RansomHub emerged in early 2024 as a ransomware-as-a-service (RaaS) operation that quickly became one of the most active extortion brands tracked by Western cybersecurity agencies. Under the RaaS model, the core developers maintain the encryptor and data-leak site while recruiting independent "affiliates" who carry out intrusions in exchange for a share of ransom payments — RansomHub reportedly offered affiliates an unusually generous cut (around 90%), which helped it attract operators from disrupted rivals such as ALPHV/BlackCat and LockBit.
In August 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services issued a joint Cybersecurity Advisory (#StopRansomware: RansomHub) detailing the group's tactics, techniques, and procedures. The advisory noted that affiliates had encrypted and exfiltrated data from at least 210 victims across critical infrastructure sectors including water and wastewater, healthcare, government services, financial services, and critical manufacturing.
RansomHub typically uses double extortion: victims are pressured both by file encryption and by the threat of publishing stolen data on a Tor-based leak site. Initial access has been linked to phishing, exploitation of known vulnerabilities (including Citrix and Fortinet products), and password spraying. The malware is written largely in Go and Rust and runs on Windows, Linux, and ESXi systems.
For policy researchers, RansomHub illustrates several recurring themes in cyber governance debates:
- The affiliate model complicates attribution and sanctions, since the brand and the operators are distinct.
- It feeds ongoing arguments at the UN Open-Ended Working Group on ICT security and the Counter Ransomware Initiative (a U.S.-led coalition launched in 2021) about whether to ban ransom payments outright.
- High-profile victims attributed to RansomHub affiliates include Change Healthcare (2024) and Rite Aid (2024), underscoring spillover effects on healthcare access and consumer data.
Activity associated with the brand reportedly declined in early 2025 amid infrastructure disruptions and affiliate migration to successor groups.
Example
In February 2024, a RansomHub affiliate claimed responsibility for publishing data stolen from Change Healthcare after the company's earlier payment to ALPHV/BlackCat, illustrating the affiliate-driven nature of the brand.
Frequently asked questions
The core developers are unattributed but widely assessed by Western analysts to be Russian-speaking. Day-to-day intrusions are carried out by independent affiliates, several of whom reportedly migrated from ALPHV/BlackCat and LockBit after those groups were disrupted.
Keep learning