RansomHub (RaaS) — Threat Analysis & Playbook Prepared by CyberDudeBivash Threat Intelligence

Executive summary

RansomHub is a ransomware-as-a-service (RaaS) program active since February 2024. It offers lockers for Windows, Linux, ESXi, and FreeBSD and recruits affiliates with an unusually affiliate-friendly model: affiliates collect ransom payments into wallets they control and forward a 10% cut to the core operators. The operation, which shares code and panel features with Knight (formerly Cyclops), surged through 2024–25 with hundreds of posted victims across healthcare, manufacturing, IT services, and other sectors. As of Aug 31, 2025, multiple sources describe a cartel-style merger/takeover by DragonForce and a resulting pause or rebranding of RansomHub's own leak site, but its TTPs and tooling remain in active use by affiliates across the ecosystem. [Sources: MITRE ATT&CK, CISA, Bitsight, Trend Micro]


Who/what is RansomHub (status + traits)

  • Platform support: lockers for Windows, Linux, ESXi, and FreeBSD, written in Go with obfuscation; features include rebooting into Safe Mode before encrypting, event-log wiping, Volume Shadow Copy deletion, a configurable skip list of hosts, and intermittent encryption (skipping chunks of each file) so the locker finishes faster. [Source: MITRE ATT&CK]

  • Lineage: credible code and affiliate-panel overlaps with Knight (formerly Cyclops). [Sources: MITRE ATT&CK, Trend Micro]

  • Scale: public estimates vary widely (e.g., at least 210 victims by August 2024 per CISA, roughly 534 attacks in 2024, and hundreds more into 2025), reflecting differences in telemetry and counting methods. [Sources: CISA, Bitsight]

  • Rules and targeting: affiliates are barred from hitting CIS countries, China, Cuba, and North Korea, and from re-attacking victims who have already paid; in practice the group favours big-game hunting of large, mostly US-based enterprises. [Source: Trend Micro]

  • Business model: affiliates are paid directly into wallets they control and remit 10% to the core; the advertised 90% affiliate share is the recruiting pitch used to lure experienced operators away from rival programs. [Sources: Bitsight, Darktrace]

  • 2025 landscape: reporting describes a DragonForce "takeover" or cartel arrangement in spring 2025; campaigns and affiliates appear to have migrated or rebranded, fuelling rivalry between groups and the possibility of the same victim being extorted by more than one brand. [Sources: Trend Micro, Tom's Hardware]


Notable incidents (context)

  • Change Healthcare: after ALPHV/BlackCat took the payment and shut down, RansomHub claimed to hold the stolen data and attempted a second round of extortion and data-sale threats; the case is emblematic of affiliate disputes and re-extortion. [Sources: WIRED, Forescout]

  • Christie's (2024): leak-site claims and proof-of-data samples illustrated the group's name-and-shame playbook. [Sources: The Record, The Guardian]


Attack chain (MITRE ATT&CK mapping + specifics)

1) Initial access — TA0001

  • Vectors: phishing and spear-phishing (including voice-phishing calls to obtain credential or MFA resets), password spraying, use of valid accounts, and exploitation of public-facing applications. [Sources: CISA, Trend Micro]

  • Common CVEs exploited (examples): Citrix NetScaler CVE-2023-3519, FortiOS SSL-VPN CVE-2023-27997, Apache ActiveMQ CVE-2023-46604, Atlassian Confluence CVE-2023-22515, F5 BIG-IP CVE-2023-46747, FortiClient EMS CVE-2023-48788, SMBv1 EternalBlue CVE-2017-0144, and Netlogon Zerologon CVE-2020-1472. [Sources: CISA, Bitsight]

2) Discovery/Lateral movement — TA0007/TA0008

  • Tools observed across campaigns: Angry IP Scanner, Nmap, nbtscan, PowerShell, RDP, SMB, AnyDesk, Splashtop, PsExec, and Cobalt Strike or Sliver beacons; creation of new accounts that are then added to local administrator groups; proxy and SOCKS tunnelling. [Sources: Bitsight, Trend Micro, Darktrace]

3) Exfiltration — TA0010

  • Affiliate-chosen methods (the core does not bundle an exfiltration module): WinSCP, Rclone, MEGA or plain HTTP POST, SFTP, and cloud storage buckets; SSH to infrastructure tied to specific affiliates (e.g., ShadowSyndicate). [Sources: Bitsight, Darktrace]

4) Impact/Encryption — TA0040 (T1486)

  • Notes and file patterns: ransom notes named README_[A-Za-z0-9]{6}.txt; encrypted files given a six-character extension matching .[A-Za-z0-9]{6}; leak-site threats with deadlines of 3–90 days; Safe Mode reboot, VSS deletion, service and process termination, and event-log clearing before or during encryption. [Sources: Darktrace, CISA, MITRE ATT&CK]


Artifacts & IOCs (examples you can hunt today)

  • Ransom note: README_[A-Za-z0-9]{6}.txt, with encrypted files carrying a six-character alphanumeric extension. [Source: Darktrace]

  • TTP hallmarks: vssadmin delete shadows, a reboot into Safe Mode before encryption, wevtutil cl to clear event logs, and targeting of network shares over SMB. [Source: MITRE ATT&CK]

  • Exfil indicators: rclone and WinSCP execution, large outbound SSH bursts, and MEGA client user-agents. [Sources: Darktrace, Trend Micro]
    (Treat atomic IOCs as short-lived; focus on the behaviours above.)
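The note/extension regex above is easy to paste into a SIEM, but on its own README_[A-Za-z0-9]{6}.txt also matches ordinary files such as README_CHANGE.txt. The hunt below is an added example (not from the advisory or any vendor tool) that applies the two patterns to a file inventory and only raises confidence when a host also shows a cluster of files sharing one random six-character extension. It assumes a flat export of (host, path) pairs such as an EDR file listing; the inventory rows are constructed, and the benign-extension list is a placeholder you would tune for your estate.

```python
import re
from collections import Counter, defaultdict

# Patterns from the advisory: README_<6 alphanumerics>.txt and a 6-char extension.
NOTE_RE = re.compile(r"^README_([A-Za-z0-9]{6})\.txt$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{6})$")

# Six-character extensions that are legitimate in most estates (assumed list; extend for yours).
BENIGN_EXTS = {"sqlite", "config", "jsonld", "pyproj", "xcconf", "webarc"}


def hunt(inventory, min_cluster=20):
    """Return {host: finding} for hosts that show the ransom-note name pattern
    and/or a cluster of >= min_cluster files sharing one six-character extension.

    inventory: iterable of (host, full_path) tuples, e.g. an EDR file-listing export.
    """
    note_tokens = defaultdict(set)      # host -> random tokens seen in README_xxxxxx.txt
    ext_counts = defaultdict(Counter)   # host -> Counter of six-char extensions
    for host, path in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = NOTE_RE.match(name)
        if m:
            note_tokens[host].add(m.group(1))
            continue
        m = EXT_RE.search(name)
        if m and m.group(1).lower() not in BENIGN_EXTS:
            ext_counts[host][m.group(1)] += 1

    findings = {}
    for host in set(note_tokens) | set(ext_counts):
        clusters = {e: n for e, n in ext_counts[host].items() if n >= min_cluster}
        tokens = note_tokens.get(host, set())
        if not tokens and not clusters:
            continue  # a few odd extensions with no note is normal noise
        if tokens and clusters:
            confidence = "high"
        elif clusters:
            confidence = "medium"   # mass rename but no note found (yet)
        else:
            confidence = "low"      # a lone README_xxxxxx.txt; may be a benign file
        findings[host] = {
            "confidence": confidence,
            "note_tokens": sorted(tokens),
            "ext_clusters": clusters,
            # Note token and extension are reported to coincide in samples; treat a
            # match as corroboration rather than a requirement (assumption).
            "token_matches_ext": bool(tokens & set(clusters)),
        }
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_INVENTORY = (
    [("FS01", r"D:\Shares\Finance\README_k3x9Qa.txt")]
    + [("FS01", r"D:\Shares\Finance\q%d.xlsx.k3x9Qa" % i) for i in range(25)]
    + [("WS07", r"C:\Users\amy\Documents\README_CHANGE.txt"),   # legitimate file, regex hit
       ("WS07", r"C:\Users\amy\Documents\notes.txt"),
       ("DB02", r"E:\dumps\prod.sqlite"),
       ("DB02", r"E:\dumps\app.config")]
)

if __name__ == "__main__":
    for host, finding in sorted(hunt(SAMPLE_INVENTORY).items()):
        print(host, finding)
```

Run it against a real export and start with the "high" hosts; "medium" hosts are where an encryptor may be mid-run and the note has not landed in the listed directories yet, and "low" hits are usually worth a quick glance and nothing more.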


Detection & hunting quick wins (defender-friendly)

Windows (EDR/SIEM)

  • Alert on Safe Mode changes + shadow copy deletion:
    Process = vssadmin.exe delete shadows OR wmic.exe shadowcopy delete, followed within minutes by service stops and high-volume file renames. [Source: MITRE ATT&CK]

  • Log wiping: wevtutil cl Security|System|Application followed by encryption spikes. [Source: MITRE ATT&CK]

  • RDP/RMM abuse: rare AnyDesk/Splashtop installs, new local admin creation, and inbound RDP (TCP 3389) from ASNs not seen before. [Sources: Trend Micro, Darktrace]

Linux/ESXi

  • Watch for ESXi SSH being enabled or reset, mass VM power-offs, and simultaneous SFTP/SCP pushes of an encryptor to multiple hosts. [Source: Trend Micro]

Network

  • C2 framework beacons (Cobalt Strike/Sliver) plus bulk SSH egress; cloud-storage destinations (MEGA/S3) from hosts that do not normally talk to them. [Sources: Darktrace, Bitsight]
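The Windows quick wins above are sequences, not single events: one shadow-copy deletion or one cleared log is something an administrator does, but several of these within a short window on the same host is the locker's pre-flight. The following is an added example (not from the advisory or any vendor product) of that correlation over process-creation events, assuming Sysmon Event ID 1 or EDR telemetry already normalised to dicts with host, ts and cmdline. The command-line patterns, the 30-minute window and the two-behaviour threshold are assumptions to tune; the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line signatures for the pre-encryption behaviours listed above.
# Exact strings vary by sample; treat these as starting points (assumption).
RULES = {
    "shadow_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "safe_mode": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "log_clear": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I),
    "admin_add": re.compile(
        r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
}
WINDOW = timedelta(minutes=30)   # how close the behaviours must be to correlate


def classify(cmdline):
    """Return the list of rule names whose pattern matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, min_categories=2):
    """Group rule hits per host and alert when >= min_categories distinct
    behaviours fall inside one WINDOW. Each event is a dict with
    'host', 'ts' (ISO-8601 string) and 'cmdline'."""
    hits = defaultdict(list)
    for ev in events:
        for cat in classify(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))

    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            # Slide a window forward from each hit; the first window that holds
            # enough distinct behaviours produces the alert for this host.
            in_window = [(t, c) for t, c in seq[i:] if t - t0 <= WINDOW]
            cats = sorted({c for _, c in in_window})
            if len(cats) >= min_categories:
                alerts[host] = {"categories": cats,
                                "first": t0.isoformat(),
                                "last": in_window[-1][0].isoformat()}
                break
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "SRV-FILE01", "ts": "2025-08-30T10:00:12",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV-FILE01", "ts": "2025-08-30T10:02:40",
     "cmdline": r"bcdedit /set {default} safeboot network"},
    {"host": "SRV-FILE01", "ts": "2025-08-30T10:05:03",
     "cmdline": r"wevtutil.exe cl Security"},
    {"host": "SRV-FILE01", "ts": "2025-08-30T10:05:10",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # An admin clearing one log, and a legitimate group change five hours later:
    {"host": "WS-ADMIN02", "ts": "2025-08-30T09:00:00",
     "cmdline": r"wevtutil cl Application"},
    {"host": "WS-ADMIN02", "ts": "2025-08-30T14:00:00",
     "cmdline": r"net localgroup administrators svc_backup /add"},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

SRV-FILE01 trips the alert because three distinct behaviours land within five minutes; WS-ADMIN02 does not, because its two single hits are hours apart. The same shape ports directly to a SIEM correlation rule: match the four command-line patterns, group by host, and require two or more distinct match types within the window.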


Mitigation priorities (what really moves risk)

  1. Patch the edge first (the CVE set above, plus VPNs, NetScaler, ESXi, Confluence, and F5) and disable SMBv1. [Source: CISA]

  2. MFA everywhere, especially on remote access; block RMM and tunnelling tools by default and allowlist only business-approved ones. [Source: Varonis]

  3. Hardening and monitoring: alert on every admin account creation; PowerShell Constrained Language Mode; write-once (immutable) log storage; audit share access. [Source: CISA]

  4. Backups: offline or immutable, replicated to a separate tenant, and restore-tested; assume leak-site exposure regardless of payment. [Source: CISA]

  5. Tabletop exercises for double/triple extortion (legal, comms, sector regulators); pre-draft breach notifications. (Change Healthcare is the cautionary case.) [Source: WIRED]


Negotiation & extortion style (what to expect)

  • Initial notes often omit a demand; victims receive a client ID and a Tor URL; timers run 3–90 days; pressure tactics include threats to report the victim to regulators and to contact competitors. Affiliates control communications and wallets, so tone and demands vary. Law enforcement discourages payment, and paying guarantees neither deletion of the data nor a working decryptor. [Sources: CISA, Bitsight]


Risk to your business (2024–25)

  • RansomHub became one of the most prolific RaaS operations of 2024, with hundreds of posted victims; healthcare and manufacturing consistently rank among the most-hit sectors across datasets. Costs extend far beyond the ransom: downtime, regulatory penalties, cyber-insurance friction, and post-breach audits. [Sources: Bitsight, Trend Micro]


Fast response playbook (print-ready)

  1. Contain: isolate suspected endpoints/VMs; block RDP/SSH from rare ASNs; cut access for newly created admins.

  2. Preserve: snapshot evidence before wiping (memory, disks, firewall/EDR/CloudTrail/Entra logs); capture traffic to suspected exfiltration destinations.

  3. Hunt: search for the note/extension regex; vssadmin, wevtutil, and service kills; AnyDesk/Splashtop installs; rclone/WinSCP activity.

  4. Eradicate: remove footholds (new users/services/GPOs); rotate creds; re-image ESXi and domain controllers if needed.

  5. Recover: restore from offline immutable backups; staged bring-up with extra egress controls.

  6. Report and notify: regulators (HIPAA/GDPR as applicable); engage legal and PR; share indicators with ISACs. [Source: CISA]


Sources / further reading

  • CISA #StopRansomware: RansomHub (IOCs, ATT&CK mapping, CVEs, mitigations).

  • MITRE ATT&CK S1212 RansomHub (features, techniques).

  • Bitsight (2025): affiliate wallet model, victim counts, toolset overview.

  • Darktrace (2025): ShadowSyndicate affiliate operations; 90% affiliate payout; note/extension patterns; SSH/MEGA exfiltration.

  • Trend Micro (2024–25): infection chains, ESXi scripts, tooling (NodeStealer/XWorm/RClone/AMSI bypass), DragonForce takeover timeline.

  • WIRED, The Record, and The Guardian: Change Healthcare and Christie's reporting for context on impacts and leak-site pressure.


CTA (CyberDudeBivash services)

Need a 2-hour tabletop or rapid patch-prioritization for the CVEs above? We’ll run it and deliver a custom MITRE-mapped detection pack for your SIEM/XDR.
cyberdudebivash.com | cyberbivash.blogspot.com


#CyberDudeBivash #RansomHub #RaaS #Ransomware #ThreatIntel #MITREATTACK #CISA #ZeroTrust #HealthcareSecurity #ESXi #DFIR #XDR #DataExfiltration #DoubleExtortion #IncidentResponse
