Executive Summary
- First Identified: 2024
- Operation Style:
  - Ransomware-as-a-Service (RaaS); affiliates reportedly keep 90% of ransom payments.
- Extortion Method:
  - Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of the victim's sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
- Most Frequently Targeted Industries:
  - Industrials (Construction & Engineering)
- Most Frequently Targeted Victim HQ Locations:
  - North America
- Known Associations:
  - Water Bakunawa
  - Koley
  - Notchy
  - ALPHV Ransomware
  - BianLian Ransomware
  - Knight Ransomware
  - Scattered Spider
Description
Ransomhub is a ransomware-as-a-service (RaaS) operation that was first identified in February 2024. The group has been assessed to be related to the Alphv ransomware group, likely because multiple former Alphv affiliates have been observed using the Ransomhub ransomware. Additionally, security researchers with Symantec reported that the Ransomhub and Knight ransomware operations share a significant overlap in code. The overlap has been assessed to likely be the result of the Knight ransomware source code being sold on cybercriminal forums after the Knight operators halted operations, rather than of a cooperative relationship between the two operations.
Ransomhub is written in Golang and C++, according to an advertisement on a dark-web forum. The post also stated that the malware is obfuscated using abstract syntax tree (AST) obfuscation and built daily, that the ransomware operators take a 10% commission from affiliates in the RaaS model, and that the asymmetric algorithm is based on x25519 while the symmetric encryption algorithm can be adjusted among AES256, ChaCha20, and XChaCha20. The ransomware supports targeting Windows, Linux, ESXi, and devices running on MIPS architectures.
Ransomhub initial access methods likely vary depending on the affiliate deploying the ransomware.
An incident reported in October 2024 included the use of Google Voice by the Ransomhub affiliate Scattered Spider to call the victim organization's IT help desk and have the password of a C-suite level executive changed. The changed password provided the affiliate with initial access to the victim environment, which resulted in the deployment of the Ransomhub encryptor.
Ransomhub does not allow affiliates to target organizations that have previously paid a ransom demand, nor non-profit organizations. Additionally, affiliates are prohibited from targeting organizations in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China.
Two former Alphv affiliates, Notchy and Scattered Spider, have been linked to the Ransomhub operation. Scattered Spider was linked through the observation of STONESTOP and POORTRY in a Ransomhub cyberattack; both STONESTOP and POORTRY have previously been linked to the Scattered Spider threat group. Notchy was likely linked to Ransomhub when the group posted Change Healthcare on its data leak site after the Alphv group reportedly pulled an exit scam after taking credit for the attack. It is widely believed that the Notchy affiliate took the stolen data to Ransomhub to re-extort the victim.
Ransomhub has quickly become the most active ransomware operation, surpassing LockBit, which had remained the most active for the previous two years. This is likely due to the law enforcement actions against LockBit in early 2024 and to Ransomhub encouraging affiliates to join with a 90/10 payment split. The more lucrative payment option has likely led more sophisticated affiliates to switch to the Ransomhub operation.