RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said.
The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure.
"RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," government agencies said.
The RaaS operation, a descendant of Cyclops and Knight, has drawn high-profile affiliates away from LockBit and ALPHV (aka BlackCat) following a recent wave of law enforcement actions against those groups.
ZeroFox, in an analysis published late last month, said RansomHub's activity as a proportion of all ransomware activity observed by the cybersecurity vendor is on an upward trajectory, accounting for approximately 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3.
"Approximately 34% of RansomHub attacks have targeted organizations in Europe, compared to 25% across the threat landscape," the company noted.
The group employs the double extortion model, exfiltrating data before encrypting systems, and urges victims to contact the operators via a unique .onion URL. Targeted companies that refuse to pay the ransom have their information published on the group's data leak site, with the deadline set anywhere between three and 90 days.
Initial access to victim environments is typically gained by exploiting known vulnerabilities in internet-facing products, including Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788), among others.
Affiliates then conduct reconnaissance and network scanning with tools such as AngryIPScanner and Nmap, alongside living-off-the-land (LotL) techniques that rely on utilities already present on the host. RansomHub attacks also involve disabling antivirus software with custom tools to evade detection.
"Following initial access, RansomHub affiliates created user accounts for persistence, re-enabled disabled accounts, and used Mimikatz on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM," the U.S. government advisory reads.
"Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, or other widely used command-and-control (C2) methods."
Another notable aspect of RansomHub attacks is the use of intermittent encryption, which encrypts only portions of each file to speed up the process. Data exfiltration has been observed through tools and channels such as PuTTY, Amazon S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
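Intermittent encryption matters to defenders because a file in which only every other chunk is encrypted does not reach the whole-file entropy that simple "looks encrypted" heuristics expect. The following is an added example, not code from the advisory or from any RansomHub sample: it constructs an in-memory document, replaces alternating 4 KiB chunks with random bytes to stand in for ciphertext, and shows that per-chunk entropy exposes the alternating pattern even when whole-file entropy stays below threshold. The chunk size, the 7.5 bits/byte threshold and the transition count are assumptions, not values taken from any real strain.

```python
"""Chunk-wise entropy check for intermittently encrypted files.

Added example, not from the advisory or any RansomHub sample. The chunk
size, entropy threshold and transition threshold are assumptions.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # assumed chunk size; real strains choose their own
HIGH_ENTROPY = 7.5    # bits/byte; assumed threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk of the input."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def intermittent_pattern_score(data: bytes, chunk: int = CHUNK,
                               threshold: float = HIGH_ENTROPY):
    """Return (fraction_high, transitions).

    fraction_high: share of chunks at or above the entropy threshold.
    transitions:   how often consecutive chunks flip between high and low.
    Plaintext scores (~0, few); fully encrypted (~1, few);
    intermittently encrypted (~0.5, many).
    """
    flags = [e >= threshold for e in chunk_entropies(data, chunk)]
    if not flags:
        return 0.0, 0
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return sum(flags) / len(flags), transitions


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK,
                                   threshold: float = HIGH_ENTROPY,
                                   min_transitions: int = 4) -> bool:
    """Flag a mixed high/low entropy layout with many flips between chunks."""
    frac, trans = intermittent_pattern_score(data, chunk, threshold)
    return 0.2 <= frac <= 0.8 and trans >= min_transitions


def make_plaintext(n_chunks: int) -> bytes:
    """Constructed low-entropy 'document': a repeated English sentence."""
    line = b"Quarterly report: revenue, expenses, headcount and forecast.\n"
    return (line * (n_chunks * CHUNK // len(line) + 1))[: n_chunks * CHUNK]


def make_fully_encrypted(n_chunks: int) -> bytes:
    """Random bytes standing in for a file encrypted end to end."""
    return os.urandom(n_chunks * CHUNK)


def simulate_intermittent(plain: bytes, chunk: int = CHUNK) -> bytes:
    """Replace every other chunk with random bytes (stand-in for ciphertext)."""
    out = bytearray(plain)
    for i in range(0, len(out), 2 * chunk):
        out[i:i + chunk] = os.urandom(min(chunk, len(out) - i))
    return bytes(out)


if __name__ == "__main__":
    plain = make_plaintext(16)
    mixed = simulate_intermittent(plain)
    print("plaintext   whole-file entropy: %.2f" % shannon_entropy(plain))
    print("intermittent whole-file entropy: %.2f" % shannon_entropy(mixed))
    print("intermittent chunk score:", intermittent_pattern_score(mixed))
    print("flagged:", looks_intermittently_encrypted(mixed))
```

The whole-file entropy of the mixed file stays under the threshold because half of the bytes still come from a small alphabet, which is why a single entropy measurement per file misses this technique; a rolling per-chunk measurement is what a file-monitoring or canary-file control should use.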
The development comes as Palo Alto Networks Unit 42 unpacked the tactics of the ShinyHunters extortion group, which it tracks as Bling Libra, highlighting its shift toward extorting victims directly rather than its traditional tactic of selling or publishing stolen data. The threat actor first came to light in 2020.
"The group acquires legitimate credentials, sourced from public repositories, to gain initial access to an organization's Amazon Web Services (AWS) environment," security researchers Margaret Zimmermann and Chandni Vaya said.
"While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization's AWS environment and conducted reconnaissance operations. The threat actor group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access S3 objects and delete data."
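The intrusion Unit 42 describes leaves a recognizable trail in CloudTrail: a single principal enumerates buckets and their configuration, reads objects, and then deletes them, all within a short window. The following is an added example, not Unit 42's or AWS's code, that applies that sequence as a detection rule over constructed CloudTrail records. The S3 event names are real CloudTrail names; the records, account ID, IP addresses, key IDs and user agents below are constructed, and the six-hour window is an assumption.

```python
"""Flag recon-then-delete S3 activity by one principal in CloudTrail.

Added example; not Unit 42's or AWS's code. Records, IPs, key IDs and
user agents are constructed; the time window is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RECON_EVENTS = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy",
                "GetBucketLocation", "GetBucketVersioning",
                "ListObjects", "ListObjectsV2"}
READ_EVENTS = {"GetObject"}
DESTROY_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
WINDOW = timedelta(hours=6)  # assumed: recon and deletion within one session

# Constructed records, one JSON object per line (not from any real trail).
SAMPLE_LOG = """
{"eventTime":"2024-08-01T02:10:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
{"eventTime":"2024-08-01T02:12:00Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
{"eventTime":"2024-08-01T02:15:00Z","eventSource":"s3.amazonaws.com","eventName":"ListObjectsV2","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
{"eventTime":"2024-08-01T02:20:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
{"eventTime":"2024-08-01T03:05:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
{"eventTime":"2024-08-01T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/backup-svc/job1"},"sourceIPAddress":"10.0.4.7","userAgent":"constructed-backup/2.0"}
{"eventTime":"2024-08-01T09:01:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/backup-svc/job1"},"sourceIPAddress":"10.0.4.7","userAgent":"constructed-backup/2.0"}
{"eventTime":"2024-08-01T09:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.10","userAgent":"constructed-ua/1.0"}
"""


def load_records(text: str) -> list:
    """Parse one JSON record per line (a raw trail file nests them under 'Records')."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(rec: dict) -> str:
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("accessKeyId") or "unknown"


def find_s3_recon_then_delete(records: list, window: timedelta = WINDOW) -> list:
    """Return one finding per principal that enumerated S3 and then deleted
    objects within `window` of its first reconnaissance call.
    A deletion with no preceding enumeration (e.g. a backup job) is not flagged."""
    by_principal = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        by_principal[principal_of(r)].append(
            (parse_time(r["eventTime"]), r["eventName"],
             r.get("sourceIPAddress"), r.get("userAgent")))
    findings = []
    for principal, events in by_principal.items():
        events.sort()
        recon = [t for t, n, _, _ in events if n in RECON_EVENTS]
        reads = [t for t, n, _, _ in events if n in READ_EVENTS]
        deletes = [t for t, n, _, _ in events if n in DESTROY_EVENTS]
        if not recon or not deletes:
            continue
        first_recon = recon[0]
        in_window = [t for t in deletes if first_recon <= t <= first_recon + window]
        if not in_window:
            continue
        findings.append({
            "principal": principal,
            "first_recon": first_recon.isoformat(),
            "first_delete": in_window[0].isoformat(),
            "recon_events": len(recon),
            "reads": len(reads),
            "deletes": len(in_window),
            "source_ips": sorted({ip for _, _, ip, _ in events if ip}),
            "user_agents": sorted({ua for _, _, _, ua in events if ua}),
        })
    return findings


if __name__ == "__main__":
    for f in find_s3_recon_then_delete(load_records(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

In practice the same rule runs against CloudTrail Lake or Athena output with the constructed log replaced by a query window, and the source IP and user agent in each finding are what an analyst then compares against the organization's known CI and tooling, since leaked long-lived IAM user keys, as in the Bling Libra case, are most often used from infrastructure the victim has never seen before.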
It also follows a significant evolution in ransomware attacks, which have moved beyond file encryption to employ complex, multi-faceted extortion strategies, even employing triple and quadruple extortion schemes, per SOCRadar.
"Triple extortion ups the ante, threatening additional means of disruption beyond encryption and exfiltration," the company said.
"This might involve conducting a DDoS attack against the victim's systems or extending direct threats to the victim's clients, suppliers, or other associates to wreak further operational and reputational damage on those ultimately targeted in the extortion scheme."
Quadruple extortion goes a step further, with attackers contacting third parties that have business relationships with the victim and extorting them directly, or threatening to expose those third parties' data to heap further pressure on the victim to pay up.
The lucrative nature of RaaS models has fueled a surge in new ransomware variants like Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has also led Iranian nation-state actors to collaborate with known groups like NoEscape, RansomHouse, and BlackCat in return for a cut of the illicit proceeds.