RansomHub

ransomhub · primary source: Other · first observed 2024

?? · UnknownRansomwareModerate confidencelast cited Aug 28, 2024 · 1.7y ago

Russian-speaking ransomware-as-a-service operation announced via RAMP forum on 2 February 2024 by a user 'koley', widely assessed as the primary destination for displaced ALPHV/BlackCat and LockBit affiliates after those operations were disrupted in early 2024. By end of 2024 RansomHub was the most-claiming ransomware brand on public leak-site tracking with 593+ victims. Codebase shares lineage with Knight ransomware. FBI/CISA/MS-ISAC/HHS joint advisory AA24-242A issued 29 August 2024.

Aliases

GreenbottleOtherCyclopsOther

Motivations

financial gain

Target sectors

healthcaremanufacturinggovernmentfinancialeducationcommunications

Target countries

USGBDEBRITCAAUESFR

Lineage & relationships

full graph →

Lineage of

ALPHV/BlackCat

Primary destination for displaced ALPHV/BlackCat affiliates

Lineage of

LockBit

Also absorbed LockBit affiliates post-Operation Cronos

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

RansomHub
Unknown
financial gain

Capability

Infrastructure

188.34.188.7

Victim

healthcare
manufacturing
government
US
GB
+1 more

MITRE ATT&CK techniques

T1486 T1490 T1567.002 T1133

Timeline

1 event

AdvisoryHigh2024-08-29·CISA
FBI/CISA/MS-ISAC/HHS joint advisory on RansomHub (AA24-242A)
FBI, CISA, MS-ISAC, and HHS released joint cybersecurity advisory AA24-242A disseminating RansomHub indicators of compromise and TTPs identified through FBI threat-response activities and third-party reporting through August 2024. The advisory followed RansomHub's emergence in February 2024 as the destination for displaced ALPHV/BlackCat and LockBit affiliates, by which point the brand had become the most prolific ransomware operation on public leak-site tracking.
ransomwarejoint-advisoryttps

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
Email	brahma2023[at]onionmail[.]org family · RansomHub RansomHub affiliate contact address listed in Table 5 of CISA AA24-242A (2023-2024).	Aug 28, 2024	CISA
IPv4	188[.]34[.]188[.]7 family · RansomHub RansomHub affiliate staging host serving second-stage payloads (NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe and helper DLLs under /555/) per Table 4 of CISA joint advisory AA24-242A.	Aug 28, 2024	CISA
SHA-256	02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292 family · RansomHub RansomHub Windows encryptor sample published in Symantec's August 2024 analysis tying the family back to its Knight / Cyclops origins. Sample uses Curve25519 with intermittent encryption as described in CISA AA24-242A.	Jul 31, 2024	Symantec

Related actors

shared ATT&CK techniques

RU · Russia8Base4 shared techniques
?? · UnknownAkira4 shared techniques
?? · UnknownHive4 shared techniques
?? · UnknownQilin4 shared techniques
?? · UnknownALPHV/BlackCat3 shared techniques
RU · RussiaDarkSide3 shared techniques

References

#StopRansomware: RansomHub Ransomware (AA24-242A)
CISA · 2024-08-29

cite this page

Threat Intel Tracker. (2026-05-19). RansomHub — actor profile. Retrieved from https://threatintel.local/actors/ransomhub

latest cited activity · 2024-08-29 · 3 cataloged indicators