Operator dossier

RansomHub is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1,032 public victims claimed by this operator between February 10, 2024 and March 31, 2025. RansomHub is a financially-motivated ransomware group that emerged in February 2024 and has rapidly established itself as a significant threat, compromising over 1,000 victims within its first year of operation. The group operates as a Ransomware-as-a-Service (RaaS) model, though their specific country of origin and potential affiliations with other cybercriminal organizations remain under investigation by security researchers. RansomHub employs double extortion tactics, stealing sensitive data before encrypting victims' systems and threatening to leak the information if ransom demands are not met, with their attacks primarily targeting organizations in the United States, Brazil, Canada, United Kingdom, and Italy. The group has demonstrated a particular focus on business services, technology, manufacturing, and healthcare sectors, suggesting they prioritize targets with both high revenue potential and critical operational dependencies that increase the likelihood of ransom payment. Despite their recent emergence, RansomHub has quickly gained notoriety for their aggressive targeting approach and high victim count, with security agencies including CISA and FBI monitoring their activities as part of ongoing ransomware threat assessments. As of current reporting, RansomHub remains active and continues to recruit affiliates for their RaaS operation while expanding their victim base across multiple industries and geographic regions.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

RansomHub

1,032 victims indexed · first seen 2 years ago · last activity 1 year ago

1,032

Victims indexed

#8 of 348 tracked operators

1y 1m

Active period

Feb 2024 → Mar 2025

Countries hit

top United States · 325

At a glance

Status: inactive
First seen: 2 years ago
Last activity: 1 year ago
Onion sites: 3 known endpoints
Primary sector: Business Services · 186 hits

About

RansomHub is a financially-motivated ransomware group that emerged in February 2024 and has rapidly established itself as a significant threat, compromising over 1,000 victims within its first year of operation. The group operates as a Ransomware-as-a-Service (RaaS) model, though their specific country of origin and potential affiliations with other cybercriminal organizations remain under investigation by security researchers. RansomHub employs double extortion tactics, stealing sensitive data before encrypting victims' systems and threatening to leak the information if ransom demands are not met, with their attacks primarily targeting organizations in the United States, Brazil, Canada, United Kingdom, and Italy. The group has demonstrated a particular focus on business services, technology, manufacturing, and healthcare sectors, suggesting they prioritize targets with both high revenue potential and critical operational dependencies that increase the likelihood of ransom payment. Despite their recent emergence, RansomHub has quickly gained notoriety for their aggressive targeting approach and high victim count, with security agencies including CISA and FBI monitoring their activities as part of ongoing ransomware threat assessments. As of current reporting, RansomHub remains active and continues to recruit affiliates for their RaaS operation while expanding their victim base across multiple industries and geographic regions.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/ransomhub

Timeline

14 months

2024-02-01T00:00:00+00:002025-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

325

🇧🇷 Brazil

🇨🇦 Canada

🇬🇧 United Kingdom

🇮🇹 Italy

🇩🇪 Germany

🇪🇸 Spain

🇦🇺 Australia

United States dossier →Brazil dossier →Canada dossier →United Kingdom dossier →

Top sectors

Business Services

186

Technology

124

Manufacturing

108

Healthcare

Not Found

Government

Agriculture and Food Production

Transportation/Logistics

Business Services dossier →Technology dossier →Manufacturing dossier →Healthcare dossier →

MITRE ATT&CK

7 techniques · 6 tactics

Tactics

Initial AccessExecutionDefense EvasionCredential AccessExfiltrationImpact

Techniques

T1190Exploit Public-Facing Application
T1566Phishing
T1059Command and Scripting Interpreter
T1562Impair Defenses
T1003OS Credential Dumping
T1486Data Encrypted for Impact
T1048Exfiltration Over Alternative Protocol

Indicators of compromise

CVEs exploited

CVE-2023-3519 CVE-2023-27997 CVE-2020-1472

Known tools

MimikatzPsExecCobalt StrikeNmapPowerShell Empire

Detection · YARA rules

1 rule

RansomHub_Ransomware
Detects RansomHub ransomware
source: CISA AA24-242A

Recent victims

Loading…

Onion infrastructure

3 known

http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion
http://ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion
http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.