Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
RansomHub appears to have gone inactive after its infrastructure reportedly went dark around April 1, 2025. Reporting indicates some affiliates shifted to other ransomware operations, including Qilin, while DragonForce claimed control of parts of the operation. This should be framed as reported activity, not fully confirmed ownership.
CVE-2020-1472
CVE-2021-42278
CVE-2023-27532
CVE-2022-24521
Ransomware-as-a-service
Double extortion
Data exfiltration
Data encrypted for impact
Impair defenses
Disable or modify tools
Command and scripting interpreter: PowerShell
Indicator removal
Masquerading
Remote encryption
Zerologon exploitation
Affiliate-led intrusions
RansomHub is ransomware written in Golang and obfuscated with Gobfuscate.
RansomHub has significant code overlap with Knight ransomware.
RansomHub is a ransomware-as-a-service offering with Windows, ESXi, Linux, and FreeBSD versions.
RansomHub has been in use since at least 2024 to target organizations in multiple sectors globally.
RansomHub operators may have purchased and rebranded resources from Knight, formerly Cyclops, ransomware.
Knight shares infrastructure, feature, and code overlaps with RansomHub.
RansomHub is also known as Spoiled Scorpius.
RansomHub is associated with CVE-2024-55591, CVE-2020-1472, CVE-2021-42278, CVE-2023-3519, CVE-2023-46604, CVE-2023-27532, and CVE-2022-24521.
RansomHub employs a double-extortion model, encrypting systems and exfiltrating data to extort victims.
RansomHub has targeted manufacturing, healthcare and wellness, retail, finance, and public administration.
RansomHub has impacted victims primarily in the United States, United Kingdom, Brazil, Italy, and Germany.
RansomHub has claimed 750 victims, including Community Health Northwest Florida, Musicians Institute, and Intels Nigeria.
RansomHub has been linked to attacks exploiting the Zerologon vulnerability for initial access.
RansomHub is known for techniques such as Impair Defenses: Disable or Modify Tools, Command and Scripting Interpreter: PowerShell, Data Encrypted for Impact, Indicator Removal, and Masquerading.
RansomHub has deployed a tool dubbed EDRKillShifter, which disables endpoint detection and response software.
RansomHub encryptors are reportedly based on Knight, also known as Cyclops, ransomware encryptors.
RansomHub uses a unique affiliate prepayment model.
RansomHub has attracted former affiliates of the ALPHV ransomware group.
RansomHub is one of the most prominent ransomware groups in the cybercriminal underground.
RansomHub has introduced technological innovations such as tools capable of remote encryption.
Patch known exploited vulnerabilities, especially remote access and public-facing systems
Monitor for EDR tampering and endpoint protection disablement
Restrict and monitor PowerShell usage
Enforce multifactor authentication for privileged and remote access
Monitor for Zerologon-style exploitation and suspicious domain controller activity
Maintain offline or immutable backups
Review exposure across Windows, Linux, ESXi, and FreeBSD environments
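The recommendations above are stated as goals; as an added example (not Bitsight's code and not part of any RansomHub tooling), the following Python script shows what a minimal log review for three of them could look like: it screens Windows event records for endpoint protection being stopped or disabled, for PowerShell launched with evasive flags, and for the computer-account password reset that follows Zerologon (CVE-2020-1472) exploitation of a domain controller. The event records are constructed sample data, the field names assume events already parsed to dictionaries, and the protected service names are assumptions that should be replaced with the EDR/AV services actually deployed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Assumed EDR/AV service names (Defender AV, Defender for Endpoint, Defender
# network inspection); substitute the services your fleet actually runs.
PROTECTED_SERVICES = {"windefend", "sense", "wdnissvc"}

# PowerShell switches commonly combined to hide or evade: flag a launch when
# two or more appear, or when an encoded command is used at all.
PS_BYPASS_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                   "-ep bypass", "-executionpolicy bypass", "-enc", "-encodedcommand")

# Constructed sample records. Event IDs are the standard Windows ones:
# 7036 service state change (System log), 5001 real-time protection disabled
# (Defender Operational log), 4688 process creation and 4742 computer account
# changed (Security log).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "WS01", "event_id": 7036, "service": "Sense", "state": "stopped",
     "user": "SYSTEM"},
    {"host": "WS01", "event_id": 5001, "user": "WS01\\jdoe"},
    {"host": "WS02", "event_id": 4688, "user": "CORP\\svc_backup",
     "command_line": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass "
                     "-EncodedCommand SQBFAFgA..."},
    {"host": "WS03", "event_id": 4688, "user": "CORP\\admin",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "DC01", "event_id": 4742, "subject_user": "ANONYMOUS LOGON",
     "target_account": "DC01$"},
]


def check_edr_tampering(ev: Dict) -> Optional[Finding]:
    """Monitor for EDR tampering and endpoint protection disablement."""
    if (ev.get("event_id") == 7036 and ev.get("state") == "stopped"
            and ev.get("service", "").lower() in PROTECTED_SERVICES):
        return Finding("edr-service-stopped", ev["host"],
                       f"service {ev['service']} stopped")
    if ev.get("event_id") == 5001:
        return Finding("realtime-protection-disabled", ev["host"],
                       f"disabled by {ev.get('user')}")
    return None


def check_powershell(ev: Dict) -> Optional[Finding]:
    """Restrict and monitor PowerShell usage: flag evasive launch flags."""
    if ev.get("event_id") != 4688:
        return None
    cmd = ev.get("command_line", "").lower()
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmd):
        return None
    hits = [flag for flag in PS_BYPASS_FLAGS if flag in cmd]
    if len(hits) >= 2 or "-enc" in hits:
        return Finding("powershell-evasive-flags", ev["host"],
                       f"{ev.get('user')}: {', '.join(hits)}")
    return None


def check_zerologon_indicator(ev: Dict) -> Optional[Finding]:
    """Monitor for Zerologon-style exploitation: a computer account (name ends
    in '$') whose password was changed by ANONYMOUS LOGON is the classic
    artefact left on a domain controller after CVE-2020-1472 abuse."""
    if (ev.get("event_id") == 4742
            and ev.get("subject_user", "").upper() == "ANONYMOUS LOGON"
            and ev.get("target_account", "").endswith("$")):
        return Finding("dc-account-reset-anonymous", ev["host"],
                       f"target {ev['target_account']}")
    return None


def review(events: List[Dict]) -> List[Finding]:
    """Run every check over every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for check in (check_edr_tampering, check_powershell, check_zerologon_indicator):
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The benign inventory script on WS03 passes through untouched while the hidden, encoded launch on WS02 is flagged; in practice each rule would be tuned against a baseline of your own administrative tooling before alerting on it.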