“If one group disappears, two more rise in its place.”
— The never-ending cycle of ransomware evolution
Who is RansomHub?
RansomHub is a Ransomware-as-a-Service (RaaS) group that emerged in early 2024 and quickly gained attention in the cyber threat landscape. Believed to be a rebrand or evolution of the Knight or ALPHV (BlackCat) ransomware gangs, RansomHub has built a solid affiliate model, targeting large enterprises through double extortion tactics.
Their leak site is hosted on the dark web and lists a growing number of victims — often with partial data dumps to pressure companies into payment.
Tactics, Techniques, and Procedures (TTPs)
RansomHub follows a typical but effective RaaS model. Here’s how they operate:
- Initial Access: Often gained via compromised credentials, phishing emails, or leaked VPN access.
- Privilege Escalation: Use of known Windows exploits and living-off-the-land binaries (LOLBins).
- Payload Delivery: Encrypted Golang-based ransomware binary with anti-analysis features.
- Exfiltration: Data is stolen before encryption for double extortion.
- Ransom Note: Unique ID and instructions to communicate via a TOR-hosted portal.
Technical Observations
- Written in Golang, which helps evade traditional signature-based detection.
- Uses multiple obfuscation layers and mutex locking to avoid repeated infections.
- Known to deploy Cobalt Strike, Mimikatz, and rclone during lateral movement and exfiltration.
Victim Profile
RansomHub does not appear to discriminate heavily by industry. Victims so far include:
- R&D-heavy firms
- Healthcare providers
- Manufacturing and mining companies (e.g., suspected targeting of firms like Ryerson)
- Educational institutions
This group often targets organizations with weak EDR, unpatched VPNs, or outdated on-prem systems.
IOCs (Indicators of Compromise)
Note: These are publicly available open-source indicators. Always validate before blocking.
| Type | Value |
|---|---|
| IP | 185.244.30[.]50 |
| Domain | ransomhub[.]onion |
| File hash | ec5b7e... (SHA256, redacted) |
| C2 URL | hxxp://ransom-node[.]org |
Defensive Recommendations
- Harden VPNs: Use MFA and monitor for brute-force attempts.
- Patch RDP & Fortinet appliances regularly.
- Implement network segmentation to isolate backups and critical data.
- Monitor for Golang executables, especially in temp/user folders.
- Threat hunt for tools like rclone, Mimikatz, or unexpected Cobalt Strike beacons.
Conclusion
RansomHub is another sign that ransomware isn’t going away, it’s just rebranding, refining, and recruiting. Organizations must treat threat intelligence as continuous — not reactive.
Stay paranoid, patch regularly, and always know who’s after your data.
Written by Mohammed Aladgham (@Al_adg)
Follow for occasional CTI updates and threat actor breakdowns.