery T1016.001 Internet Connection Discovery T1033 System Owner/User Discovery T1046 Network Service Discovery T1087 Account Discovery T1087.001 Account Discovery: Local Account T1087.002 Account Discovery: Domain Account T1120 Peripheral Device Discovery T1482 Domain Trust Discovery T1021 Remote Services T1021.001 Remote Services: Remote Desktop Protocol T1021.004 Remote Services: SSH T1210 Exploitation of Remote Services T1570 Lateral Tool Transfer T1005 Data from Local System T1048 Exfiltration Over Alternative Protocol T1048.002 Exfiltration Over Alternative Protocol: Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage T1071.001 Application Layer Protocol: Web Protocols T1102.002 Web Service: Bidirectional Communication T1219 Remote Access Tools T1529 System Shutdown/Reboot T1531 Account Access Removal T1561.001 Disk Wipe: Disk Content Wipe T1586 Compromise Accounts

Reporting

Research mentioning RansomHub

Jul 10
Threataft

Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft

RansomHub operators have also been observed using the same combination of tools to compromise networks.

Jul 1
Huntress

How the RaaS Business Model Actually Works | Huntress

In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...

Jun 30
Bleeping Computer

Insurance giant Aflac discloses data breach after subsidiary hack

They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...

Jun 19
Security Affairs

14,971 WordPress Sites Cleaned in Global SocGholish Takedown

TA569’s SocGholish inject activity has been linked to major ransomware families and criminal syndicates. Those families include WastedLocker, LockBit, and RansomHub.

Jun 19
Security Week

15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown - SecurityWeek

Orange’s cyber defense unit observed SocGholish delivering loaders like Gholoader and MintsLoader, which eventually led to payloads such as the GhostWeaver PowerShell backdoor, LockBit and RansomHub ransomware...

Apr 20
Eset Welivesecurity

Ransomware’s back office: What the ransom note won’t say

For example, when LockBit and BlackCat were disrupted by law enforcement in 2024, their affiliates moved mainly to RansomHub.

Apr 2
Socradar

BLACKNET-00: The Ransomware-as-a-Service Platform That Weaponizes Mediocrity

Following the law enforcement takedowns of LockBit and ALPHV/BlackCat, their affiliate networks dispersed into new platforms like RansomHub, Qilin, Akira, and DragonForce...

Mar 24
Help Net Security

Attackers are handing off access in 22 seconds, Mandiant finds - Help Net Security

In a 2025 investigation, roughly 70 minutes elapsed between the FAKEUPDATES infection and UNC2165’s earliest interactive activity. UNC2165 ultimately destroyed backups and deployed RansomHub ransomware across Windows and virtual management servers.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.