Threat Actor Profile

Ransomhub

Ransomhub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly gained notoriety for targeting critical infrastructure sectors. Known for their double extortion tactics, Ransomhub has impacted over 200 organizations globally, leveraging advanced techniques to exfiltrate and encrypt sensitive data.

Threat Actor Profile

Ransomhub

Country of Origin

The exact country of origin for Ransomhub remains unknown. However, their operational patterns suggest affiliations with Russian-speaking cybercriminal forums.

Members

The group’s size is unknown, but it is believed to consist of multiple affiliates, including former members of other ransomware groups like ALPHV and Knight.

Leadership

No specific leaders or aliases have been identified for Ransomhub. The group operates as a decentralized RaaS model, recruiting affiliates through dark web forums.

Ransomhub TTPs

Tactics

Ransomhub primarily aims to exfiltrate sensitive data and encrypt systems to extort ransom payments.

Techniques

Exploiting known vulnerabilities (e.g., CVE-2023-3519, CVE-2023-27997).
Phishing and password spraying for initial access.
Using tools like MimiKatz for credential dumping and PowerShell for network reconnaissance.

Procedures

Double extortion: Encrypting data and threatening to leak it.
Disabling endpoint detection tools using EDRKillShifter.
Employing intermittent encryption for faster attacks.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Notable Cyberattacks

The Change Healthcare attack in early 2024, where stolen data was used for extortion.

A significant breach of the Florida Department of Health, impacting critical public health services.

Law Enforcement & Arrests

No arrests have been reported. However, global law enforcement agencies, including the FBI and CISA, have issued advisories to mitigate Ransomhub’s impact.