Introduction

RansomHub, a ransomware-as-a-service (RaaS) operation, emerged in February 2024 and quickly gained notoriety for its sophisticated multi-platform ransomware targeting various operating systems [1] [2] [3] [4] [5] [6]. The group focused on data theft-based extortion [1], attracting high-profile victims and rapidly expanding its influence in the cybercrime landscape.

Description

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in February 2024 [1], quickly gaining notoriety for its sophisticated multi-platform ransomware targeting various operating systems [3], including Windows [5], Linux, FreeBSD, and ESXi [2] [3]. The group has focused on data theft-based extortion rather than traditional data encryption, attracting high-profile victims such as Halliburton, Christie’s, Frontier Communications, and Planned Parenthood [1]. RansomHub’s rapid success was bolstered by its acquisition of the Knight (formerly Cyclops) code and a versatile encryptor [2], as well as its generous payment splits that drew prominent affiliates like Scattered Spider and Evil Corp.

To enhance its operations, RansomHub affiliates have utilized a newly identified backdoor called Betruger, a multi-function tool designed to streamline ransomware activities [1]. Betruger includes capabilities such as keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and file uploads to a command-and-control server, minimizing the need for additional tools during attacks [1]. This evolution in tactics reflects RansomHub’s commitment to increasing the effectiveness of its operations [1].

However, the group’s online infrastructure went offline on April 1, 2025, leading to a significant shift in the ransomware landscape and causing considerable disruption among its affiliates, resulting in what has been described as “affiliate unrest.” This outage prompted many affiliates to migrate to Qilin, a rising competitor in the RaaS market, which has seen a doubling in data leak activity since February [2] [4].

In response to disruptions in the ransomware ecosystem caused by law enforcement actions and exit scams affecting major RaaS players, RansomHub enhanced its extortion model and intensified efforts to recruit affiliates [5]. The group adopted an aggressive affiliate-friendly business model, offering a low commission fee of 10%, which was later increased to 15%, significantly below the industry standard of 20-30% [3]. This strategy attracted affiliates from competing groups like LockBit and ALPHV, particularly those facing increased law enforcement scrutiny [3].

RansomHub’s affiliate panel featured a pricing model based on victim revenue, designed to increase the likelihood of ransom payments [5]. The group emphasized affiliate autonomy in communication and payment collection [3], allowing affiliates full control over victim negotiations and offering additional customization options for ransom notes [5]. To promote these features, representatives actively engaged on RAMP forums, leveraging the instability of competing groups [5].

During its operational period, RansomHub successfully attacked over 200 victims across various sectors, including infrastructure [2] [3], IT, government, healthcare, and financial services [3]. The group employed standard disruption tactics, such as deleting Windows Shadow Copies and virtual machine snapshots, to hinder recovery efforts [5]. As technical differences between ransomware families diminished, factors like affiliate trust, communication flexibility, and perceived reliability became increasingly important for group success [5]. Recent trends indicated that affiliate migration and brand perception were now more influential in RaaS dynamics than malware innovation alone [5].
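The shadow-copy deletion mentioned above (ATT&CK T1490, Inhibit System Recovery) is one of the few RansomHub behaviours on this page that a SOC can detect directly from process-creation telemetry. The following is an added example, not code from the article or from any of the cited sources: it assumes Sysmon or EDR process-creation events have already been normalized into a small `ProcessEvent` record, matches the command line against the well-known shadow-copy deletion patterns, and then escalates any host where more than one distinct deletion technique fires inside a short window, which is the pattern a ransomware deployment typically produces. The pattern names, the `ProcessEvent` and `Alert` types, and all sample events are constructed for this example.

```python
"""Detect Windows Shadow Copy deletion (ATT&CK T1490) in process-creation events.

Added example for illustration; not part of the original article. Event schema,
pattern names and sample data are all constructed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal normalized process-creation record (assumed schema)."""
    ts: datetime
    host: str
    user: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    technique: str
    command_line: str


# Command-line patterns for the common shadow-copy deletion methods.
# Case-insensitive; tolerant of an optional ".exe" and intervening arguments.
SHADOW_COPY_DELETION_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*\.delete\(\)", re.I)),
]


def match_techniques(event: ProcessEvent) -> list[str]:
    """Return the name of every deletion pattern the command line matches."""
    return [name for name, pat in SHADOW_COPY_DELETION_PATTERNS
            if pat.search(event.command_line)]


def detect(events: list[ProcessEvent]) -> list[Alert]:
    """One Alert per (event, matched technique); benign vssadmin use is ignored."""
    return [Alert(ev.ts, ev.host, ev.user, tech, ev.command_line)
            for ev in events for tech in match_techniques(ev)]


def escalate_hosts(alerts: list[Alert],
                   window: timedelta = timedelta(minutes=10),
                   threshold: int = 2) -> list[str]:
    """Hosts on which >= `threshold` distinct techniques fire within `window`."""
    by_host: dict[str, list[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    escalated = []
    for host, hits in by_host.items():
        for i, first in enumerate(hits):
            techs = {a.technique for a in hits[i:] if a.ts - first.ts <= window}
            if len(techs) >= threshold:
                escalated.append(host)
                break
    return sorted(escalated)


# Constructed sample telemetry: a backup service doing legitimate VSS work on
# FS01, a burst of deletion commands on WS17, and a single admin command on DB02.
T0 = datetime(2025, 3, 30, 2, 14, 0)
SAMPLE_EVENTS = [
    ProcessEvent(T0, "FS01", "CORP\\backupsvc", "vssadmin.exe list shadows"),
    ProcessEvent(T0 + timedelta(seconds=30), "FS01", "CORP\\backupsvc",
                 "vssadmin.exe create shadow /for=C:"),
    ProcessEvent(T0 + timedelta(minutes=1), "WS17", "CORP\\jdoe",
                 "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(T0 + timedelta(minutes=2), "WS17", "CORP\\jdoe",
                 "wmic.exe shadowcopy delete"),
    ProcessEvent(T0 + timedelta(minutes=3), "WS17", "CORP\\jdoe",
                 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | '
                 'ForEach-Object { $_.Delete() }"'),
    ProcessEvent(T0 + timedelta(hours=5), "DB02", "CORP\\admin",
                 "vssadmin delete shadows /for=C: /oldest"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts:%H:%M:%S} {a.host:<5} {a.user:<15} {a.technique}")
    print("escalated hosts:", escalate_hosts(found))
```

Running the block prints four alerts (three on WS17, one on DB02) and escalates only WS17, because DB02's single command could plausibly be an administrator pruning old snapshots. The patterns deliberately ignore `vssadmin list` and `vssadmin create`, so backup agents do not generate noise; in production the `window` and `threshold` would be tuned against the environment's own baseline.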

The closure of RansomHub marked a pivotal moment in the cybercrime landscape, highlighting the resilience and adaptability of cybercriminal networks [6]. The ability of affiliates to quickly adapt to new platforms like Qilin demonstrates their sophistication and resourcefulness, complicating law enforcement efforts [6]. Rival group DragonForce has claimed that it is absorbing RansomHub’s affiliates, indicating a shift from traditional RaaS operations, as DragonForce provides infrastructure and tools while allowing affiliates to develop their own brands [2]. Meanwhile, other ransomware actors, such as Anubis and ELENOR-corp, continue to develop new extortion tactics [4] [5] [6]. As these networks become more interconnected, the challenges for authorities increase, necessitating proactive and multifaceted takedown strategies [6]. The shift to Qilin may also lead to more aggressive tactics among cybercriminals, resulting in an increase in ransomware attacks, sophisticated phishing campaigns, and targeting of critical infrastructure [6].

Tracking these developments is crucial for anticipating the behavior of threat actors in a fragmented threat landscape [5], as the evolution of ransomware tactics continues and affiliates refine their approaches to enhance operational security.

Conclusion

The rise and fall of RansomHub underscore the dynamic nature of the cybercrime ecosystem, where adaptability and strategic alliances are key to success. As cybercriminal networks evolve [6], law enforcement and cybersecurity professionals must adopt proactive and multifaceted strategies to counteract these threats. The migration of affiliates to platforms like Qilin and the emergence of new tactics highlight the need for continuous monitoring and adaptation to mitigate the impact of ransomware attacks on critical infrastructure and other sectors.

References

[1] https://izoologic.com/financial-malware/ransomhub-uses-betruger-backdoor-for-ransomware-attacks/
[2] https://clickcontrol.com/cyber-crime/breaking-ransomhub-vanishes-overnight-as-affiliates-rush-to-qilin-amid-dragonforce-takeover-claims/
[3] https://gbhackers.com/researchers-uncovered-ransomhub-operation/
[4] https://thenimblenerd.com/article/ransomhubs-vanishing-act-affiliates-scramble-as-raas-rivalry-heats-up/
[5] https://www.infosecurity-magazine.com/news/ransomhub-refines-extortion/
[6] https://cloudindustryreview.com/ransomhub-shuts-down-affiliates-shift-to-qilin-as-dragonforce-takes-over/