Skip to main content

Operator dossier

RansomHub (also tracked as RANSOM HUB) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1,032 public victims claimed by this operator between February 10, 2024 and March 31, 2025. RansomHub is a financially-motivated ransomware group that emerged in February 2024 and has rapidly established itself as a significant threat, compromising over 1,000 victims within its first year of operation. The group operates as a Ransomware-as-a-Service (RaaS) model, though their specific country of origin and potential affiliations with other cybercriminal organizations remain under investigation by security researchers. RansomHub employs double extortion tactics, stealing sensitive data before encrypting victims' systems and threatening to leak the information if ransom demands are not met, with their attacks primarily targeting organizations in the United States, Brazil, Canada, United Kingdom, and Italy. The group has demonstrated a particular focus on business services, technology, manufacturing, and healthcare sectors, suggesting they prioritize targets with both high revenue potential and critical operational dependencies that increase the likelihood of ransom payment. Despite their recent emergence, RansomHub has quickly gained notoriety for their aggressive targeting approach and high victim count, with security agencies including CISA and FBI monitoring their activities as part of ongoing ransomware threat assessments. As of current reporting, RansomHub remains active and continues to recruit affiliates for their RaaS operation while expanding their victim base across multiple industries and geographic regions.

Most-targeted sectors

Most-affected countries

Recent disclosures by RansomHub

Most recent 150 of 1,032 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for RansomHub

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

RansomHub

aka RANSOM HUB · 1,032 victims indexed · first seen 2 years ago · last activity 1 year ago

1,032
Victims indexed
#11 of 364 tracked operators
1y 1m
Active period
Feb 2024 → Mar 2025
30
Countries hit
top United States · 430

At a glance

Status
inactive
Aliases
RANSOM HUB
First seen
2 years ago
Last activity
1 year ago
Onion sites
4 known endpoints
Primary sector
Business Services · 203 hits

About

RansomHub is a financially-motivated ransomware group that emerged in February 2024 and has rapidly established itself as a significant threat, compromising over 1,000 victims within its first year of operation. The group operates as a Ransomware-as-a-Service (RaaS) model, though their specific country of origin and potential affiliations with other cybercriminal organizations remain under investigation by security researchers. RansomHub employs double extortion tactics, stealing sensitive data before encrypting victims' systems and threatening to leak the information if ransom demands are not met, with their attacks primarily targeting organizations in the United States, Brazil, Canada, United Kingdom, and Italy. The group has demonstrated a particular focus on business services, technology, manufacturing, and healthcare sectors, suggesting they prioritize targets with both high revenue potential and critical operational dependencies that increase the likelihood of ransom payment. Despite their recent emergence, RansomHub has quickly gained notoriety for their aggressive targeting approach and high victim count, with security agencies including CISA and FBI monitoring their activities as part of ongoing ransomware threat assessments. As of current reporting, RansomHub remains active and continues to recruit affiliates for their RaaS operation while expanding their victim base across multiple industries and geographic regions.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

14 months
2024-02-01T00:00:00+00:00 · 92024-03-01T00:00:00+00:00 · 362024-04-01T00:00:00+00:00 · 472024-05-01T00:00:00+00:00 · 432024-06-01T00:00:00+00:00 · 1682024-07-01T00:00:00+00:00 · 862024-08-01T00:00:00+00:00 · 832024-09-01T00:00:00+00:00 · 782024-10-01T00:00:00+00:00 · 862024-11-01T00:00:00+00:00 · 1002024-12-01T00:00:00+00:00 · 592025-01-01T00:00:00+00:00 · 442025-02-01T00:00:00+00:00 · 1032025-03-01T00:00:00+00:00 · 90
2024-02-01T00:00:00+00:002025-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
430
🇬🇧 United Kingdom
52
🇧🇷 Brazil
49
🇮🇹 Italy
47
🇨🇦 Canada
36
🇩🇪 Germany
27
🇪🇸 Spain
25
🇦🇺 Australia
23

Top sectors

Business Services
203
Technology
164
Manufacturing
119
Healthcare
93
Government
55
Transportation/Logistics
39
Agriculture and Food Production
39
Education
32

MITRE ATT&CK

7 techniques · 6 tactics

Tactics

Initial AccessExecutionDefense EvasionCredential AccessExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1562Impair Defenses
  • T1003OS Credential Dumping
  • T1486Data Encrypted for Impact
  • T1048Exfiltration Over Alternative Protocol

Indicators of compromise

Known tools

MimikatzPsExecCobalt StrikeNmapPowerShell Empire

Detection · YARA rules

1 rule
  • RansomHub_Ransomware

    Detects RansomHub ransomware

    source: CISA AA24-242A

Recent victims

Loading…

Onion infrastructure

4 known
  • http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion
  • http://ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion
  • http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion
  • http://ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion/blog

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time RansomHub posts a victim.

Add RansomHub to your watchlist — Pro pings you within 5 minutes of any new RansomHub leak-site post, Telegram callout, or affiliate-rebrand inference.