Threat Actor Profile

RansomHub

Aliases
  • Spoiled Scorpius
Origin
Russia
Active Since
2024-01-01
Motivation
Financial gain, Extortion
Cause
Cybercriminal
Recent Activity

RansomHub appears to have gone inactive after its infrastructure reportedly went dark around April 1, 2025. Reporting indicates some affiliates shifted to other ransomware operations, including Qilin, while DragonForce claimed control of parts of the operation. This should be framed as reported activity, not fully confirmed ownership.

Primary Targets
  • Manufacturing organizations
  • Healthcare organizations
  • Retail organizations
  • Finance organizations
  • Public administration organizations
Target Locations
  • United States
  • United Kingdom
  • Brazil
  • Italy
  • Germany
Target Sectors
  • Manufacturing
  • Healthcare
  • Retail
  • Finance
  • Public Administration
Vulnerabilities
  • CVE-2020-1472
  • CVE-2021-42278
  • CVE-2023-27532
  • CVE-2022-24521
Techniques
  • Ransomware-as-a-service
  • Double extortion
  • Data exfiltration
  • Data encrypted for impact
  • Impair defenses
  • Disable or modify tools
  • Command and scripting interpreter: PowerShell
  • Indicator removal
  • Masquerading
  • Remote encryption
  • Zerologon exploitation
  • Affiliate-led intrusions
Malware Tools
  • Golang ransomware
  • Gobfuscate obfuscation
  • EDRKillShifter
  • Knight ransomware overlap
  • Cyclops ransomware overlap
Bitsight Contextualized Intelligence
  • RansomHub is ransomware written in Golang and obfuscated with Gobfuscate.
  • RansomHub has significant code overlap with Knight ransomware.
  • RansomHub is a ransomware-as-a-service offering with Windows, ESXi, Linux, and FreeBSD versions.
  • RansomHub has been in use since at least 2024 to target organizations in multiple sectors globally.
  • RansomHub operators may have purchased and rebranded resources from Knight, formerly Cyclops, ransomware.
  • Knight shares infrastructure, feature, and code overlaps with RansomHub.
  • RansomHub is also known as Spoiled Scorpius.
  • RansomHub is associated with CVE-2024-55591, CVE-2020-1472, CVE-2021-42278, CVE-2023-3519, CVE-2023-46604, CVE-2023-27532, and CVE-2022-24521.
  • RansomHub employs a double-extortion model, encrypting systems and exfiltrating data to extort victims.
  • RansomHub has targeted manufacturing, healthcare and wellness, retail, finance, and public administration.
  • RansomHub has impacted victims primarily in the United States, United Kingdom, Brazil, Italy, and Germany.
  • RansomHub has claimed 750 victims, including Community Health Northwest Florida, Musicians Institute, and Intels Nigeria.
  • RansomHub has been linked to attacks exploiting the Zerologon vulnerability for initial access.
  • RansomHub is known for techniques such as Impair Defenses: Disable or Modify Tools, Command and Scripting Interpreter: PowerShell, Data Encrypted for Impact, Indicator Removal, and Masquerading.
  • RansomHub has deployed a tool dubbed EDRKillShifter, which disables endpoint detection and response software.
  • RansomHub encryptors are reportedly based on Knight, also known as Cyclops, ransomware encryptors.
  • RansomHub uses a unique affiliate prepayment model.
  • RansomHub has attracted former affiliates of the ALPHV ransomware group.
  • RansomHub is one of the top ransomware groups on the underground.
  • RansomHub has introduced technological innovations such as tools capable of remote encryption.

Defensive Takeaways
  • Patch known exploited vulnerabilities, especially on remote access and public-facing systems
  • Monitor for EDR tampering and endpoint protection disablement
  • Restrict and monitor PowerShell usage
  • Enforce multifactor authentication for privileged and remote access
  • Monitor for Zerologon-style exploitation and suspicious domain controller activity
  • Maintain offline or immutable backups
  • Review exposure across Windows, Linux, ESXi, and FreeBSD environments

How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.