Ransomhub is a ransomware-as-a-service (RaaS) operation that was first identified in February 2024. The group has been assessed to be related to the Alphv ransomware group, likely because multiple former Alphv affiliates have been observed using the Ransomhub ransomware. Additionally, security researchers with Symantec reported that the Ransomhub and Knight ransomware operations share significant code overlap. The overlap has been assessed to be the likely result of the Knight ransomware source code being sold on cybercriminal forums after the Knight operators halted operations, rather than of a cooperative relationship between the two operations.
Ransomhub is written in Golang and C++, according to an advertisement on a dark-web forum. The post also stated that the malware is obfuscated at the abstract syntax tree (AST) level and built daily, that the ransomware operators take a 10% commission from affiliates in the RaaS model, that the asymmetric algorithm is based on x25519, and that the symmetric encryption algorithm is selectable among AES256, ChaCha20, and XChaCha20. The ransomware supports targeting Windows, Linux, ESXi, and MIPS-based devices.
Ransomhub initial access methods likely vary depending on the affiliate deploying the ransomware. However, methods reported have included phishing, vulnerability exploitation, initial access malware, and more.
An incident reported in October 2024 included the use of Google Voice by the Ransomhub affiliate Scattered Spider to call the victim organization’s IT help desk and have the password of a C-suite executive reset. The changed password provided the affiliate with initial access to the victim environment, which resulted in the deployment of the Ransomhub encryptor.
Ransomhub does not allow affiliates to target organizations that have previously paid a ransom demand or non-profit organizations. Additionally, affiliates are prohibited from targeting organizations in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China.
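As an added illustration that is not part of the original profile, the following Python check shows one way a defender can look for the help-desk reset pattern described above: a password reset of a privileged account that was initiated by a help-desk agent rather than self-service, followed within a short window by a sign-in from a device never seen before for that account. The log schema, field names, account names and sample events are constructed assumptions, not real telemetry or any vendor's format.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (invented for this example).
EVENTS = [
    {"ts": "2024-10-01T08:00:00", "type": "logon", "user": "analyst1",
     "device": "WS-0042", "src_ip": "10.0.5.21"},
    {"ts": "2024-10-01T09:02:00", "type": "password_reset", "actor": "helpdesk_agent",
     "target": "cfo", "channel": "phone"},
    {"ts": "2024-10-01T09:10:00", "type": "logon", "user": "cfo",
     "device": "UNKNOWN-LAPTOP-7", "src_ip": "203.0.113.45"},
    {"ts": "2024-10-01T10:00:00", "type": "password_reset", "actor": "self_service",
     "target": "analyst1", "channel": "portal"},
    {"ts": "2024-10-01T10:05:00", "type": "logon", "user": "analyst1",
     "device": "WS-0042", "src_ip": "10.0.5.21"},
]

# Assumed watchlist of privileged accounts and the devices each one has
# historically used (in practice this would come from an asset inventory).
PRIVILEGED = {"cfo", "ceo", "cio"}
KNOWN_DEVICES = {"cfo": {"EXEC-LAPTOP-1"}, "analyst1": {"WS-0042"}}
WINDOW = timedelta(hours=1)


def find_suspicious_resets(events, privileged, known_devices, window=WINDOW):
    """Return one alert per help-desk initiated reset of a privileged account
    that is followed within `window` by a logon from an unseen device."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for reset in ordered:
        if reset["type"] != "password_reset" or reset["target"] not in privileged:
            continue
        if reset["actor"] == "self_service":
            # User-driven resets through the portal are out of scope here.
            continue
        t0 = datetime.fromisoformat(reset["ts"])
        for logon in ordered:
            if logon["type"] != "logon" or logon["user"] != reset["target"]:
                continue
            t1 = datetime.fromisoformat(logon["ts"])
            seen = known_devices.get(logon["user"], set())
            if t0 <= t1 <= t0 + window and logon["device"] not in seen:
                alerts.append({
                    "account": reset["target"],
                    "reset_by": reset["actor"],
                    "reset_channel": reset["channel"],
                    "logon_device": logon["device"],
                    "logon_src_ip": logon["src_ip"],
                    "minutes_after_reset": (t1 - t0).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS, PRIVILEGED, KNOWN_DEVICES):
        print(alert)
```

The analyst's self-service reset is ignored because the actor is the user, while the phone-initiated reset of the executive account followed eight minutes later by a logon from an unseen device produces an alert. Tuning the window and treating any new device for a privileged account as reportable are the two knobs most worth adjusting.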
Two former Alphv affiliates, Notchy and Scattered Spider, have been linked to the Ransomhub operation. Scattered Spider was linked by the observation of STONESTOP and POORTRY in a Ransomhub cyberattack. Both STONESTOP and POORTRY have been previously linked to the Scattered Spider threat group. Notchy was likely linked to Ransomhub when the group posted Change Healthcare on their data leak site after the Alphv group reportedly pulled an exit scam after taking credit for the attack. It is widely believed that the Notchy affiliate took the stolen data to Ransomhub to re-extort the victim.
Ransomhub has quickly become the most active ransomware operation, surpassing LockBit, which had been the most active for the previous two years. This is likely due to the law enforcement actions against LockBit in early 2024 and to Ransomhub encouraging affiliates to join with a 90/10 payment split. The more lucrative payment option has likely led more sophisticated affiliates to switch to the Ransomhub operation.
In early 2025, multiple other ransomware operations, including BianLian, Medusa, and Play, were reported to use Ransomhub’s EDR-killing tool, EDRKillShifter. While BianLian has previously been reported to act as an affiliate of other ransomware operations, Medusa and Play have been reported to be private operations. This indicates that trusted members of Medusa and Play likely have a cooperative relationship with the Ransomhub operators.
Ransomhub operators were reported to be deploying new backdoor malware to maintain persistence on compromised endpoints. A reported backdoor, Betruger, is a multi-function backdoor that contains functionality that is often found in several ransomware-related tools, including screenshotting, keylogging, network scanning, and more.
Multiple affiliates of the Ransomhub operation have been disclosed so far in 2025, including:
- ShadowSyndicate – a group known to operate with Alphv, Cactus, Nokoyawa, and more.
- QuadSwitcher – an affiliate group that has been tied to both Ransomhub and BianLian.
- CosmicBeetle – an individual, rather than a group, that has been reported to utilize the Ransomhub variant as well as their own encryptor, ScRansom.
The Ransomhub data leak site has been down since March 31, 2025, without any indication of what happened. Ransomhub originally attracted multiple affiliates from other operations as the group advertised that affiliates got to keep 90% of their ransom payments (as opposed to the typical 80%) and that the payments would be made to the affiliate or split at payment. Other ransomware operations have been reported to take the money and then pay out the affiliate.
Ransomhub's model offered affiliates more protection against operations pulling exit scams or taking the money.
However, at the beginning of April, security researchers began reporting signs of potential internal conflict involving an unknown number of affiliates. Ransomhub affiliates were reported to be diverting their communications to other, non-Ransomhub platforms. Additionally, Ransomhub affiliates were observed posting to the cybercriminal forum RAMP asking for clarification on the future of Ransomhub.
On April 02, 2025, the DragonForce ransomware operation claimed that Ransomhub had “decided to move to their infrastructure” under the new white-label DragonForce cartel. To make matters more confusing, the DragonForce operators posted Ransomhub as a victim on their data leak site. DragonForce was observed requesting that Ransomhub “consider [their] offer”.
While there is significant confusion and uncertainty around the future of the Ransomhub operation, the site has been inactive since at least March 31, 2025. The reason behind the downed site remains unknown, with theories ranging from the group having conducted an exit scam to the group having joined forces with the DragonForce operation. There is an even chance that Ransomhub will return to the landscape or that the affiliates will move to other operations permanently.