RansomHub
Threat Intelligence
Definition
A rapidly growing ransomware-as-a-service operation that emerged in February 2024 and quickly became the most active ransomware group globally by mid-2024, absorbing affiliates displaced from LockBit and ALPHV following law enforcement actions and exit scams, and using an affiliate-favorable 90% payment split to attract top operators.
Technical Details
RansomHub was first advertised on cybercriminal forums in early February 2024, about two weeks before the Operation Cronos takedown of LockBit. That timing fueled speculation about ties between the two operations, but the better-supported technical link is code overlap with the Knight (formerly Cyclops) ransomware, whose source code was offered for sale around the same time. Within months of launch, RansomHub became the most active ransomware group by victim count, overtaking LockBit and Play. The group explicitly recruited affiliates from disrupted operations by advertising a more affiliate-friendly model: 90% of ransom payments to affiliates (versus the roughly 70-80% that other RaaS programs offered), with affiliates collecting the payment directly in their own wallets and then forwarding the operators' 10%, the reverse of the usual flow in which the core group collects and pays out (a direct answer to ALPHV's exit scam). Its published rules prohibited attacks on organizations in the CIS, Cuba, North Korea and China, and on non-profits; healthcare was not off limits, and healthcare organizations were among its victims.
RansomHub's encryptor is written in Go and has builds for Windows, Linux, and VMware ESXi. It uses Curve25519 for key establishment and AES-256 for file contents, and it supports intermittent (partial) encryption so that large files can be rendered unusable without encrypting every byte. RansomHub quickly folded exploits for known vulnerabilities into affiliate tooling, and affiliates used a wide range of initial access techniques including compromised VPN credentials, exploitation of Citrix NetScaler flaws such as Citrix Bleed (CVE-2023-4966), and RDP brute force.
RansomHub gained particular notoriety in April 2024 when it listed Change Healthcare on its leak site, claiming data that an ALPHV affiliate had exfiltrated during the February 2024 attack. ALPHV had kept the affiliate's share of the ransom, posted a fake law enforcement seizure notice and shut down, and the affiliate then brought the data to RansomHub for a second extortion attempt. The episode shows that paying one ransomware group does not eliminate exposure: exfiltrated data is portable and can be monetized again by whoever holds a copy.
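The hybrid scheme described above (an asymmetric exchange on Curve25519 to establish a per-file key, then symmetric encryption of file contents, applied only to every other chunk) has two consequences that matter to responders: the file key cannot be recovered without the operator's private key, and intermittent encryption leaves an alternating high/low entropy pattern that a chunked entropy scan can fingerprint. The following Go program is an added illustration written for this page, not RansomHub's code, and its chunk size, chunk layout and fixed-zero nonce are assumptions chosen for brevity. It uses only the Go standard library (crypto/ecdh, crypto/aes).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// Assumed layout for this illustration: the file is processed in fixed-size chunks
// and only every other chunk is encrypted (the general idea behind "intermittent"
// encryption). This is not RansomHub's actual file format.
const chunkSize = 4096

// deriveFileKey runs X25519 between a fresh ephemeral key pair and the operator's
// long-term public key and hashes the shared secret into an AES-256 key. The
// ephemeral public key is kept with the file; the ephemeral private key is thrown
// away, so only the holder of the operator private key can recompute the secret.
func deriveFileKey(operatorPub *ecdh.PublicKey) (aesKey [32]byte, ephemeralPub []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return aesKey, nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return aesKey, nil, err
	}
	return sha256.Sum256(shared), eph.PublicKey().Bytes(), nil
}

// recoverFileKey is what the operator's decryptor does: combine the operator
// private key with the ephemeral public key stored alongside the file.
func recoverFileKey(operatorPriv *ecdh.PrivateKey, ephemeralPub []byte) ([32]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephemeralPub)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := operatorPriv.ECDH(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil
}

// intermittentXOR applies AES-256-CTR to every other chunk, leaving the chunks in
// between untouched. CTR is its own inverse, so the same call decrypts. The IV is
// derived from the chunk index (an assumption for brevity) so each chunk gets an
// independent keystream.
func intermittentXOR(key [32]byte, data []byte) []byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	copy(out, data)
	for off := 0; off < len(data); off += 2 * chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		iv := make([]byte, aes.BlockSize)
		binary.BigEndian.PutUint64(iv[8:], uint64(off/chunkSize))
		cipher.NewCTR(block, iv).XORKeyStream(out[off:end], data[off:end])
	}
	return out
}

// chunkEntropy returns the Shannon entropy in bits per byte for each chunk.
// Encrypted chunks sit close to 8.0; text sits far below. An alternating profile
// is the forensic fingerprint of intermittent encryption.
func chunkEntropy(data []byte) []float64 {
	var out []float64
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		var counts [256]int
		for _, b := range data[off:end] {
			counts[b]++
		}
		n := float64(end - off)
		h := 0.0
		for _, c := range counts {
			if c > 0 {
				p := float64(c) / n
				h -= p * math.Log2(p)
			}
		}
		out = append(out, h)
	}
	return out
}

func main() {
	operatorPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// Constructed sample "document": 16000 bytes of repeated text, i.e. four chunks.
	plain := bytes.Repeat([]byte("quarterly revenue report, confidential. "), 400)
	key, ephPub, _ := deriveFileKey(operatorPriv.PublicKey())
	enc := intermittentXOR(key, plain)
	fmt.Printf("entropy per chunk: %.2f\n", chunkEntropy(enc))
	recovered, _ := recoverFileKey(operatorPriv, ephPub)
	fmt.Println("decrypts with operator key:", bytes.Equal(intermittentXOR(recovered, enc), plain))
}
```

The entropy profile is the part a responder can act on: a scan that reports per-chunk entropy rather than a single whole-file figure will flag partially encrypted files that a whole-file threshold misses, and the untouched chunks are often enough to identify the file type and recover fragments.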
CISA, the FBI, MS-ISAC and HHS published a joint advisory on RansomHub TTPs (AA24-242A) on 29 August 2024, noting that the group had encrypted and exfiltrated data from at least 210 victims since February 2024 across critical infrastructure sectors including water and wastewater, information technology, government services, healthcare, financial services, transportation, and manufacturing. The advisory documented affiliates' use of Mimikatz for credential harvesting, Cobalt Strike for command and control, and legitimate remote access tools (AnyDesk, Splashtop, among others) for persistent access.
Practical Usage
RansomHub's rapid ascent demonstrates the resilience of the ransomware ecosystem: law enforcement disruption of individual groups creates openings for new entrants rather than reducing overall ransomware activity. Security teams should not read the LockBit or ALPHV disruptions as a reduction in ransomware risk; affiliates with established skills simply migrate to new platforms. Threat intelligence programs should continuously monitor the landscape and set defensive priorities from the TTPs of currently active groups rather than from groups that have been disrupted.
RansomHub affiliates' use of Citrix Bleed (CVE-2023-4966) in the group's early months makes it a specific remediation and detection priority. Citrix NetScaler ADC and Gateway appliances should be patched for CVE-2023-4966, and because the flaw leaks existing session tokens from appliance memory, patching alone does not invalidate tokens that were already stolen: active sessions should be terminated after patching. In access logs, look for sessions being used from a source IP other than the one that authenticated them, and for session activity with no preceding successful authentication at all; either is the signature of a replayed token rather than a normal login.
The CISA advisory provides indicators of compromise, a MITRE ATT&CK mapping of observed techniques, and recommended mitigations, including phishing-resistant MFA, prompt patching of known exploited vulnerabilities, and restricting the use of remote access tools.
For organizations that suffered an ALPHV or other ransomware attack and paid for a promised data deletion, the Change Healthcare re-extortion is a crucial warning: that promise is not binding, and exfiltrated data may resurface with another group. Legal and communications teams should prepare for a second extortion demand over the same data, and should understand that regulatory disclosure obligations are generally triggered by the initial exfiltration, not by the receipt of a ransom demand.
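The session-replay check recommended above, as an added example for this page (not from the CISA advisory or any vendor): it walks authentication-gateway events and flags any session used from a source address other than the one that logged in, or used without any login at all. The log lines are constructed for the example in a simplified generic `EVENT key=value` format, not the real NetScaler ns.log syntax; the same two conditions apply to whatever log format the gateway actually produces.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog is constructed test data in a simplified generic format:
// timestamp, event type, then key=value fields. It is not real appliance output.
// Session s1 is authenticated from one address and then used from another;
// session s7 is used without ever having logged in.
const sampleLog = `2024-03-02T10:15:01Z LOGIN session=s1 src=203.0.113.5 user=alice
2024-03-02T10:15:09Z ACCESS session=s1 src=203.0.113.5 path=/vpn/index.html
2024-03-02T10:16:44Z ACCESS session=s1 src=198.51.100.9 path=/vpn/index.html
2024-03-02T10:20:30Z ACCESS session=s7 src=198.51.100.9 path=/cgi/login
2024-03-02T10:21:00Z LOGIN session=s2 src=192.0.2.10 user=bob
2024-03-02T10:21:05Z ACCESS session=s2 src=192.0.2.10 path=/vpn/index.html`

type event struct {
	ts, kind string
	fields   map[string]string
}

// parseLine splits one log line into its timestamp, event type and key=value fields.
func parseLine(line string) (event, bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 {
		return event{}, false
	}
	ev := event{ts: parts[0], kind: parts[1], fields: map[string]string{}}
	for _, kv := range parts[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.fields[k] = v
		}
	}
	return ev, true
}

// findReplayedSessions returns one alert per ACCESS event that either uses a
// session id with no preceding LOGIN (a token obtained out of band, such as one
// leaked from appliance memory) or comes from a different source address than
// the one that authenticated the session.
func findReplayedSessions(log string) []string {
	loginSrc := map[string]string{} // session id -> source address of its LOGIN
	var alerts []string
	for _, line := range strings.Split(log, "\n") {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		sid, src := ev.fields["session"], ev.fields["src"]
		switch ev.kind {
		case "LOGIN":
			loginSrc[sid] = src
		case "ACCESS":
			authSrc, seen := loginSrc[sid]
			switch {
			case !seen:
				alerts = append(alerts, fmt.Sprintf("%s session %s used from %s with no preceding LOGIN", ev.ts, sid, src))
			case authSrc != src:
				alerts = append(alerts, fmt.Sprintf("%s session %s authenticated from %s but used from %s", ev.ts, sid, authSrc, src))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range findReplayedSessions(sampleLog) {
		fmt.Println("ALERT:", a)
	}
}
```

Run against real logs, the source-address condition will also fire on legitimate clients whose address changes mid-session (mobile users, carrier NAT), so treat it as a triage signal to be combined with the no-login condition and with the patch status of the appliance, and start the log window before the patch date, since the tokens were stolen while the appliance was still vulnerable.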
Examples
- RansomHub listed Change Healthcare on its leak site in April 2024, claiming 4TB of data that an ALPHV affiliate had exfiltrated in February, after UnitedHealth Group had already paid ALPHV roughly $22 million in exchange for its deletion.
- Within six months of launch RansomHub had claimed 210+ victims (the count cited in the August 2024 CISA advisory), including Patelco Credit Union, Rite Aid, and Halliburton, and it remained the most active group by leak-site postings through the second half of 2024, when Planned Parenthood of Montana was added in September.
- RansomHub's Go-based ESXi build encrypts virtual machine disk files directly on the hypervisor's datastores, so an affiliate can take down every guest on a host without touching the guests individually, maximizing disruption in virtualized data centers. Early Linux/ESXi builds also contained a flaw, reported by Recorded Future in May 2024, in which the encryptor checked a /tmp/app.pid file and looped indefinitely if the file already existed with an invalid process ID, which defenders could pre-create as an ad hoc kill switch until the bug was fixed.