RansomHub

About

Since its discovery in February 2024, RansomHub has quickly become a dominant force in ransomware. As of now, according to global statistics, this group of Masked Actors has already surpassed even long-established cybercriminals in attacks.

Active since

February 2024

Primary targets

Attacking over 600 organizations globally, causing significant disruption and financial losses

Motivation

Financial gain. Using double-extortion tactics, this group encrypts data and then threatens to leak sensitive information if ransoms are not paid.

Heritage

Appeared in 2024 after ALPHV (BlackCat) disappeared

Learn more about RansomHub from Group-IB’s research

Blog "RansomHub ransomware-as-a-service"

Blog "RansomHub Never Sleeps"

Ransom notes

Blog "Ransomware debris: an analysis of the RansomHub"

Podcast "RansomHub: From RaaS Kingpin to Cartel Mystery"

Victims

Primary target sectors are industrial manufacturing and healthcare. Over 200 organizations have been infiltrated (August 2024), with 74 victims reported in September alone. Notable victims include laptop maker Clevo.

What we know about RansomHub members

After launching its affiliate program in February 2024, RansomHub recruited former Scattered Spider group members (ex-Conti and REvil), offering Ransomware-as-a-Service (RaaS), enabling even low-skilled cybercriminals to launch sophisticated attacks. RansomHub presents itself as a group of helpful and professional consultants rather than cybercriminals, offering “valuable advice” on IT protection, post-payment.