BIPI

RansomHub: Profile of 2025's Most Prolific Ransomware Affiliate Operation

Threat Intelligence

RansomHub emerged in early 2024 and dominated ransomware statistics through 2025, displacing LockBit following law enforcement disruption. A deep profile of its affiliate model, TTPs, targeting patterns, and IOCs.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 11, 2025 · 12 min read

#ransomware #ransomhub #raas #threat-actor #iocs

RansomHub launched in February 2024 and within twelve months had become the most active ransomware operation by victim count, eclipsing LockBit 3.0 following the Cronos law enforcement takedown in February 2024. By Q2 2025, RansomHub was responsible for approximately 22% of all publicly observed ransomware victims globally, according to tracking by GuidePoint Research and Mandiant.

The group operates a classic ransomware-as-a-service model with some notable structural differences from earlier operations. Affiliates retain 90% of ransoms paid — one of the most favourable splits in the RaaS ecosystem — while the core team handles malware development, leak site infrastructure, and negotiation support. This aggressive compensation model attracted experienced affiliates displaced from disrupted operations including LockBit, ALPHV/BlackCat, and Scattered Spider.

  • 22%: Share of publicly observed ransomware victims attributed to RansomHub in Q2 2025
  • 90/10: Affiliate revenue split — among the most favourable in the RaaS ecosystem
  • 500+: Confirmed victims listed on RansomHub's Tor leak site by end of Q1 2025

Initial Access TTPs

RansomHub affiliates are not monolithic in their initial access methods — the RaaS model means different affiliates bring different specialisations. The CISA and FBI joint advisory AA24-242A from August 2024 documented the most common observed techniques: exploitation of known vulnerabilities in internet-facing systems, phishing for VPN credentials, and purchase of access from initial access brokers.

  • Citrix NetScaler CVE-2023-4966 (Citrix Bleed): session token hijacking without credentials — heavily exploited through 2025
  • Fortinet SSL VPN credential harvesting via CVE-2023-27997 and unpatched older variants
  • Apache ActiveMQ CVE-2023-46604: unauthenticated RCE used for initial shell in manufacturing and logistics targets
  • VPN credential spray using credential dumps from stealer log markets
  • Microsoft Exchange ProxyShell variants in legacy environments observed through Q1 2025

Post-Compromise Behaviour

Post-compromise behaviour follows a pattern consistent with the ALPHV/BlackCat lineage. Initial enumeration uses tools including ADRecon, BloodHound CE, and SharpHound for Active Directory mapping. Lateral movement primarily uses living-off-the-land techniques: WMI remote execution, PsExec, and legitimate RMM tools. Credential harvesting targets LSASS via ProcDump or direct NTDS.dit extraction from domain controllers.

  • Cobalt Strike Beacon or Brute Ratel as primary C2 framework with frequently rotating beacon profiles
  • ALPHV-derived EDR killer component targeting driver-level termination of AV/EDR processes
  • Atera, AnyDesk, or TeamViewer installed for persistent remote access alongside C2
  • NTDS.dit extracted via ntdsutil or VSS shadow copy combined with SYSTEM hive for offline cracking
  • Data staged in encrypted ZIP archives uploaded via rclone to Mega.io or attacker-controlled cloud storage before encryption
  • Multi-platform encryptor supporting Windows, Linux/ESXi, and NAS devices deployed in final phase

Targeting Patterns and Sector Focus

RansomHub publicly states it does not target hospitals, nuclear facilities, or government entities in CIS countries. In practice, the group's affiliates have breached healthcare entities, critical infrastructure, and government contractors. Documented targets include water utilities, oil and gas pipeline operators, legal firms, and financial services companies. Average ransom demand observed by Mandiant is $3.2 million, with actual payments averaging approximately $700,000.

Key IOCs and Detection

  • Encryptor binary drops ransom note as README.txt in encrypted directories with RansomHub mutex
  • Rclone config files in %APPDATA% targeting Mega.io with attacker account credentials
  • EDR killer driver: known variants targeting Palo Alto Cortex, SentinelOne, and CrowdStrike Falcon driver handles
  • ADRecon.ps1 execution from temp directories; SharpHound.exe from C:\ProgramData paths
  • NTDS.dit volume shadow copy activity: vssadmin create shadow and ntdsutil snapshot commands
  • C2 communication to .onion proxied through residential proxies; Cobalt Strike HTTPS beacon on port 443 with malleable profile mimicking Microsoft CDN

RansomHub's success is structural rather than technical. A 90% affiliate payout attracted the best operators from disrupted operations. The defence is not catching the encryptor — it is detecting the 72 hours of hands-on-keyboard activity that precedes it.
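The host-level indicators above (ADRecon from temp, SharpHound from ProgramData, vssadmin/ntdsutil shadow and snapshot activity, rclone to Mega) are all visible in process-creation telemetry, and the point of the closing paragraph is that they arrive as a chain over the dwell window rather than as one alert. The following is an added example written for this article, not BIPI tooling or any vendor rule set: it runs regex detections over constructed Sysmon-style process events and escalates only when more than one stage of the chain is seen. Field names, rule names and the sample command lines are assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str      # full path of the created process (Sysmon EID 1 "Image")
    cmdline: str    # its command line (Sysmon EID 1 "CommandLine")

# (rule name, kill-chain stage, regex on image path, regex on command line or None)
RULES = [
    ("adrecon_from_temp", "enumeration", r"(?i)\\powershell(\.exe)?$", r"(?i)(\\temp\\|%temp%)[^ ]*adrecon\.ps1"),
    ("sharphound_programdata", "enumeration", r"(?i)^c:\\programdata\\.*sharphound\.exe$", None),
    ("vssadmin_create_shadow", "credential_access", r"(?i)\\vssadmin(\.exe)?$", r"(?i)\bcreate\s+shadow\b"),
    ("ntdsutil_snapshot", "credential_access", r"(?i)\\ntdsutil(\.exe)?$", r"(?i)\bsnapshot\b"),
    ("procdump_lsass", "credential_access", r"(?i)\\procdump(64)?(\.exe)?$", r"(?i)\blsass\b"),
    ("rclone_to_mega", "exfiltration", r"(?i)\\rclone(\.exe)?$", r"(?i)\bmega\b|\\appdata\\[^ ]*rclone\.conf"),
]

def detect(events):
    """Match every event against every rule; returns [(rule, stage, cmdline)]."""
    hits = []
    for ev in events:
        for name, stage, img_re, cmd_re in RULES:
            if re.search(img_re, ev.image) and (cmd_re is None or re.search(cmd_re, ev.cmdline)):
                hits.append((name, stage, ev.cmdline))
    return hits

def triage(events):
    """One vssadmin call is routine backup noise; enumeration plus credential
    access plus staging inside the same window is the hands-on-keyboard phase."""
    stages = sorted({stage for _, stage, _ in detect(events)})
    level = "high" if len(stages) >= 2 else ("low" if stages else "none")
    return level, stages

# Constructed sample events for this example, not from a real incident.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\ADRecon.ps1"),
    ProcEvent(r"C:\ProgramData\SharpHound.exe", r"SharpHound.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"vssadmin create shadow /for=C:"),
    ProcEvent(r"C:\Windows\System32\ntdsutil.exe", r"ntdsutil snapshot create quit"),
    ProcEvent(r"C:\Users\jdoe\AppData\Roaming\rclone.exe",
              r"rclone.exe copy D:\finance mega:stage --config C:\Users\jdoe\AppData\Roaming\rclone\rclone.conf"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),  # benign, must not fire
]

if __name__ == "__main__":
    for rule, stage, cmd in detect(SAMPLE_EVENTS):
        print(f"[{stage}] {rule}: {cmd}")
    print(triage(SAMPLE_EVENTS))
```

Pointing `detect()` at real EID 1 events only requires mapping `Image` and `CommandLine` into `ProcEvent`; the stage-count logic is what keeps a lone `vssadmin create shadow` from a backup job out of the high-severity queue.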

  • $3.2M: Average RansomHub ransom demand observed by Mandiant in 2025
  • 72 hrs: Median dwell time from initial access to encryption deployment in RansomHub incidents
  • Citrix Bleed: Single most exploited initial access vector in RansomHub affiliate campaigns through 2025
