Skip to main content

Operator dossier

Ransomhouse (also tracked as RANSOM HOUSE) is a ransomware operator currently active on public leak sites. Darkfield has indexed 210 public victims claimed by this operator between June 1, 2021 and June 29, 2026. Ransomhouse is a ransomware group that emerged in June 2021, operating primarily for financial gain through extortion campaigns targeting organizations across multiple sectors globally. The group's origin and specific affiliations remain unclear based on publicly available intelligence, though their operational patterns suggest they function as an independent cybercriminal organization rather than a traditional ransomware-as-a-service model. Ransomhouse employs double extortion tactics, stealing sensitive data before deploying their ransomware payload and threatening to publish the information on their leak site if victims refuse to pay the demanded ransom. The group has demonstrated a broad targeting approach, with documented attacks against 187 victims primarily concentrated in the United States, China, United Kingdom, Italy, and Spain, focusing heavily on healthcare, technology, business services, and manufacturing sectors. While specific high-profile campaigns have not been extensively documented by major security firms, the group's consistent victim count and geographic distribution indicate sustained operational capability since their emergence. As of current reporting, Ransomhouse remains active with no known major law enforcement disruptions or confirmed rebranding efforts.

Most-targeted sectors

Most-affected countries

Recent disclosures by Ransomhouse

Most recent 150 of 210 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Ransomhouse

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Ransomhouse

aka RANSOM HOUSE · 210 victims indexed · first seen 5 years ago · last activity 16 days ago

210
Victims indexed
#38 of 364 tracked operators
5y 0m
Active period
Jun 2021 → Jun 2026
30
Countries hit
top United States · 59

At a glance

Status
active
Aliases
RANSOM HOUSE
First seen
5 years ago
Last activity
16 days ago
Onion sites
4 known endpoints
Primary sector
Not Found · 27 hits

About

Ransomhouse is a ransomware group that emerged in June 2021, operating primarily for financial gain through extortion campaigns targeting organizations across multiple sectors globally. The group's origin and specific affiliations remain unclear based on publicly available intelligence, though their operational patterns suggest they function as an independent cybercriminal organization rather than a traditional ransomware-as-a-service model. Ransomhouse employs double extortion tactics, stealing sensitive data before deploying their ransomware payload and threatening to publish the information on their leak site if victims refuse to pay the demanded ransom. The group has demonstrated a broad targeting approach, with documented attacks against 187 victims primarily concentrated in the United States, China, United Kingdom, Italy, and Spain, focusing heavily on healthcare, technology, business services, and manufacturing sectors. While specific high-profile campaigns have not been extensively documented by major security firms, the group's consistent victim count and geographic distribution indicate sustained operational capability since their emergence. As of current reporting, Ransomhouse remains active with no known major law enforcement disruptions or confirmed rebranding efforts.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-06-01T00:00:00+00:00 · 32024-07-01T00:00:00+00:00 · 112024-08-01T00:00:00+00:00 · 22024-09-01T00:00:00+00:00 · 12024-10-01T00:00:00+00:00 · 52024-11-01T00:00:00+00:00 · 52024-12-01T00:00:00+00:00 · 12025-01-01T00:00:00+00:00 · 12025-02-01T00:00:00+00:00 · 32025-03-01T00:00:00+00:00 · 32025-04-01T00:00:00+00:00 · 42025-05-01T00:00:00+00:00 · 52025-06-01T00:00:00+00:00 · 22025-08-01T00:00:00+00:00 · 32025-09-01T00:00:00+00:00 · 12025-10-01T00:00:00+00:00 · 92025-11-01T00:00:00+00:00 · 142025-12-01T00:00:00+00:00 · 102026-01-01T00:00:00+00:00 · 72026-02-01T00:00:00+00:00 · 62026-03-01T00:00:00+00:00 · 42026-04-01T00:00:00+00:00 · 62026-05-01T00:00:00+00:00 · 82026-06-01T00:00:00+00:00 · 4
2024-06-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
59
🇨🇳 China
14
🇬🇧 United Kingdom
14
🇪🇸 Spain
9
🇮🇹 Italy
8
🇯🇵 Japan
6
🇨🇦 Canada
5
🇩🇪 Germany
5

Top sectors

Healthcare
23
Manufacturing
22
Business Services
19
Technology
19
Public Sector
11
Financial Services
8
Government
6
Energy
6

MITRE ATT&CK

8 techniques · 6 tactics

Tactics

Initial AccessExecutionDefense EvasionCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1204User Execution
  • T1027Obfuscated Files or Information
  • T1560Archive Collected Data
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

4 known
  • http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion
  • http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion/
  • http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion
  • http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion/a

Source

Updated 16 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Ransomhouse posts a victim.

Add Ransomhouse to your watchlist — Pro pings you within 5 minutes of any new Ransomhouse leak-site post, Telegram callout, or affiliate-rebrand inference.