RansomHub
RansomHub dominated the ransomware landscape from its emergence in February 2024 through early 2025. It absorbed affiliates displaced by the law-enforcement takedown of LockBit and by the BlackCat/ALPHV exit scam, offered the highest affiliate revenue split in the ecosystem, passed 210 confirmed victims within six months of launch, and closed 2024 with 547 confirmed victims for the year. On April 1, 2025, its infrastructure went offline without explanation. Affiliates were left mid-negotiation with no contact point, and the group has not returned in its original form. The collapse triggered one of the largest affiliate migrations in ransomware history, with the majority moving to Qilin.
Overview
RansomHub's lineage is confirmed by CISA: it is a rebrand of Knight ransomware, itself a rebrand of Cyclops, which first appeared around May 2023. The Cyclops-to-Knight rebrand came in July 2023, when the operators announced version 2.0. Roughly seven months later Knight became RansomHub, arriving in February 2024 at precisely the moment the ecosystem needed a new dominant platform. LockBit had just been disrupted by Operation Cronos (February 19, 2024), and in early March BlackCat/ALPHV collapsed in an exit scam, keeping the $22 million Change Healthcare ransom rather than paying its own affiliate. RansomHub stepped into the vacuum immediately, publicly recruiting the displaced affiliates with an aggressive value proposition.
The business model was RansomHub's defining competitive advantage. Where the industry standard was a 70/30 or 80/20 affiliate split (affiliates keeping 70–80%), RansomHub offered up to 90% — the highest payout in the ecosystem. Affiliates collected ransom payments directly from victims before passing the core group's cut, which eliminated the trust issue that had destroyed BlackCat (operators absconding with ransom proceeds). High-profile affiliates including Scattered Spider — known for sophisticated social engineering against major enterprises — and assessed Evil Corp members joined the platform, immediately elevating the technical sophistication of RansomHub operations beyond what most new RaaS platforms could achieve.
The encryptor itself, a Go-based multi-platform tool supporting Windows, Linux, ESXi, FreeBSD, and NAS devices, was technically competent. It used Curve25519 key exchange to protect per-victim key material (ChaCha20 handled the file contents), and it excluded CIS countries from targeting at the code level, consistent with Russian-speaking criminal norms. The ransom note stated no amount: victims contacted RansomHub via a Tor .onion URL using a provided client ID, with a deadline of 3 to 90 days (set by the affiliate) before data publication.
By August 2024 — just six months after launch — CISA, the FBI, HHS, and MS-ISAC had issued a joint advisory naming RansomHub as a critical threat across eleven critical infrastructure sectors. This pace of FBI advisory issuance is unusual for such a new operation and reflects how rapidly RansomHub's impact had escalated. For all of 2024, RansomHub alternated with LockBit for the top position by victim count, and for much of the year held the #1 spot outright.
The April 1, 2025 collapse remains only partially explained. Several dynamics converged. DragonForce had been aggressively targeting rival RaaS operations as part of its cartel strategy, taking over BlackLock in March 2025. On April 1, RansomHub's affiliate chat portals, negotiation infrastructure, and data leak site went offline at the same time. DragonForce posted on RAMP claiming RansomHub had "decided to move to our infrastructure." RansomHub spokesperson "koley" reappeared in late April accusing DragonForce of sabotage, alleging insider betrayal, and claiming DragonForce had FSB contacts, accusations DragonForce denied. Koley also demanded that remaining affiliates transfer 1 BTC to a dedicated cryptocurrency address to demonstrate loyalty, a move widely read as desperation rather than operational recovery. Both sides defaced each other's sites in the following weeks. In early April 2025 an actor named "Rjun" posted on the XSS underground forum claiming the Russian Ministry of Internal Affairs had thwarted RansomHub's attempted resurgence, attributing the intervention either to an attack on critical infrastructure within CIS countries or to an internal leak that compromised operational information. The claim is unconfirmed, but it is consistent with what followed: koley has been inactive on RAMP since April 2025.
What is confirmed: RansomHub did not return, and its affiliates did not stop operating. Most scattered to Qilin, whose monthly victim disclosures nearly doubled in Q2 2025, from an average of roughly 35 per month before the collapse to nearly 70, and whose attack claims jumped roughly 280% between late April and October 2025 (Comparitech). Scattered Spider, one of RansomHub's most capable affiliated groups and known for defeating MFA through helpdesk vishing at major enterprises, is confirmed to have moved to Qilin and continued operations against airlines and insurers through mid-2025. DragonForce's claimed victim count roughly tripled, reaching 56 in Q3 2025. Former RansomHub affiliates also formed new brands: VanHelsing ransomware was created by former RansomHub affiliates, and RansomBay, a white-label brand running on DragonForce infrastructure, emerged from the same displacement. In September 2025 LockBit returned with version 5.0, further reshaping the post-RansomHub ecosystem. The TTPs documented in the CISA advisory remain relevant because the people who developed and used them are still active, just under different banners.
Target Profile
RansomHub targeted across a remarkably wide range of critical infrastructure sectors — eleven in total, per the CISA advisory — with no strong sector specialization. This breadth reflected the affiliate model: different affiliates brought different access and industry knowledge, resulting in a diverse victim portfolio rather than concentrated sector campaigns.
- Healthcare and Public Health: Consistently the most newsworthy target category. RansomHub's involvement in the Change Healthcare data re-extortion, the Rite Aid attack, the Florida Department of Health breach, and the Planned Parenthood of Montana breach collectively made RansomHub the defining ransomware threat to US healthcare in 2024. The group's willingness to publish stolen reproductive healthcare data — including patient records from Planned Parenthood — demonstrated a willingness to cause individual-level harm beyond financial extortion.
- Water and Wastewater: One of the few RaaS operations to explicitly hit water utilities — a sector that the US government has repeatedly flagged as dangerously underprotected. These attacks carry the potential for public health consequences beyond financial and operational disruption.
- Government Services and Facilities: Federal, state, and local government entities appeared across the victim list, consistent with RansomHub's broad affiliate base drawing on varied initial access opportunities. Government victims face public accountability pressure that heightens the payment incentive.
- Financial Services, Critical Manufacturing and other high-revenue sectors: Organizations with large revenue bases were preferred because they can support large ransom demands. Christie's (art market) and Halliburton (oilfield services) show the group's willingness to hit globally recognized brands outside any single sector.
- Telecommunications: Frontier Communications — the fourth-largest US high-speed internet provider serving 25 states — was among confirmed victims in H1 2024, demonstrating the group's reach into communications infrastructure.
Tactics, Techniques & Procedures
TTPs sourced from CISA/FBI/HHS/MS-ISAC joint advisory AA24-242A (August 29, 2024) and third-party field reporting. Because RansomHub operated as an affiliate model, specific TTPs varied by affiliate — the below represents the documented RansomHub affiliate playbook. Scattered Spider affiliates in particular brought sophisticated vishing and social engineering capabilities not typical of the broader affiliate base.
| mitre id | technique | description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Documented exploitation of known CVEs in internet-facing products for initial access, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997) and FortiClient EMS (CVE-2023-48788), alongside much older Windows bugs such as Zerologon (CVE-2020-1472) and EternalBlue (CVE-2017-0144). Affiliates favored widely known vulnerabilities with public exploit code rather than zero-days; several of the listed CVEs were years old when used. |
| T1078 | Valid Accounts | Compromised credentials used via VPN, RDP, and cloud portals for initial access. Scattered Spider affiliates obtained credentials through sophisticated vishing — impersonating IT helpdesk staff to convince employees to provide MFA codes or reset credentials. |
| T1566 | Phishing | Spear-phishing emails with malicious attachments or credential-harvesting links used for initial access by some affiliates. Scattered Spider-attributed operations used highly targeted phishing and vishing combinations that successfully bypassed MFA at multiple major enterprises. |
| T1059.001 | PowerShell | Extensive PowerShell use for discovery, lateral movement preparation, and payload staging. CISA advisory documents PowerShell-based network and domain reconnaissance as a consistent post-access behavior across RansomHub affiliate incidents. |
| T1197 | BITS Jobs | Background Intelligent Transfer Service (BITS) used to perform asynchronous file transfers for payload delivery and data staging. BITS is a native Windows mechanism that blends with legitimate OS activity and is not flagged by many endpoint security tools. |
| T1021.001 | Remote Services: RDP | RDP used throughout post-access phases for lateral movement and interactive access to additional systems. Combined with valid domain credentials obtained from initial access, RDP activity blends with legitimate administrator behavior. |
| T1484 | Domain Policy Modification | Group Policy Objects (GPOs) modified to disable security tools, deploy payloads, and configure environment settings across all domain-joined machines simultaneously — enabling mass encryption deployment at scale from a single action. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Antivirus and EDR software disabled using legitimate administrative privileges or GPO modification. The Betruger backdoor — documented in early 2025 RansomHub affiliate operations — consolidated multiple pre-encryption functions (credential theft, screenshot capture, keylogging, network scanning) into a single custom payload, reducing the tool footprint and detection surface compared to using Mimikatz, Cobalt Strike, and dedicated scanners separately. |
| T1041 | Exfiltration Over C2 Channel | Data exfiltrated before encryption as part of the double extortion model. Documented exfiltration tools include RClone and WinSCP. Data exfiltration methods varied by affiliate; the ransom note explicitly threatened data publication on the RansomHub Tor DLS within the affiliate-set deadline. |
| T1486 | Data Encrypted for Impact | Curve25519 key exchange protects per-victim key material; file contents are encrypted with ChaCha20. Multi-platform: Windows, Linux, ESXi, FreeBSD, and NAS variants. Each file has 58 bytes of key material appended. Files under 1 MB are encrypted in full; larger files are partially (intermittently) encrypted for speed. Processes and services are terminated before encryption to release file locks. CIS country exclusion is hard-coded. |
| T1490 | Inhibit System Recovery | Volume Shadow Copies deleted. Backup infrastructure targeted for credential extraction and destruction before encryption — preventing recovery via traditional backup paths. ESXi snapshot deletion documented in larger enterprise attacks. |
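The T1486 row above describes the encryptor's partial-encryption behaviour. The following model, added here as an illustration and not code from RansomHub or from the advisory, computes which byte ranges such a scheme overwrites for a given file size and shows what a responder can still carve from a large file. The page gives the 1 MB full-encryption threshold, the 0x200000 stride and the 58-byte trailer; the length of each encrypted piece (CHUNK) is an assumption, and the byte transform is an XOR stand-in rather than the ChaCha20 keystream a real encryptor would use.

```python
"""Coverage model for an intermittent file encryptor (added example, not RansomHub code).

From the page: files up to 1 MB are encrypted in full, larger files are
encrypted in pieces on a 0x200000-byte stride, and 58 bytes of key material
are appended. The length of each encrypted piece is NOT stated on the page;
CHUNK below is an ASSUMED value for illustration only.
"""
from typing import List, Tuple

FULL_ENCRYPT_LIMIT = 1 << 20   # files at or below 1 MiB are encrypted in full (from the page)
STRIDE = 0x200000              # one encrypted piece every 2 MiB (from the page)
CHUNK = 0x10000                # ASSUMED: 64 KiB encrypted per stride; not stated on the page
TRAILER = 58                   # bytes of key material appended to each file (from the page)
_INVERT = bytes(255 - i for i in range(256))   # XOR-0xFF table, stand-in for a cipher keystream


def encrypted_ranges(size: int, chunk: int = CHUNK, stride: int = STRIDE) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) the encryptor overwrites for a file of `size` bytes."""
    if size <= FULL_ENCRYPT_LIMIT:
        return [(0, size)] if size else []
    ranges, offset = [], 0
    while offset < size:
        ranges.append((offset, min(offset + chunk, size)))
        offset += stride
    return ranges


def plaintext_ranges(size: int, chunk: int = CHUNK, stride: int = STRIDE) -> List[Tuple[int, int]]:
    """Complement of encrypted_ranges(): regions a responder can still carve as cleartext."""
    gaps, cursor = [], 0
    for start, end in encrypted_ranges(size, chunk, stride):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def encrypted_fraction(size: int, chunk: int = CHUNK, stride: int = STRIDE) -> float:
    """Share of the file's bytes that are actually overwritten."""
    if size == 0:
        return 0.0
    return sum(e - s for s, e in encrypted_ranges(size, chunk, stride)) / size


def original_size(encrypted_file_size: int) -> int:
    """An encrypted file on disk is the original plus the appended key trailer."""
    return encrypted_file_size - TRAILER


def apply_pattern(data: bytes, chunk: int = CHUNK, stride: int = STRIDE) -> bytes:
    """Emulate the on-disk effect: overwrite the selected ranges, append a trailer.

    The transform is XOR 0xFF as a stand-in for the cipher; the trailer is
    zero filler, not real key material.
    """
    out = bytearray(data)
    for start, end in encrypted_ranges(len(data), chunk, stride):
        out[start:end] = out[start:end].translate(_INVERT)
    out += b"\x00" * TRAILER
    return bytes(out)


if __name__ == "__main__":
    for size in (512 * 1024, 100 * 1024 * 1024, 10 * 1024 ** 3):
        print(f"{size:>12} bytes -> {encrypted_fraction(size):.2%} encrypted, "
              f"{len(encrypted_ranges(size))} pieces, {len(plaintext_ranges(size))} cleartext gaps")
```

Under the assumed chunk length a 100 MiB file has only about 3% of its bytes overwritten, which is why intermittent encryption runs fast, why entropy-based file scanners miss it, and why large database or VM files on a hit system often still contain carvable cleartext between the encrypted pieces.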
Known Campaigns
Selected high-impact confirmed incidents during RansomHub's active period (February 2024 — April 2025). The group's broad affiliate base means many additional incidents were not publicly attributed or disclosed.
Following the February 2024 BlackCat/ALPHV attack on Change Healthcare (UnitedHealth Group's subsidiary), a disgruntled ALPHV affiliate who had conducted the attack took the 4 TB of stolen data to RansomHub after ALPHV's leadership pocketed the $22 million ransom without paying the affiliate's share. RansomHub listed Change Healthcare on its leak site and threatened to publish the data unless a further payment was made, effectively a second extortion attempt against the same organization. The incident showed how data stolen in one ransomware attack can be weaponized by a subsequent group, and demonstrated RansomHub's willingness to pressure organizations already victimized by another gang. UnitedHealth Group initially put the number of affected individuals at approximately 100 million and in January 2025 revised it to roughly 190 million, the largest healthcare data breach in US history.
RansomHub attacked Halliburton, one of the world's largest oilfield services companies, disrupting systems across its Houston headquarters and forcing the company to take portions of its network offline. The attack temporarily impacted operations including billing and global connectivity systems. Halliburton acknowledged the incident and confirmed it had notified law enforcement. The attack demonstrated RansomHub's reach into energy sector critical infrastructure and its affiliates' capacity to penetrate heavily secured enterprise environments.
RansomHub attacked Christie's, the prestigious international auction house, in the lead-up to its major spring sale events. The attack forced Christie's to shut down its main website and take systems offline. The group exfiltrated personal data on wealthy clients globally — including names, nationalities, and birth dates — and threatened to publish it when Christie's did not engage in negotiations. Christie's confirmed the breach and notified affected clients. The incident highlighted that ransomware groups have no reservations about attacking cultural or luxury institutions, regardless of their public profile.
RansomHub breached Planned Parenthood of Montana between August 24 and August 28, 2024, exfiltrating 93 GB of data including protected health information for 56,917 patients. The data included reproductive health records — particularly sensitive given state-level abortion restrictions in Montana following Roe v. Wade's overturn. RansomHub published sample files on its leak site on September 4 when negotiations did not progress to its satisfaction. The incident drew national attention to the intersection of ransomware and reproductive health privacy.
RansomHub claimed the breach of Frontier Communications, the fourth-largest US high-speed internet provider, serving approximately 25 states. The group published data on its leak site after Frontier did not engage with ransom demands. The attack disrupted Frontier's internal systems and forced the company to partially shut down portions of its network, affecting customer-facing services across its service territory.
RansomHub's affiliate communication portals went offline on the morning of April 1, 2025. Affiliates lost access to negotiation tools mid-ransom discussion, leaving victims with no contact point and affiliates with no infrastructure. DragonForce posted on RAMP claiming RansomHub had joined its cartel, previewing a dedicated RansomHub affiliate portal on DragonForce's platform. RansomHub spokesperson "koley" resurfaced in late April claiming a state-sponsored attack and internal betrayal, demanded affiliates transfer 1 BTC to prove loyalty, then posted a defacement of DragonForce's site — only for DragonForce to acknowledge its own site had been compromised by an insider. An actor named "Rjun" posted on the XSS underground forum claiming the Russian Ministry of Internal Affairs had intervened to halt RansomHub's resurgence, citing either CIS-country infrastructure attacks or an internal leak as the trigger. Koley has been inactive on RAMP since April 2025. Neither platform returned to normal operation in its original form. Former RansomHub affiliates formed VanHelsing ransomware and launched RansomBay via DragonForce infrastructure. The majority of RansomHub affiliates migrated to Qilin, whose monthly victim count nearly doubled — from approximately 35 per month to nearly 70 — in the immediate aftermath, with a 280% jump in attack claims recorded between late April and October 2025.
Tools & Malware
- RansomHub encryptor (multi-platform Golang): Curve25519 key generation (unique per victim) combined with ChaCha20 file encryption. Supports Windows, Linux, VMware ESXi, FreeBSD, and NAS environments in a single compiled toolset. Excludes CIS countries at the code level. Files appended with 58 bytes of key data post-encryption. Partial encryption for large files (every 0x200000 bytes encrypted, with skips between) to maximize encryption speed without compromising leverage.
- Betruger backdoor: A custom multi-function pre-encryption backdoor documented in early 2025 RansomHub affiliate operations. Consolidates functions previously requiring multiple separate tools: credential theft, screenshot capture, keylogging, network scanning, and data exfiltration. Designed to reduce detection surface by replacing Mimikatz, Cobalt Strike beacons, and network scanners with a single binary. Assessed by researchers to indicate a shift toward more operationally disciplined, tool-minimal intrusion tradecraft.
- RClone / WinSCP: Legitimate file transfer tools used for data staging and exfiltration before encryption, consistent with standard RaaS affiliate tradecraft for avoiding malware-signature detection during the exfiltration phase.
- BITS (bitsadmin): Windows Background Intelligent Transfer Service abused for asynchronous payload delivery and data transfer, blending with legitimate OS activity.
- GPO-based deployment: Group Policy Objects modified for simultaneous mass deployment of ransomware payloads across all domain-joined systems, and for disabling antivirus and EDR tools at scale before encryption execution.
- RansomHub data leak site: Tor-hosted dark web platform where victim data was published after deadline expiry. Ransom notes directed victims to contact via a unique .onion URL with a provided client ID — no demand amount specified in the note itself. Affiliates controlled the 3–90 day deadline per victim.
Indicators of Compromise
IOCs sourced from CISA advisory AA24-242A (August 29, 2024). The advisory PDF contains full tables of IP addresses, file hashes, and additional network indicators. As with all dormant groups, network IOCs should be treated with caution — infrastructure may have been reassigned or reused by other actors since RansomHub's collapse.
Many IP addresses in the CISA advisory were first observed as early as 2020 and were historically linked to QakBot infrastructure; CISA itself recommends investigating or vetting these IPs before blocking. The full IOC tables (Tables 2–5) are in the CISA advisory PDF at ic3.gov/CSA/2024/240829.pdf.
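The vetting the two paragraphs above call for can be made mechanical. The script below is an added example, not CISA tooling: it tiers indicators by type and by where their first and last sightings fall relative to RansomHub's active window (February 2024 to April 1, 2025, from this page). File hashes identify a specific sample and remain blockable; a network indicator that pre-dates the group, carries a prior attribution, or is still active after the group went dark is exactly the shared or reassigned infrastructure the advisory warns about. The CSV rows, hash and addresses are constructed placeholders, and the 90-day staleness window is an assumption.

```python
"""Confidence tiering for indicators published for a dormant group (added example, not CISA tooling).

Rules: file hashes identify specific samples, so they stay blockable. Network
indicators are tiered by first/last sighting relative to the group's active
window (from the page) and by any prior attribution. The CSV is constructed;
the hash and addresses are placeholders, not advisory data.
"""
import csv
import io
from datetime import date

GROUP_START = date(2024, 2, 1)   # RansomHub emergence (page)
GROUP_END = date(2025, 4, 1)     # infrastructure went dark (page)
STALE_DAYS = 90                  # ASSUMED: block window after the last sighting of a network IOC


def vet(row: dict, assessed_on: date):
    """Return (action, reason) for one indicator row. Actions: block, investigate, monitor."""
    if row["type"] in ("sha256", "sha1", "md5"):
        return ("block", "file hash identifies a specific sample; no reassignment risk")
    first = date.fromisoformat(row["first_seen"])
    last = date.fromisoformat(row["last_seen"])
    if first < GROUP_START:
        return ("investigate", f"first seen {first}, before RansomHub existed; likely shared or reused infrastructure")
    if row.get("prior_attribution"):
        return ("investigate", f"also attributed to {row['prior_attribution']}; not RansomHub-specific")
    if last > GROUP_END:
        return ("investigate", f"seen {last}, after RansomHub went dark; whoever uses it now is not RansomHub")
    if (assessed_on - last).days > STALE_DAYS:
        return ("monitor", f"last seen {last}; too old to block, keep for hunting and retro-matching")
    return ("block", f"seen {first} to {last}, inside the group's active window and still recent")


def vet_all(csv_text: str, assessed_on: date):
    """Vet every row of an IOC CSV and return [(indicator, action, reason), ...]."""
    return [(r["indicator"],) + vet(r, assessed_on) for r in csv.DictReader(io.StringIO(csv_text))]


SAMPLE_CSV = """indicator,type,first_seen,last_seen,prior_attribution
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,sha256,2024-03-02,2024-08-20,
198.51.100.7,ipv4,2020-06-11,2024-05-03,QakBot
192.0.2.17,ipv4,2024-05-02,2024-08-01,Cobalt Strike team server
203.0.113.45,ipv4,2024-04-18,2024-08-27,
192.0.2.88,ipv4,2024-06-01,2025-06-15,
203.0.113.201,ipv4,2024-07-09,2024-07-30,
"""

if __name__ == "__main__":
    for indicator, action, reason in vet_all(SAMPLE_CSV, date(2025, 7, 1)):
        print(f"{action:<11} {indicator:<20} {reason}")
```

Run against a feed on the day of triage: the same row that is a "block" in September 2024 becomes a "monitor" a year later, which is the point; network IOCs for a dormant group belong in retro-hunts and enrichment, not in a perimeter blocklist that never expires.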
Mitigation & Defense
RansomHub's CISA advisory mitigations remain relevant because the group's affiliates — and their TTPs — are still active under Qilin, DragonForce, and new brands. The initial access vectors (public-facing CVE exploitation and credential compromise) are unchanged.
- Patch internet-facing appliances immediately: RansomHub affiliates consistently exploited known, patchable CVEs in Citrix, Fortinet, Apache, Atlassian, and F5 products, plus years-old Windows bugs. Every one of these had a vendor fix before the attacks; the failure was delayed remediation, not zero-day exploitation. A maximum 72-hour remediation window for critical CVEs on internet-facing systems is the appropriate standard for organizations in RansomHub's target profile; where an appliance cannot be patched inside that window, take it off the internet or restrict it to VPN or allowlisted sources until it is.
- Enforce phishing-resistant MFA on all remote access, and harden the helpdesk path around it: Scattered Spider affiliates defeated code- and push-based MFA through vishing, impersonating IT support to get users to read out codes or approve prompts, and impersonating users to get the helpdesk to reset credentials or enroll a new MFA device. FIDO2/WebAuthn authenticators are origin-bound, so there is no code to read out and no push to approve, which closes the first path. The second path is closed only by process: no MFA reset or re-enrollment over the phone without strong identity verification (manager callback or in-person check), and alerting on new authenticator registrations for privileged accounts. Organizations with high brand visibility or large employee counts should also run awareness training specifically on IT helpdesk impersonation.
- Monitor and restrict GPO modification: RansomHub affiliates used Group Policy to disable security tools and deploy payloads across entire domains simultaneously. SIEM alerts on unexpected Group Policy Object creation or modification — particularly policies affecting security software — should trigger immediate tier-1 escalation. Restrict GPO modification rights to a small number of explicitly authorized accounts with MFA.
- Alert on BITS job creation from non-standard processes: collect the Microsoft-Windows-Bits-Client/Operational log and alert on jobs created by bitsadmin.exe, PowerShell or scripting hosts, and on transfers whose source is a bare IP address or a host outside the approved software sources. Most legitimate BITS traffic originates from Windows Update or established enterprise software, so the approved-source list is short and stable.
- Audit RClone and WinSCP executions: These legitimate tools are consistently used for data exfiltration. Maintain an approved software allowlist and alert on execution of file transfer tools outside that list, especially when combined with large outbound network transfers. Consider blocking direct RClone execution on servers that have no legitimate business reason to run it.
- Implement network segmentation to contain lateral movement: RansomHub affiliates moved laterally via RDP across poorly segmented networks, reaching backup infrastructure before triggering encryption. Tier-0 systems (domain controllers, backup servers, ESXi hosts) should require separate privileged credentials not reachable from standard workstation or server networks.
- Test backup restoration quarterly and maintain offline copies: RansomHub affiliates targeted backup infrastructure specifically. Backups stored on network-accessible paths reachable from production were encrypted alongside primary data. Offline or immutable backups on isolated infrastructure are the only reliable recovery path after a full-environment ransomware event.
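The GPO, BITS and file-transfer-tool recommendations above each reduce to a rule over Windows event data. The script below is an added example of that detection logic, not a vendor rule or anything from the advisory. Its events are constructed dictionaries modelled on Security 5136/5137 (directory object modified/created, which is where GPO edits surface when directory-service change auditing is on), Microsoft-Windows-Bits-Client/Operational events 3 (job created) and 59 (transfer started, carrying the URL), and Security 4688 (process creation); field names follow those channels but vary by Windows version. The account names, hostnames and allowlists are assumptions for the example.

```python
"""Event triage for three RansomHub affiliate behaviours (added example, not a vendor rule).

Events are constructed dicts modelled on Security 5136/5137 (GPO edits),
Microsoft-Windows-Bits-Client/Operational 3 and 59, and Security 4688. Field
names follow those channels but vary by Windows version. Account names,
hostnames and allowlists below are assumptions for the example.
"""
import ipaddress
from urllib.parse import urlparse

GPO_ADMINS = {"gpo-admin"}                                      # ASSUMED: only accounts allowed to edit GPOs
BITS_ALLOWED_DOMAINS = {"windowsupdate.com", "microsoft.com"}  # ASSUMED approved BITS sources
BITS_SUSPECT_PROCS = {"bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
TRANSFER_TOOL_HOSTS = {"BACKUP01"}                              # ASSUMED: hosts with a business reason to run them


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host_allowed(url: str) -> bool:
    """True only for an approved domain or a subdomain of one; a bare IP is never approved."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in BITS_ALLOWED_DOMAINS)


def triage(event: dict):
    """Return (severity, reason) for one event, or None if it looks benign."""
    eid, chan = event.get("EventID"), event.get("Channel", "")
    if chan == "Security" and eid in (5136, 5137):
        if event.get("ObjectClass") == "groupPolicyContainer":
            who = event.get("SubjectUserName", "").lower()
            if who not in GPO_ADMINS:
                return ("high", f"GPO {event.get('ObjectDN')} modified by unauthorized account {who}")
        return None
    if chan.startswith("Microsoft-Windows-Bits-Client"):
        if eid == 59 and not _host_allowed(event.get("url", "")):
            return ("high", f"BITS transfer from non-approved source {event.get('url')}")
        if eid == 3 and _basename(event.get("processPath", "")) in BITS_SUSPECT_PROCS:
            return ("medium", f"BITS job created by {_basename(event['processPath'])} as {event.get('jobOwner')}")
        return None
    if chan == "Security" and eid == 4688:
        exe = _basename(event.get("NewProcessName", ""))
        if exe in TRANSFER_TOOLS and event.get("Computer") not in TRANSFER_TOOL_HOSTS:
            return ("high", f"{exe} executed on {event.get('Computer')}, a host outside the allowlist")
    return None


def run(events):
    """Apply triage() to an event stream and collect the findings in order."""
    findings = []
    for ev in events:
        hit = triage(ev)
        if hit:
            findings.append({"host": ev.get("Computer"), "event_id": ev.get("EventID"),
                             "severity": hit[0], "reason": hit[1]})
    return findings


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"Channel": "Security", "EventID": 5136, "Computer": "DC01", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "gpo-admin"},
    {"Channel": "Security", "EventID": 5136, "Computer": "DC01", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "svc-backup"},
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 59, "Computer": "WS-0142",
     "jobTitle": "WU Client Download", "url": "http://download.windowsupdate.com/d/msdownload/update/x.cab"},
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 59, "Computer": "WS-0142",
     "jobTitle": "upd", "url": "http://203.0.113.10/upd.dat"},
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 3, "Computer": "WS-0142",
     "jobTitle": "upd", "jobOwner": "CORP\\jdoe",
     "processPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Channel": "Security", "EventID": 4688, "Computer": "FILESRV01",
     "NewProcessName": "C:\\Users\\Public\\rclone.exe", "CommandLine": "rclone.exe copy D:\\Shares remote:bucket"},
    {"Channel": "Security", "EventID": 4688, "Computer": "BACKUP01",
     "NewProcessName": "C:\\Program Files\\rclone\\rclone.exe", "CommandLine": "rclone.exe sync D:\\Backups remote:vault"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} event {f['event_id']}: {f['reason']}")
```

Two design points carry over to a real SIEM rule: the GPO check keys on the object class and the acting account rather than on specific attributes, because an attacker who only bumps versionNumber after editing the SYSVOL files still has to touch the container; and the BITS source check treats any bare IP as unapproved, since no legitimate update channel in an enterprise hands out raw addresses.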
RansomHub's rise and collapse in fourteen months illustrates a structural feature of the RaaS ecosystem: affiliate loyalty is entirely financial, not institutional. When the platform that offered the highest payout disappeared, affiliates migrated to the next best option within weeks. No relationship, reputation, or institutional trust survived the infrastructure outage. This means law enforcement disruption operations — and internal conflict — can rapidly restructure the ransomware landscape, but rarely eliminate the skilled operators who move between platforms. Targeting affiliates rather than infrastructure is assessed as the more durable law enforcement strategy.
Sources & Further Reading
- Trellix — Gang Wars: Breaking Trust Among Cyber Criminals (2025) — documents koley 1 BTC loyalty demand and Russian MoI intervention claim from Rjun/XSS
- Check Point Research — The State of Ransomware Q2 2025 (July 2025) — Qilin migration statistics post-RansomHub
- Check Point Research — The State of Ransomware Q3 2025 (November 2025) — DragonForce growth, LockBit 5.0 return
- Industrial Cyber / Comparitech — Qilin Escalates Rapidly in 2025 with 700 Attacks; RansomHub 547 Full-Year 2024 Figure (October 2025)
- Barracuda Networks — Qilin Ransomware Is Growing: Scattered Spider Migration Confirmed (July 2025)
- CISA / FBI / HHS / MS-ISAC — #StopRansomware: RansomHub Ransomware, Advisory AA24-242A (August 29, 2024)
- The Hacker News — RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control (May 2025)
- LevelBlue (Cybereason) — Inside DragonForce's Cartel Ambitions (February 2026)
- Infosecurity Magazine — DragonForce Engages in "Turf War" for Ransomware Dominance (November 2025)
- ThreatDown by Malwarebytes — Ransomware in April 2025: RansomHub is Gone (May 2025)
- Forescout — A New Ransomware Group Emerges from the Change Healthcare Cyber Attack (2024)
- HIPAA Journal — Planned Parenthood Ransomware Attack (2024)
- Check Point Research — DragonForce Ransomware: Redefining Hybrid Extortion in 2025 (May 2025)
- BlackFog — What Happens When Ransomware Gangs Attack Each Other? (July 2025)