Credential Theft
- Mimikatz
RansomHub is a ransomware-as-a-service operation that emerged in February 2024 and rapidly became one of the most active post-LockBit and post-ALPHV ransomware brands.
Profile source: Mallory opens in a new tabRansomHub
RansomHub is a ransomware-as-a-service operation that emerged in February 2024 and rapidly became one of the most active post-LockBit and post-ALPHV ransomware brands. Its operators provide encryptors and supporting infrastructure to affiliates in exchange for a share of proceeds, with reporting indicating unusually favorable affiliate terms and direct payment handling by affiliates. The operation is commonly described as prohibiting attacks against CIS countries and several politically sensitive states, consistent with patterns seen in Russian-speaking cybercriminal ecosystems.
RansomHub’s malware is based on repurposed Knight source code and supports attacks against Windows, Linux, and VMware ESXi environments. Builds have been reported as password-protected prior to execution, and the broader operation is associated with double-extortion activity in which data theft precedes encryption and public leak-site pressure. RansomHub has been linked to damaging intrusions across multiple sectors, including healthcare, and became notable for attracting experienced affiliates after disruption of rival ransomware programs.
A distinguishing feature of the ecosystem around RansomHub is its development and maintenance of EDRKillShifter, a custom endpoint-defense killer used by affiliates to disable security products through bring-your-own-vulnerable-driver techniques. Reporting also links RansomHub intrusions to credential theft and post-compromise tradecraft including use of NirSoft credential-recovery tools, Mimikatz, remote administration software, PowerShell, PsExec, and common lateral-movement and reconnaissance utilities. Observed access paths associated with RansomHub deployments include phishing and fake browser update chains via SocGholish, exploitation of public-facing vulnerabilities such as CVE-2023-46604, compromised remote access services, stolen credentials, and access obtained through affiliates or initial access brokers.
RansomHub has also been associated with prominent affiliate ecosystems and criminal partnerships. Scattered Spider has been reported as a RansomHub affiliate or partner in some periods, and multiple reports describe overlap or migration between RansomHub affiliates and other ransomware brands including Play, Medusa, BianLian, Qilin, and DragonForce. In 2025, the operation appeared to suffer major disruption or shutdown, with some reporting suggesting infrastructure takeover or affiliate migration to competing ransomware services.
Ransomware.live
Reported operators
They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...
The user @dragonforce ... stated, “It has been decided that RansomHub’s infrastructure will be transferred to DragonForce, and the two groups are in a partnership.”
These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)
RansomHub is one of the most prolific groups to emerge following the LockBit disruption and ALPHV (also known as BlackCat) demise in 2024.
New to the top three market share boards were RansomHub and Fog ransomware. RansomHub has been gaining share throughout 2024, despite its alleged ties to Evil Corp.
RansomHub, a new RaaS gang that emerged around the time of Operation Cronos... It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight.
RansomHub, a new RaaS gang that emerged around the time of Operation Cronos... It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight.
"RansomHub is a RaaS operation that was first observed in February 2024."
"RansomHub is revisited with new insights on this ransomware-as-a-service (RaaS) platform... RansomHub is known for employing double extortion attacks, encrypting data using 'Curve25519' encryption."
Exploited software
MITRE ATT&CK
Reporting
RansomHub operators have also been observed using the same combination of tools to compromise networks.
In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...
They've also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce...
TA569’s SocGholish inject activity has been linked to major ransomware families and criminal syndicates. Those families include WastedLocker, LockBit, and RansomHub.
Orange’s cyber defense unit observed SocGholish delivering loaders like Gholoader and MintsLoader, which eventually led to payloads such as the GhostWeaver PowerShell backdoor, LockBit and RansomHub ransomware...
For example, when LockBit and BlackCat were disrupted by law enforcement in 2024, their affiliates moved mainly to RansomHub.
Following the law enforcement takedowns of LockBit and ALPHV/BlackCat, their affiliate networks dispersed into new platforms like RansomHub, Qilin, Akira, and DragonForce...
In a 2025 investigation, roughly 70 minutes elapsed between the FAKEUPDATES infection and UNC2165’s earliest interactive activity. UNC2165 ultimately destroyed backups and deployed RansomHub ransomware across Windows and virtual management servers.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.