RansomHub
RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in February 2024 and rapidly became one of the most active ransomware brands after the disruption of LockBit and ALPHV/BlackCat. Multiple sources state that it absorbed displaced affiliates from those groups, and some reporting assesses it as a rebrand or evolution of Knight, with an encryptor built from repurposed Knight source code. The operation advertised favorable affiliate terms, including affiliates handling ransom payments directly and a 90% revenue share, and supported Windows, Linux, and VMware ESXi encryptors. Later reporting notes that RansomHub went offline or dormant in 2025.
RansomHub is associated with double-extortion activity and broad enterprise targeting. Affiliates exfiltrate data and then deploy encryption tools, often using legitimate administrative utilities, and the group has targeted organizations in Europe and North America across healthcare, finance, government services, critical infrastructure, manufacturing, legal, automotive, technology, and other sectors. One cited source links RansomHub to more than 200 attacks since February 2024 and notes targeting of U.S. government organizations. Healthcare reporting specifically credits its affiliate model with enabling some of the most damaging attacks on that sector in 2025.
Observed behavior includes internal network discovery and pre-encryption preparation. RansomHub can enumerate all machines reachable from an infected system. Incident reporting describes affiliates scanning the internal network, harvesting credentials, retrieving backup passwords, destroying backups, and deploying ransomware across Windows systems and virtualization management servers; VMware ESXi hosts and broader virtualization infrastructure are also targeted. In one Talos-reported case, operators maintained access for over a month before execution and used a compromised Administrator account to execute the ransomware, dump credentials, and run scans with a commercial network scanning tool. A previously unseen persistence technique was also reported in which operators modified Windows Firewall settings to enable remote access shortly before ransomware execution.
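The firewall change and the backup destruction described above are pre-encryption activity that process-creation telemetry can catch before the encryptor runs. The following is an added example, not code from this page or from any of the cited vendors: it runs narrow behaviour-class rules over constructed Sysmon event 1 / Security 4688 style records and rates a host higher when a remote-access firewall change and a backup-destruction command occur within a short window of each other. The records, hostnames and command lines are constructed for the example; the commands are generic instances of the behaviour classes, not the exact commands reported in the Talos case.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in the shape of Sysmon event 1 /
# Security 4688 (timestamp, host, user, command line). They are not telemetry
# from any RansomHub case; the command lines are generic examples of the
# behaviour classes the reporting describes, not the affiliates' exact commands.
EVENTS = [
    {"ts": "2025-01-10T02:01:07", "host": "FS01", "user": "CORP\\Administrator",
     "cmd": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"ts": "2025-01-10T02:03:40", "host": "FS01", "user": "CORP\\Administrator",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-01-10T02:03:55", "host": "FS01", "user": "CORP\\Administrator",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2025-01-10T02:04:10", "host": "FS01", "user": "CORP\\Administrator",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2025-01-10T03:30:00", "host": "SQL02", "user": "CORP\\Administrator",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2025-01-10T09:15:00", "host": "WS22", "user": "CORP\\helpdesk",
     "cmd": "netsh advfirewall firewall show rule name=all"},
    {"ts": "2025-01-09T11:00:00", "host": "BK01", "user": "CORP\\backupsvc",
     "cmd": "vssadmin list shadows"},
]

# Behaviour classes. Patterns are deliberately narrow: enabling inbound remote
# access (the RDP rule group or port 3389) and destroying recovery data.
RULES = {
    "firewall_remote_access": [
        re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set)\s+rule.*?"
                   r"(remote\s*desktop|localport=3389).*?(enable=yes|action=allow)", re.I),
        re.compile(r"(Set|Enable)-NetFirewallRule.*?(Remote\s*Desktop|3389)", re.I),
    ],
    "backup_destruction": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I),
        re.compile(r"bcdedit(\.exe)?.*?recoveryenabled\s+no", re.I),
    ],
}


def classify(cmd):
    """Return the set of behaviour classes a command line matches."""
    return {name for name, patterns in RULES.items() if any(p.search(cmd) for p in patterns)}


def correlate(events, window=timedelta(minutes=30)):
    """Group matching events per host. A host is rated 'high' when a remote-access
    firewall change and a backup-destruction command occur within `window` of
    each other, 'medium' for backup destruction alone and 'low' for the firewall
    change alone. Hosts with no matching events are omitted."""
    per_host = {}
    for ev in events:
        tags = classify(ev["cmd"])
        if not tags:
            continue
        entry = per_host.setdefault(ev["host"], {"hits": [], "users": set()})
        entry["hits"].append((datetime.fromisoformat(ev["ts"]), tags))
        entry["users"].add(ev["user"])

    alerts = {}
    for host, entry in per_host.items():
        fw = [t for t, tags in entry["hits"] if "firewall_remote_access" in tags]
        bk = [t for t, tags in entry["hits"] if "backup_destruction" in tags]
        close = any(abs(f - b) <= window for f in fw for b in bk)
        severity = "high" if close else ("medium" if bk else "low")
        times = sorted(t for t, _ in entry["hits"])
        cats = set().union(*(tags for _, tags in entry["hits"]))
        alerts[host] = {
            "severity": severity,
            "hits": len(entry["hits"]),
            "categories": sorted(cats),
            "users": sorted(entry["users"]),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return alerts


if __name__ == "__main__":
    for host, alert in sorted(correlate(EVENTS).items()):
        print(host, alert)
```

The 30-minute window is an assumption chosen for the example; the reported case had a month-long dwell time, so the point of the correlation is the tight clustering immediately before execution, not the whole intrusion.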
RansomHub and its affiliate ecosystem are also linked to anti-defense tooling. ESET identified EDRKillShifter as a custom EDR killer developed and maintained by RansomHub and offered to affiliates from May 2024. It follows the bring-your-own-vulnerable-driver (BYOVD) pattern, loading a vulnerable signed driver to disable security software from kernel mode, and was later observed in intrusions beyond strictly RansomHub cases. Sophos also observed HeartCrypt-packed AV-killer payloads in RansomHub-related incidents, including a VMProtect-packed AV killer targeting ESET, HitmanPro, Kaspersky, Sophos, and Symantec products. Talos further reported use of a Veeam password stealer and KMS Auto in RansomHub intrusions.
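EDRKillShifter and similar AV killers depend on getting a vulnerable driver loaded, which surfaces as a driver-load event. The block below is an added example, not ESET's or Sophos's tooling: it triages constructed Sysmon event 6 (DriverLoad) records by blocklist hash, signature status, load path and signer, and ranks the suspicious ones. The field names are Sysmon's; the blocklist entry, hashes, paths and signer names are constructed placeholders (the "bad" hash is the SHA-256 of a fixed string), and the weights are an assumption for the example. In production the blocklist would come from Microsoft's recommended driver block rules or a vendor feed.

```python
import hashlib


def _hashes(label):
    """Build a Sysmon-style Hashes field from a fixed label so no real driver
    hash is asserted anywhere in this example."""
    return "SHA1=%s,SHA256=%s" % (hashlib.sha1(label).hexdigest().upper(),
                                  hashlib.sha256(label).hexdigest().upper())


# Constructed Sysmon event 6 (DriverLoad) records; signer names are fictitious.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": _hashes(b"constructed-ndis"),
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\Music\\drv.sys",
     "Hashes": _hashes(b"constructed-vulnerable-driver"),
     "Signed": "true", "Signature": "Contoso Hardware Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\ProgramData\\tool\\helper.sys",
     "Hashes": _hashes(b"constructed-expired-driver"),
     "Signed": "true", "Signature": "Example Drivers GmbH", "SignatureStatus": "Expired"},
]

# Placeholder blocklist holding the constructed hash of the second event.
BLOCKED_SHA256 = {hashlib.sha256(b"constructed-vulnerable-driver").hexdigest()}
EXPECTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")
WEIGHTS = {"blocklisted_hash": 10, "user_writable_path": 5, "non_standard_path": 3,
           "signature_not_valid": 4, "unexpected_signer": 2}


def parse_hashes(field):
    """Sysmon's Hashes field is 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage(event):
    """Return the findings for one DriverLoad event, in a fixed order."""
    findings = []
    path = event["ImageLoaded"].lower()
    hashes = parse_hashes(event["Hashes"])
    if hashes.get("SHA256") in BLOCKED_SHA256:
        findings.append("blocklisted_hash")
    # A valid signature is not reassuring on its own: BYOVD abuses drivers that
    # are legitimately signed. Expired, revoked or missing signatures still get a flag.
    if event.get("SignatureStatus") != "Valid":
        findings.append("signature_not_valid")
    if path.startswith(USER_WRITABLE):
        findings.append("user_writable_path")
    elif not path.startswith(SYSTEM_DRIVER_DIRS):
        findings.append("non_standard_path")
    if event.get("Signature") not in EXPECTED_SIGNERS:
        findings.append("unexpected_signer")
    return findings


def rank(events):
    """Score every event and return the suspicious ones, highest score first."""
    ranked = []
    for ev in events:
        findings = triage(ev)
        if findings:
            ranked.append({"path": ev["ImageLoaded"],
                           "score": sum(WEIGHTS[f] for f in findings),
                           "findings": findings})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for item in rank(SAMPLE_EVENTS):
        print(item)
```

The path check is what separates a BYOVD drop from a normal driver install: a signed driver loaded out of a user profile or ProgramData directory is worth a look even when every other field is clean.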
Several threat-actor relationships are reported. Scattered Spider (also tracked as Octo Tempest and UNC3944) was reported to have added RansomHub to its ransomware payloads in 2024, and multiple articles state that Scattered Spider partnered with Russian ransomware gangs including RansomHub. Mandiant reporting describes UNC2165, a financially motivated cluster with overlap to Evil Corp, destroying backups and deploying RansomHub in a 2025 investigation. Separate reporting alleges ties between RansomHub and Evil Corp, though the nature of that relationship is not established in the cited sources.
High-confidence infrastructure and sample indicators directly mentioned in the content include EDRKillShifter samples with SHA-1 hashes BF84712C5314DF2AA851B8D4356EA51A9AD50257 and 77DAF77D9D2A08CC22981C004689B870F74544B5, and infrastructure linked by ESET to a RansomHub-affiliated cluster: 45.32.206[.]169 hosting EDRKillShifter and WKTools, and SystemBC C2 server 45.32.210[.]151.
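Published indicators like the ones above arrive defanged and in mixed case, so matching them against telemetry means normalising both sides. The following is an added example, not code from this page or from ESET: it refangs the two IPs and two SHA-1 hashes listed above and matches them against constructed Zeek conn.log rows and Sysmon-style hash fields. The log rows, internal hosts and the all-zero placeholder hash are constructed. A hit on an IP is a lead rather than a verdict, since hosting addresses get reassigned; confirm with timing and the rest of the session.

```python
# Indicators as the page lists them (defanged with "[.]"); the context strings
# summarise the page's attribution to ESET.
PUBLISHED_IOCS = {
    "ip": {
        "45.32.206[.]169": "hosted EDRKillShifter and WKTools (ESET)",
        "45.32.210[.]151": "SystemBC C2 (ESET)",
    },
    "sha1": {
        "BF84712C5314DF2AA851B8D4356EA51A9AD50257": "EDRKillShifter sample (ESET)",
        "77DAF77D9D2A08CC22981C004689B870F74544B5": "EDRKillShifter sample (ESET)",
    },
}


def refang(value):
    """Undo the common defanging conventions used in published reports."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return value.replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_lookup(iocs):
    """Refang IPs and lower-case hashes so matching is exact and case-insensitive."""
    return {
        "ip": {refang(k): v for k, v in iocs["ip"].items()},
        "sha1": {k.lower(): v for k, v in iocs["sha1"].items()},
    }


LOOKUP = build_lookup(PUBLISHED_IOCS)

# Constructed Zeek conn.log rows (tab-separated: ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto). Not from any real capture.
CONN_LOG = (
    "1736474467.12\tCxyz1\t10.0.0.5\t51234\t45.32.210.151\t443\ttcp\n"
    "1736474470.55\tCxyz2\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\n"
    "1736474480.01\tCxyz3\t10.0.0.9\t51236\t45.32.206.169\t80\ttcp\n"
)

# Constructed Sysmon-style hash fields. Sysmon writes hex in upper case and
# some feeds use lower case, which is why both sides are normalised.
HASH_RECORDS = [
    {"host": "WS22", "image": "C:\\Users\\Public\\loader.exe",
     "hashes": "SHA1=bf84712c5314df2aa851b8d4356ea51a9ad50257"},
    {"host": "WS23", "image": "C:\\Windows\\System32\\notepad.exe",
     "hashes": "SHA1=0000000000000000000000000000000000000000"},
]


def scan_conn_log(text, lookup=LOOKUP):
    """Match originator and responder IPs of each conn.log row against the IP set."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = line.split("\t")[:7]
        for ip in (orig_h, resp_h):
            if ip in lookup["ip"]:
                hits.append({"uid": uid, "ts": ts, "src": orig_h, "dst": resp_h,
                             "dst_port": int(resp_p), "ioc": ip, "context": lookup["ip"][ip]})
    return hits


def scan_hash_records(records, lookup=LOOKUP):
    """Match the SHA1 component of Sysmon-style Hashes fields against the hash set."""
    hits = []
    for rec in records:
        for part in rec["hashes"].split(","):
            algo, _, value = part.partition("=")
            value = value.strip().lower()
            if algo.strip().upper() == "SHA1" and value in lookup["sha1"]:
                hits.append({"host": rec["host"], "image": rec["image"],
                             "ioc": value, "context": lookup["sha1"][value]})
    return hits


if __name__ == "__main__":
    for hit in scan_conn_log(CONN_LOG) + scan_hash_records(HASH_RECORDS):
        print(hit)
```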
Vulnerabilities exploited
Three CVEs correlated with this family across public research and vendor advisories:
An attacker is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ to compromise Linux servers and install malicious software on them... The servers were all vulnerable to CVE-2023-46604, a maximum-severity remote code execution bug in Apache ActiveMQ message broker... After deploying DripDropper... the attacker downloaded... the patch for CVE-2023-46604... and replaced them with the patched versions.
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
Fortinet FortiOS CVE-2024-55591, a zero-day authentication bypass vulnerability disclosed in January 2025, had the highest count of ransomware groups attached to it as the year closed, with six named ransomware families (DragonForce, Hunters International, NightSpire, Qilin, RansomHub, and SuperBlack)...
Groups observed using it
Nine distinct threat actors attributed by public researchers:
New to the top three market share boards were RansomHub and Fog ransomware. RansomHub has been gaining share throughout 2024, despite its alleged ties to Evil Corp.
Since the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including BlackCat/AlphV, Qilin, and RansomHub.
RansomHub, a new RaaS gang that emerged around the time of Operation Cronos... It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight.
Prominent RaaS operations observed in early 2025 included RansomHub (tracked by Unit 42 as Spoiled Scorpius, the most prolific on leak sites Jan-Mar 2025)...
“…CISA flagged RansomHub ransomware, linked to more than 200 attacks since February.”
"RansomHub is revisited with new insights on this ransomware-as-a-service (RaaS) platform... RansomHub is known for employing double extortion attacks, encrypting data using 'Curve25519' encryption."
“There are mixed reports of the relationship between RansomHub and DragonForce…”
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (1 technique)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (2 techniques)
Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (2 techniques)
Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
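For the Run/RunOnce half of this technique (listed under both Persistence and Privilege Escalation above), an offline triage of a registry export is a practical check. The block below is an added example, not from this page: it parses constructed `reg export` output, keeps only string values under keys ending in Run or RunOnce, and ranks entries by weak signals (user-writable path, script or shortcut extension, LOLBin, encoded or hidden PowerShell). The export, paths, the base64 stub and the weights are constructed for the example. The same path and extension checks apply to directory listings of the Startup folders, which the example does not cover.

```python
import re

# Constructed `reg export` output, not from any real host. OneDrive is a
# realistic benign entry; the others are illustrative, and "SQBFAFgA" is an
# arbitrary base64 stub rather than a real payload.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="powershell -w hidden -enc SQBFAFgA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# A .reg string value: "name"="value", with \" and \\ escapes inside either part.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTOSTART_KEY = re.compile(r"\\(run|runonce)$", re.I)

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".lnk", ".hta", ".wsf")
LOLBINS = ("mshta", "rundll32", "regsvr32", "wscript", "cscript")
WEIGHTS = {"user_writable_path": 1, "lolbin": 2, "hidden_window": 2,
           "script_or_shortcut": 3, "encoded_command": 3}


def unescape(s):
    """Resolve .reg escapes: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key, name, command} for string values under Run/RunOnce keys only."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and AUTOSTART_KEY.search(key):
            entries.append({"key": key, "name": unescape(m.group(1)),
                            "command": unescape(m.group(2))})
    return entries


def executable(command):
    """First token of the command: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def findings_for(entry):
    """Weak signals for one autostart entry, in a fixed order."""
    cmd = entry["command"]
    exe = executable(cmd).lower()
    exe_name = exe.rsplit("\\", 1)[-1].split(".")[0]
    f = []
    if exe.startswith(USER_WRITABLE):
        f.append("user_writable_path")
    if exe.endswith(SCRIPT_EXT):
        f.append("script_or_shortcut")
    if exe_name in LOLBINS:
        f.append("lolbin")
    # -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe.
    if re.search(r"powershell(\.exe)?\b.*\s-e(c|nc(odedcommand)?)?\b", cmd, re.I):
        f.append("encoded_command")
    if re.search(r"\s-w(indowstyle)?\s+hidden\b", cmd, re.I):
        f.append("hidden_window")
    return f


def rank_entries(entries):
    """Score entries and return those with at least one finding, highest first."""
    ranked = []
    for e in entries:
        findings = findings_for(e)
        if findings:
            ranked.append({"name": e["name"], "key": e["key"], "command": e["command"],
                           "findings": findings, "score": sum(WEIGHTS[f] for f in findings)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for item in rank_entries(parse_reg_export(REG_EXPORT)):
        print(item["score"], item["name"], item["findings"])
```

A user-profile path on its own scores low on purpose: plenty of legitimate per-user software autostarts from AppData, and the ranking is meant to surface combinations, not to flag every entry.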
Defense Evasion (8 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access (1 technique)
In a RansomHub engagement, affiliates leveraged a compromised Administrator account to execute the ransomware, dump credentials, and run scans using a commercial network scanning tool.
Discovery (5 techniques)
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control (1 technique)
“RansomHub affiliates… deploy encryption tools, often utilizing legitimate administrative utilities to facilitate their malicious activities.”
Exfiltration (3 techniques)
GTIG observed confirmed or suspected data theft in approximately 77% of ransomware intrusions — a steep jump from 57% the year before. Attackers now frequently steal sensitive files before deploying encryption, threatening to post the stolen data publicly on leak sites even if victims manage to restore their systems from backup.
Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques...
resulting in the exfiltration of a significant volume of confidential data... the group ultimately released the stolen data, purportedly amounting to 200 GB, onto the dark web.
Impact (5 techniques)
Bologna FC 1909 S.p.a. has officially confirmed a targeted ransomware attack on its internal security systems
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.
Operators have moved beyond dual-threat encryption-and-theft operations toward systematically denying organizations the ability to recover, targeting identity services, virtualization management planes, and backup infrastructure.
Despite extending the deadline for a ransom payment, the group ultimately released the stolen data
Other (3 techniques)
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
104 sources tracked across advisories, community write-ups, and news.
A ransomware operation that absorbed affiliates from disrupted groups and later lost prominence after going quiet.
A ransomware platform cited as one of the destinations for affiliates after major RaaS takedowns.
Ransomware deployed after initial access activity; used to encrypt systems including Windows and virtual management servers, alongside backup destruction.
A ransomware-as-a-service operation that was significantly weakened or dismantled in 2025.