Ransomhub was a ransomware-as-a-service (RaaS) operation first identified in February 2024. The group was assessed to be related to the Alphv ransomware operation, largely because multiple former Alphv affiliates were observed deploying the Ransomhub ransomware. Separately, security researchers at Symantec reported significant code overlap between the Ransomhub and Knight ransomware families. That overlap was assessed to be the result of the Knight source code being sold on cybercriminal forums after the Knight operators shut down, rather than of a cooperative relationship between the two operations.
According to an advertisement on a dark-web forum, Ransomhub was written in Golang and C++. The post also stated that the malware was obfuscated at the abstract syntax tree (AST) level and rebuilt daily, that the operators took a 10% commission from affiliates under the RaaS model, and that the encryption scheme used x25519 for the asymmetric component with a symmetric cipher selectable from AES-256, ChaCha20, and XChaCha20. The ransomware supported Windows, Linux, ESXi, and devices running on MIPS architectures.
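Those parameters describe the standard hybrid scheme used by most modern encryptors: each file gets a fresh random symmetric key, and x25519 key agreement against a public key embedded in the sample wraps that key so only the holder of the matching private key can recover it. The Go program below is an added illustration of that generic pattern, written for this page; it is not Ransomhub code and makes no claim about the sample's actual file format, key derivation, or cipher selection. It assumes AES-256-GCM (from the Go standard library, in place of the ChaCha20 variants the advertisement lists) and a labelled SHA-256 over the shared secret as a stand-in key derivation function; the struct, function names, and sample plaintext are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the demo's per-file record (hypothetical layout): everything
// a decryptor needs except the operator's x25519 private key.
type EncryptedFile struct {
	EphemeralPub []byte // x25519 public key generated for this one file
	WrappedKey   []byte // nonce || AES-GCM(KEK, fileKey); KEK derived via ECDH
	Body         []byte // nonce || AES-GCM(fileKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under a 32-byte key with a fresh random nonce and returns nonce || ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM is the inverse of sealGCM; it fails on a wrong key or tampered ciphertext.
func openGCM(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// deriveKEK turns the raw x25519 shared secret into a 256-bit key-encryption key.
// A labelled SHA-256 stands in for a proper KDF such as HKDF (demo assumption).
func deriveKEK(shared []byte) []byte {
	h := sha256.Sum256(append([]byte("demo-file-kek|"), shared...))
	return h[:]
}

// EncryptFile needs only the operator's public key. The ephemeral private key
// goes out of scope on return, so not even the encrypting host can recover the
// file key afterwards; that asymmetry is what makes the ransom note credible.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub) // x25519 key agreement with the operator key
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(deriveKEK(shared), fileKey)
	if err != nil {
		return nil, err
	}
	body, err := sealGCM(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{EphemeralPub: eph.PublicKey().Bytes(), WrappedKey: wrapped, Body: body}, nil
}

// DecryptFile recomputes the shared secret from the operator's private key and the
// stored ephemeral public key, unwraps the file key, then opens the body.
func DecryptFile(operatorPriv *ecdh.PrivateKey, f *EncryptedFile) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(f.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	fileKey, err := openGCM(deriveKEK(shared), f.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong operator key?): %w", err)
	}
	return openGCM(fileKey, f.Body)
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // held only by the operator
	sample := []byte("constructed sample file contents")   // constructed input
	ef, _ := EncryptFile(operator.PublicKey(), sample)
	pt, err := DecryptFile(operator, ef)
	fmt.Println("round trip ok:", err == nil && string(pt) == string(sample))
	stranger, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err = DecryptFile(stranger, ef)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The practical takeaway for an analyst is in DecryptFile: the only secret missing from a victim's disk is the operator's x25519 private key, so recovery without it depends on an implementation flaw (a reused or predictable file key, a leaked ephemeral private key, a broken KDF) rather than on the ciphers named in the advertisement.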
Ransomhub initial access methods varied depending on the affiliate deploying the ransomware. However, methods reported included phishing, vulnerability exploitation, initial access malware, and more.
An incident reported in October 2024 involved the Ransomhub affiliate Scattered Spider using Google Voice to call the victim organization's IT help desk and have the password of a C-suite executive reset. The reset password gave the affiliate initial access to the victim environment, which ultimately led to deployment of the Ransomhub encryptor.
Ransomhub did not allow affiliates to target organizations that had previously paid a ransom demand, or non-profit organizations. Additionally, affiliates were prohibited from targeting organizations in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China.
Two former Alphv affiliates, Notchy and Scattered Spider, were linked to the Ransomhub operation. Scattered Spider was linked through the observation of STONESTOP and POORTRY in a Ransomhub attack; both tools had previously been attributed to the Scattered Spider threat group. Notchy was likely linked to Ransomhub when the operation posted Change Healthcare on its data leak site after Alphv, having taken credit for the attack, reportedly pulled an exit scam. It is widely believed that the Notchy affiliate took the stolen data to Ransomhub to re-extort the victim.
Ransomhub quickly became the most active ransomware operation, surpassing LockBit, which had held that position for the previous two years. This was likely due to the law enforcement actions against LockBit in early 2024, combined with Ransomhub encouraging affiliates to join with a 90/10 payment split in the affiliate's favor. The more lucrative payout likely drew more sophisticated affiliates to the Ransomhub operation.
In early 2025, multiple other ransomware operations, including BianLian, Medusa, and Play, were reported to be using Ransomhub's EDR-killing tool, EDRKillShifter. While BianLian has previously been reported to act as an affiliate of other ransomware operations, Medusa and Play have been reported to be private operations. This indicates that trusted members of Medusa and Play likely had a cooperative relationship with the Ransomhub operators.
Ransomhub operators were also reported to be deploying new backdoor malware to maintain persistence on compromised endpoints. One reported example, Betruger, is a multi-function backdoor whose capabilities overlap with those of several tools commonly seen in ransomware intrusions, including screenshot capture, keylogging, network scanning, and more.
Multiple affiliates of the Ransomhub operation were disclosed in 2025, including:
- ShadowSyndicate – a group known to operate with Alphv, Cactus, Nokoyawa, and more.
- QuadSwitcher – an affiliate group that has been tied to both Ransomhub and BianLian.
- CosmicBeetle – an individual, rather than a group, reported to use the Ransomhub variant as well as their own encryptor, ScRansom.
The Ransomhub data leak site has been down since March 31, 2025, without any indication of what happened. Ransomhub originally attracted affiliates from other operations by advertising that affiliates kept 90% of each ransom payment (as opposed to the typical 80%) and that payments were made directly to the affiliate, or split at the moment of payment, whereas other ransomware operations have been reported to collect the full payment and then pay out the affiliate.
This model offered affiliates more protection against operations pulling exit scams or withholding their share.
However, at the beginning of April 2025, security researchers began reporting observations of possible internal conflict involving an unknown number of affiliates. Ransomhub affiliates were reported to be moving their communications to platforms outside Ransomhub's infrastructure, and were observed posting on the cybercriminal forum RAMP asking for clarification on the future of Ransomhub.
On April 02, 2025, the DragonForce ransomware operation claimed that Ransomhub had “decided to move to their infrastructure” under the new white-label DragonForce cartel. Adding to the confusion, the DragonForce operators also posted Ransomhub as a victim on their own data leak site, and were observed requesting that Ransomhub “consider [their] offer”.
While there is significant confusion and uncertainty around the future of the Ransomhub operation, the site has been inactive since at least March 31, 2025. The group has not been reported to have returned to the landscape, and it is likely that any remaining affiliates have migrated to other operations within the past 12 months.