
Threat Actor Characterization

RansomHub


ID: 400cac598c390f6f5f478ca7b58adcd891597
Crimeware Ransomware
Threat types: Ransomware, RaaS, Double-Extortion
Russia
Updated: 2026-03-14
Created: 2026-02-23
Progress: 75% Completeness: 77% Freshness: 70%
Aliases: Ransomhub Group
MITRE ATT&CK®

RansomHub is a Ransomware-as-a-Service (RaaS) operation active since early 2024, enabling affiliates to conduct double-extortion intrusions that combine data theft and encryption; reporting highlights defense-evasion steps (including anti-EDR tooling) and enterprise-scale lateral movement prior to impact.


Technique Technique name Tactics Evidence
T1562.001 Disable or Modify Tools TA0005
  • 2024-09-20 — Reporting describes defense evasion focused on disabling/terminating endpoint protections (anti-EDR behavior) as part of the RansomHub chain. · ref
T1068 Exploitation for Privilege Escalation TA0004
  • 2024-09-20 — Reporting notes exploitation of Zerologon (CVE-2020-1472) within the attack chain, consistent with privilege escalation via exploitation. · ref
T1070.001 Clear Windows Event Logs TA0005
  • 2025-01-29 — Casework lists commands clearing Windows event logs using wevtutil across multiple channels (security/system/application). · ref
T1490 Inhibit System Recovery TA0040
  • 2025-01-29 — Casework lists shadow copy removal via CIM/WMI (Win32_ShadowCopy | Remove-CimInstance) and other pre-impact actions to inhibit recovery. · ref
T1021.002 SMB/Windows Admin Shares TA0008
  • 2025-01-29 — Casework describes rollout via SMB and remote execution tooling (e.g., PsExec) consistent with lateral movement over SMB/Windows Admin Shares. · ref
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol TA0010
  • 2025-01-29 — Casework describes data exfiltration over SFTP using FileZilla to an external IP prior to encryption (double-extortion staging). · ref
T1486 Data Encrypted for Impact TA0040
  • 2024-12-20 — Public profiling describes RansomHub as a ransomware operation conducting encryption for impact as part of double extortion. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2025-01-29 — Casework indicates compromised VPN users and use of compromised privileged accounts to move laterally and deploy ransomware. · ref
T1583.001 Domains TA0042
  • 2024-10-02 — DNS-focused reporting highlights newly registered domains associated with RansomHub-linked IOCs used for blocking recommendations. · ref
T1105 Ingress Tool Transfer TA0011
  • 2025-01-29 — INFERENCE (confidence: medium): The observed tool staging (e.g., TFTP utility placement) and remote tooling imply ingress tool transfer into the environment prior to deployment. · ref
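As an added defender-side example (not from this profile or the vendor reporting it cites), the following Python matches constructed process-creation events against the wevtutil log-clearing and Win32_ShadowCopy removal commands named in the evidence column above, and flags any account that shows both pre-impact behaviours; the regex patterns, host names and user names are assumptions, not vendor signatures or casework data.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real casework data.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": r"CORP\svc_backup", "cmdline": "wevtutil cl Security"},
    {"host": "WS-0412", "user": r"CORP\svc_backup", "cmdline": "wevtutil.exe cl Application"},
    {"host": "WS-0412", "user": r"CORP\svc_backup", "cmdline": "wevtutil qe Security /c:5"},  # benign query
    {"host": "SRV-FS01", "user": r"CORP\svc_backup",
     "cmdline": 'powershell -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"'},
    {"host": "SRV-FS01", "user": r"CORP\jdoe", "cmdline": "vssadmin list shadows"},  # benign listing
]

# Detection rules keyed to the ATT&CK IDs in the profile. The patterns are assumptions
# derived from the commands named in the evidence column, not vendor signatures.
RULES = [
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S", re.I)),
    ("T1490", re.compile(r"Win32_ShadowCopy.*Remove-CimInstance|vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]


def match_events(events):
    """Return one hit per (technique, event) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for tid, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"technique": tid, **ev})
    return hits


def pre_impact_accounts(hits):
    """Accounts that combine log clearing (T1070.001) with recovery inhibition (T1490),
    the pre-impact pairing the casework describes. Returns user -> sorted technique IDs."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], set()).add(h["technique"])
    return {u: sorted(t) for u, t in by_user.items() if {"T1070.001", "T1490"} <= t}


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["technique"]} {h["host"]} {h["user"]}: {h["cmdline"]}')
    print("Pre-impact chain candidates:", pre_impact_accounts(found))
```

The benign `wevtutil qe` and `vssadmin list` events do not fire, so the per-account correlation only escalates when a single principal both clears logs and removes shadow copies.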
Strategic Intelligence
Last updated: 2026-02-25T01:36:28+00:00

RansomHub — RaaS ransomware operation (affiliate ecosystem)

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cyber — Ransomware-as-a-Service (RaaS) / Double-extortion — Origin: likely Russian-speaking ecosystem (INFERENCE, confidence: medium)

Author: iQBlack CTI Team



Executive Summary

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged publicly in early 2024 and rapidly scaled through an affiliate program model. Public reporting and casework consistently describe a double-extortion workflow: affiliates obtain initial access, conduct internal discovery and credential access, exfiltrate sensitive data, and then deploy encryption at scale while threatening public release via a dedicated leak site.

RansomHub is frequently described as having lineage overlap with the earlier “Knight” ransomware family, with multiple vendors assessing strong code similarity and evolution rather than a wholly new codebase. This matters operationally because lineage often implies reuse of deployment conventions, configuration structures, and encryption implementation choices that remain stable across rebrands.

A defining operational theme across reporting is "defense evasion as a first-class objective." Multiple sources describe anti-EDR and endpoint tampering, including the use of an "EDR killer" tool commonly referred to as EDRKillShifter, alongside commodity post-exploitation tooling and living-off-the-land (LOLBIN) execution. This creates a predictable defensive posture requirement: visibility and response controls must be resilient against driver/process termination and policy tampering, not only against the final ransomware binary.

Executive Analyst Brief for CISO

RansomHub — Executive Analyst Brief (CISO / Decision Makers)

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Hunting Playbook

Hunting Playbook — RansomHub


IOC Appendix
Last updated: 2026-02-25T01:39:24+00:00

IOC Appendix (TLP:WHITE) — RansomHub


OSINT Library
Last saved: 2026-02-25T01:39:36+00:00

OSINT Library — RansomHub


2024-06-05 — Symantec (Broadcom) — "RansomHub: New Ransomware has Origins in Older Knight"

Social Media & Communication