Ransomware Group
RansomHub
Also known as: RansomHub Ransomware
Status: active • First seen 2024-02 • 200+ known victims
RansomHub is the new kid on the block, but they're growing fast. When BlackCat shut down, many of its hackers moved to RansomHub because it offers a better deal: affiliates keep 85% of the ransom. They've already hit hundreds of victims, including major companies, and seem to be taking over where other groups left off.
Overview
RansomHub is a rapidly growing ransomware-as-a-service operation that emerged in early 2024 and quickly became one of the most active groups. It attracted affiliates from defunct operations like ALPHV/BlackCat and offers an 85/15 profit split favoring affiliates, making it attractive to experienced operators.
Target Industries
Healthcare, Financial Services, Government, Critical Infrastructure, Technology, Manufacturing
How They Attack
- Exploiting known vulnerabilities (CVE-2020-1472, CVE-2023-3519)
- Phishing with credential harvesting
- Purchasing access from initial access brokers
- Exploiting VPN vulnerabilities
- Using compromised RDP credentials
Notable Victims
Change Healthcare (2024), Frontier Communications (2024), Christie's Auction House (2024), Multiple healthcare organizations
How to Protect Against RansomHub
1. Patch all known exploited vulnerabilities (check the CISA KEV catalog)
2. Update Citrix NetScaler if CVE-2023-3519 is not yet patched
3. Implement EDR with behavioral detection
4. Segment critical healthcare and financial systems
5. Review access broker forums for mentions of your organization
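Steps 1 and 2 above amount to cross-referencing your unpatched CVE list against the CISA KEV catalog and prioritizing the entries CISA flags as used in ransomware campaigns. The script below is an added example, not code from the page or from any vendor: it parses a catalog in the KEV JSON layout (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and reports, for each CVE you supply, whether it is in KEV, whether it carries the ransomware flag, and whether the federal remediation due date has already passed. The embedded catalog is a constructed sample in that layout; its dates, descriptions and the third placeholder entry are not real KEV data.

```python
"""Cross-reference CVEs against a CISA KEV-format catalog (added example).

The embedded catalog is a CONSTRUCTED sample that mirrors the field names of
the real KEV feed so the script runs offline; replace SAMPLE_KEV_JSON with the
downloaded feed to run it for real.
"""
import json
from datetime import date

# Constructed sample in the KEV JSON layout. Field names match the real feed;
# dates, names and the CVE-0000-0000 placeholder are illustrative only.
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "vulnerabilityName": "Netlogon privilege escalation (sample entry)",
     "dateAdded": "2021-01-01", "dueDate": "2021-02-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "vulnerabilityName": "NetScaler code injection (sample entry)",
     "dateAdded": "2023-07-01", "dueDate": "2023-08-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry with no ransomware flag",
     "dateAdded": "2024-01-01", "dueDate": "2024-02-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def load_kev(text):
    """Parse KEV JSON and index the entries by CVE ID."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def ransomware_cves(kev):
    """CVE IDs that CISA flags as used in ransomware campaigns, sorted."""
    return sorted(cve for cve, entry in kev.items()
                  if entry.get("knownRansomwareCampaignUse") == "Known")


def check_cves(kev, cves, today=None):
    """For each CVE (e.g. from a vulnerability scanner), report KEV membership,
    the ransomware flag and whether the KEV due date has already passed.
    `today` may be a date or an ISO string; defaults to the current date."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            findings.append({"cve": cve, "in_kev": False,
                             "ransomware": False, "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": cve,
            "in_kev": True,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": today > due,
            "product": f"{entry['vendorProject']} {entry['product']}",
            "action": entry["requiredAction"],
        })
    # Overdue, ransomware-flagged entries first: that is the patching order.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["cve"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    print("Ransomware-flagged in catalog:", ransomware_cves(catalog))
    # The two CVEs this profile names, plus one that is not in the catalog.
    for finding in check_cves(catalog, ["CVE-2099-0001", "CVE-2023-3519", "CVE-2020-1472"],
                              "2024-06-01"):
        print(finding)
```

Run against the real feed, the same `check_cves` call takes the CVE list exported from your scanner; anything that comes back `in_kev` and `overdue` with the ransomware flag set belongs at the top of the patch queue.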
MITRE ATT&CK Techniques