01 RansomHub

RansomHub

Region

Europe,

Latin America,

North America

Industries

Healthcare,

Manufacturing,

Real Estate,

Science & Engineering

First seen

February 2024

Cybercrime

Attacking over 600 organizations globally, causing significant disruption and financial losses

Heritage

Appeared in 2024 after ALPHV (BlackCat) disappeared

Categorizations

Ransomware-as-a-Service (RaaS)

About

Since its discovery in February 2024, RansomHub has quickly become a dominant force in ransomware. As of now, according to global statistics, this group of Masked Actors has already surpassed even long-established cybercriminals in attacks.

Learn more about RansomHub from Group-IB’s research

RansomHub ransomware-as-a-service

RansomHub Never Sleeps

Ransom notes

Ransomware debris: an analysis of the RansomHub

Victims

Primary target sectors are industrial manufacturing and healthcare. Over 200 organizations have been infiltrated (August 2024), with 74 victims reported in September alone. Notable victims include laptop maker Clevo.

What we know about RansomHub members

After launching its affiliate program in February 2024, RansomHub recruited former Scattered Spider group members (ex-Conti and REvil), offering Ransomware-as-a-Service (RaaS), enabling even low-skilled cybercriminals to launch sophisticated attacks. RansomHub presents itself as a group of helpful and professional consultants rather than cybercriminals, offering “valuable advice” on IT protection, post-payment.

Motivations

Financial gain. Using double-extortion tactics, this group encrypts data and then threatens to leak sensitive information if ransoms are not paid.