RansomHub Ransomware
Description
RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged in early 2024 and is believed to be the successor to the Knight ransomware. The group quickly gained notoriety by claiming to have acquired data stolen by the BlackCat (ALPHV) ransomware group in one of its attacks, and attempted a second extortion based on that data. The group uses encryptors written in Golang (Go) to attack Windows and Linux systems and variants written in C++ to target ESXi systems. RansomHub's infrastructure was reportedly taken over by another ransomware group, DragonForce, in March 2025. After RansomHub's leak site and negotiation portal went offline, DragonForce announced that RansomHub was part of its ransomware cartel, meaning RansomHub can keep its name while using DragonForce's shared infrastructure.
Common Vulnerabilities and Exposures
Known Tools Used
- Advanced Port Scanner
- Amazon AWS S3 buckets/tools
- AngryIPScanner
- AnyDesk
- Atera
- Atera Agent
- bcdedit
- BadRentdrv2
- Betruger
- BITSAdmin
- Cobalt Strike
- ConnectWise
- CrackMapExec
- EDRKillShifter
- ExploitDB
- GitHub
- gobfuscate
- Google Voice
- iisreset.exe
- Impacket
- IOBit Unlocker
- Kerberoast
- Kerbrute
- LaZagne
- LSASS
- Lumma Stealer
- MEGA
- Metasploit
- Microsoft Teams
- netscan
- ngrok
- N-Able
- nmap
- ntdsutil
- POORTRY
- PowerShell
- PsExec
- PuTTY
- Python-based Backdoor
- Rclone
- Remote Desktop Pro
References
RansomHub (MITRE)
https://attack.mitre.org/software/S1212/
#StopRansomware: RansomHub Ransomware (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a