Inside RansomHub: Tactics, Targets, and What It Means for You

RansomHub Ransomware: TTPs, News, & Insights for 2025
Written by Bitsight TRACE
Bitsight's security research team

Ransomware attacks are undeniably on the rise—but just how significant is the increase? According to Bitsight CTI researchers, ransomware attacks (as measured by unique victims listed on leak sites) rose by almost 25% in 2024, and the number of ransomware group leak sites rose by 53%. Ransomware is becoming the go-to tactic for financially driven threat actors seeking quick and substantial payouts. Furthermore, RansomHub has been recognized by security analysts as the most prolific ransomware group currently in operation. However, recent reports have sparked speculation over whether the group may be taking a hiatus from its otherwise lucrative activities. Understanding threat actors—including their target profiles and their tactics, techniques, and procedures (TTPs)—is integral to effectively protecting your assets.

Background

RansomHub was first observed in February 2024 and operates as a Ransomware-as-a-Service (RaaS) platform with a distinctive affiliate payment model.  Unlike traditional ransomware models where the core group controls ransom payments, RansomHub allows its affiliates to manage their own wallets and receive payments directly from victims. Affiliates then remit a 10% commission to the core group. 

While it is difficult to say definitively where the group is based, many of the clues point to it being Russia-based or Russia-friendly. The homepage of its Data Leak Site (DLS) states that it prohibits attacks on “CIS, Cuba, North Korea, and China.” Additionally, in early February 2024, a user by the name of ‘koley’ announced the sale of RansomHub’s RaaS. The announcement was first published on RAMP4u, a Russia-based forum that cybercriminals use to market their services.

The group is widely believed to be a spinoff of the Knight ransomware, which originated from the Cyclops group. Technical analysis shows strong code similarities between the two groups, with RansomHub primarily written in Golang and using Gobfuscate for obfuscation. According to security researchers, RansomHub has also been observed selling exfiltrated victim data on its DLS, which was last seen as active on May 2, 2025. 

Although RansomHub may be newer to the scene, the group has climbed the ranks to become one of the top ransomware groups. Bitsight estimates it carried out 534 attacks in 2024, and the group has quickly gained attention due to the volume of its attacks. Bitsight’s Ransomware Intelligence module tracks over 15,000 Telegram mentions, 315 Pastebin mentions, and 148 Reddit mentions of RansomHub.

RansomHub TTPs

Initial access

For initial access, RansomHub operators have been observed leveraging social engineering attacks — in particular phishing — as well as password spraying attacks and exploitation of CVEs. Password spraying is a type of brute force attack in which the attacker tries a small number of common passwords against many usernames; spreading the attempts across accounts is what lets the attacker avoid the account lockouts that would be triggered by trying many passwords against a single account.

Discovery

Once inside a system, RansomHub operators conduct reconnaissance of the environment, also known as the discovery phase. During this phase, the group leverages several tools, including AngryIPScanner, Nmap, and PowerShell-based living-off-the-land methods.

AngryIPScanner is an open source tool used to scan for live IP addresses and open ports. It identifies devices within a network, including their IP addresses, hostnames, and MAC addresses.

Nmap is another open source tool. It is used to conduct reconnaissance on a network, allowing the user to map hosts, open ports, and the services running on them.

Living off the Land (LotL) is a technique in which an attacker uses tools, software, and functions already present on the victim’s system to avoid detection. PowerShell is a built-in Windows scripting language frequently abused in LotL attacks. Because PowerShell is a legitimate administrative tool integral to Windows, its usage typically does not trigger alerts from many security solutions, enabling attackers to maintain stealth and persistence for extended periods.

CVEs exploited by RansomHub

Lateral movement

Once inside a victim’s environment, RansomHub operators have been observed by security researchers engaging in post-exploitation activities, including the creation of new user accounts, re-enabling previously disabled accounts, and the use of Mimikatz, a well-known credential dumping tool used to harvest credentials at scale.

Persistence

During an attack, RansomHub affiliates have been observed evading detection by renaming malicious executables to normal-sounding file names such as windows.exe.
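Renaming a file on disk does not change the original file name embedded in its PE version resource, which process-creation telemetry such as Sysmon Event ID 1 records as `OriginalFileName` alongside the on-disk `Image` path. The following added example (not code from the post or from Bitsight) checks constructed process-creation records for that mismatch and for OS-sounding names running from outside the Windows directory; the sample records and the name list are assumptions for illustration:

```python
"""Flag renamed or masquerading executables in process-creation telemetry.

Added example, not from the Bitsight post. Assumes Sysmon-style Event ID 1
fields: "Image" (on-disk path) and "OriginalFileName" (taken from the PE
version resource, which survives a rename of the file on disk).
"""
import ntpath

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\windows.exe", "OriginalFileName": "mimikatz.exe"},
    {"Image": r"C:\ProgramData\windows.exe", "OriginalFileName": "windows.exe"},
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
]

# Directory prefixes where OS-sounding binaries are expected to live (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\",)
# Names that imitate the OS; an illustrative list, extend from your own baseline.
OS_LIKE_NAMES = {"windows.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

def classify(event):
    """Return a list of reasons this process looks like a masquerade (empty if clean)."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "").lower()
    reasons = []
    # Rename check: the PE resource still carries the pre-rename file name.
    if orig and orig != name:
        reasons.append(f"renamed: on-disk {name} but PE says {orig}")
    # Location check: OS-like names should not run from user or temp paths.
    if name in OS_LIKE_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"os-like name {name} outside Windows directory")
    return reasons

def find_masquerades(events):
    """Map each suspicious Image path to its list of reasons."""
    return {e["Image"]: classify(e) for e in events if classify(e)}
```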

Once inside a victim’s environment, RansomHub affiliates have been observed deploying Mimikatz to extract login credentials in bulk. Following initial access, the group attempts to escalate privileges, granting them broader control over sensitive systems and data. For lateral movement, RansomHub operators employ a range of remote access and post-exploitation tools, including Remote Desktop Protocol (RDP), AnyDesk, Metasploit, PsExec, N-able, and Cobalt Strike, among other command-and-control (C2) frameworks.

These C2 tools enable threat actors to operate covertly by mimicking legitimate user behavior, maintaining persistence, escalating privileges, and remotely controlling compromised systems. Their use significantly increases the difficulty of detection, allowing attackers to stealthily navigate the network, access valuable assets, and exfiltrate sensitive information.

Exfiltration 

According to the Cybersecurity and Infrastructure Security Agency (CISA), the RansomHub ransomware-as-a-service (RaaS) platform does not provide built-in mechanisms for data exfiltration. As a result, affiliates are responsible for determining and executing their own methods for extracting sensitive data from victim environments. Security researchers have observed threat actors leveraging the RansomHub RaaS platform to exfiltrate data using a variety of tools and techniques, including:

  • PuTTY 
  • Amazon AWS S3 buckets/tools 
  • HTTP POST requests 
  • WinSCP and Rclone 
  • Post-exploitation frameworks: Cobalt Strike and Metasploit

These techniques highlight the flexibility RansomHub affiliates have in choosing their own data exfiltration paths, given the RaaS model does not provide a built-in exfiltration component.

Once data has been successfully encrypted and exfiltrated, victims will find a ransom note on their systems. Below is a sample ransom note from RansomHub operators:

Hello!

Visit our Blog:

    Tor Browser Links:

        http://redacted/

    Links for normal browser:

        http://redacted/

>>> Your data is stolen and encrypted.

If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

>>> If you have an external or cloud backup; what happens if you don’t agree with us?

All countries have their own PDPL (Personal Data Protection Law) regulations. In the event that you do not agree with us, information pertaining to your companies and the data of your company’s customers will be published on the internet, and the respective country’s personal data usage authority will be informed. Moreover, confidential data related to your company will be shared with potential competitors through email and social media. You can be sure that you will incur damages far exceeding the amount we are requesting from you should you decide not to agree with us.

>>> How to contact with us?

- Install and run 'Tor Browser' from https://www.torproject.org/download/
- Go to http://redacted/
- Log in using the Client ID: [snip]

>>> WARNING

DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.

Targeting 

While RansomHub affiliates appear to be primarily financially motivated and non-discriminatory in their targeting, Bitsight has identified the top targeted sectors as Manufacturing; Healthcare and Social Assistance; Professional, Scientific, and Technical Services; Construction; and Retail. The group’s operations are global in scope, with primary targets located in the United States, United Kingdom, Brazil, Italy, and Germany.

Notable RansomHub Attacks

On February 21, 2024, RansomHub affiliates launched an attack on Change Healthcare just weeks after the company was previously targeted by the ALPHV/BlackCat group. In this new incident, RansomHub affiliates claimed to have stolen 4 terabytes of sensitive data from Change Healthcare and demanded an extortion payment. The group threatened to sell the data to the highest bidder if the payment wasn’t made within 12 days.

The stolen data includes sensitive personal information, such as that of US military personnel, as well as medical records, financial information, and more. 

This latest attack follows a $22 million ransom payment made by Change Healthcare to the BlackCat group, aimed at preventing a data leak and restoring their systems. However, a BlackCat affiliate, who allegedly stole the data, has since claimed they were cheated out of their share of the ransom. It is believed that this recent ransom demand from RansomHub affiliates may be tied to the affiliate’s efforts to recoup their lost profit.

In response to the incident, UnitedHealth Group, the parent company of Change Healthcare, has provided temporary financial assistance totaling $4.7 billion to healthcare providers affected by the breach. Ongoing investigations and negotiations between the involved parties are still in progress, with the situation remaining complex.

Where are they now?

Dark Reading reports that RansomHub appears to have halted its operations, though it remains unclear whether this is a temporary pause or a permanent cessation. On April 1, 2025, security researchers observed that RansomHub’s client communication portal had gone offline. The portal was frequently used to negotiate ransom demands with victims. Speculation suggests a dispute may have arisen between RansomHub’s core members and its affiliates. Some researchers believe certain members may have defected to Qilin, another well-known RaaS group. However, no clear explanation has been provided for the abrupt halt in RansomHub’s operations.

Mitigation Strategies

Ransomware continues to be one of the most devastating types of cyberattacks, capable of locking systems, halting operations, and causing severe financial and reputational damage. Protecting against it requires a multi-layered defense strategy focused on prevention, detection, and response.

1. Strengthen credential security

  • Use strong, unique passwords for each account—ideally, at least 12–16 characters with a mix of letters, numbers, and symbols.
  • Implement multi-factor authentication (MFA) across all systems, especially for email, VPNs, and administrative accounts. MFA significantly reduces the risk from leaked or stolen credentials.
  • Monitor for leaked credentials: Bitsight offers Cyber Threat Intelligence solutions to help protect you and your company from threats. We proactively scan the deep, dark, and clear web for stolen credentials, collecting 13.2B credentials with 1.23B unique URL-credential pairs in 2024.

2. Patch and update systems regularly

  • Keep operating systems, software, and firmware up to date. Many ransomware campaigns exploit known vulnerabilities. 
  • Bitsight and Cybersixgill leverage our proprietary Dynamic Vulnerability Exploit (DVE) scoring system to assess and prioritize vulnerabilities based on their likelihood of exploitation in real-world attack scenarios. The system integrates threat intelligence feeds, historical exploit data, and real-time attack trends to dynamically adjust vulnerability risk scores. This allows organizations to focus their remediation efforts on high-risk vulnerabilities that are actively being targeted by threat actors, enabling more effective allocation of resources and a proactive defense against potential exploits. By continuously updating the DVE scores as new intelligence and exploit techniques emerge, this system helps security teams stay ahead of evolving threats and reduce their attack surface.

3. Use endpoint protection and EDR

  • Deploy Endpoint Detection and Response (EDR) tools that offer real-time detection and containment of suspicious activity.

4. Maintain secure backups

  • Keep regular, encrypted backups of critical data—stored offline or in immutable cloud storage.
  • Test backup restoration procedures regularly. Backups must be isolated from your network so they can’t be encrypted by attackers.

5. Train employees and simulate phishing

  • Conduct security awareness training to help employees spot phishing emails, social engineering, and suspicious behavior.
  • Run phishing simulations to identify weak points in your human firewall.

6. Implement network segmentation and least privilege

  • Use network segmentation to limit lateral movement if an attacker gains access.
  • Apply least privilege access—users should only have access to the data and systems necessary for their job.

7. Monitor and detect

  • Use a Security Information and Event Management (SIEM) platform to monitor for anomalies.
  • Threat intelligence can provide early warning of threats targeting your industry or assets.

8. Prepare for incident response

  • Develop and routinely test an incident response plan specific to ransomware scenarios.
  • Ensure legal, PR, and executive leadership are part of the plan—ransomware is a business crisis, not just an IT issue.

Ransomware attacks up 25%. Data breaches up 43%. Compromised credentials in the billions. Bitsight’s 2025 deep web intelligence shows how cybercriminals are multiplying, diversifying—and getting smarter. AI’s not just a tool for attackers anymore. Learn how defenders can finally catch up and get ahead.