Don't let cyberattacks disrupt your workflow. See what's at risk.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeThreat LibraryThreat Actors
Ransomhub
Threat Actor Profile

Ransomhub

Ransomhub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly gained notoriety for targeting critical infrastructure sectors. Known for their double extortion tactics, Ransomhub has impacted over 200 organizations globally, leveraging advanced techniques to exfiltrate and encrypt sensitive data.

Threat Actor Profile

Ransomhub

Country of Origin

The exact country of origin for Ransomhub remains unknown. However, their operational patterns suggest affiliations with Russian-speaking cybercriminal forums.

Members

The group’s size is unknown, but it is believed to consist of multiple affiliates, including former members of other ransomware groups like ALPHV and Knight.

Leadership

No specific leaders or aliases have been identified for Ransomhub. The group operates as a decentralized RaaS model, recruiting affiliates through dark web forums.

Ransomhub TTPs

Tactics

  • Ransomhub primarily aims to exfiltrate sensitive data and encrypt systems to extort ransom payments.

Techniques

  • Exploiting known vulnerabilities (e.g., CVE-2023-3519, CVE-2023-27997).
  • Phishing and password spraying for initial access.
  • Using tools like MimiKatz for credential dumping and PowerShell for network reconnaissance.

Procedures

  • Double extortion: Encrypting data and threatening to leak it.
  • Disabling endpoint detection tools using EDRKillShifter.
  • Employing intermittent encryption for faster attacks.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Indicators of Compromise (IoCs)

  • IPs and domains associated with command-and-control servers.
  • Malware signatures: Curve 25519 and AES encryption algorithms.
  • Tools: AngryIPScanner, Nmap, and RClone for data exfiltration.

Key Victims

Notable victims include:

  • Rite Aid
  • American Clinical Solutions
  • Florida Department of Health
  • Haliburton

Notable Cyberattacks

The Change Healthcare attack in early 2024, where stolen data was used for extortion. 

A significant breach of the Florida Department of Health, impacting critical public health services.

Law Enforcement & Arrests

No arrests have been reported. However, global law enforcement agencies, including the FBI and CISA, have issued advisories to mitigate Ransomhub’s impact.

Glitch effectGlitch effect

How to Defend Against Ransomhub

1

Implement multi-factor authentication (MFA) to prevent unauthorized access.

2

Regularly patch known vulnerabilities.

3

Use network segmentation to limit lateral movement.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats with enterprise-grade technology.

References

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free