Dark Web Profile: RansomHub – SOCRadar® Cyber Intelligence Inc.

RansomHub is a newly emerged ransomware group operating as a ransomware-as-a-service (RaaS) with an affiliate model and a policy aimed at rewarding partners, including a 90/10 revenue split and a decryptor promise under certain conditions. Their victimology spans healthcare and other sectors, with connections to ALPHV and a notable targeting of Change Healthcare, suggesting possible rebranding or collaboration dynamics. Hashtags: #RansomHub #ALPHV #ChangeHealthcare #YKP #Kovra #UnitedHealthCare #GhostSec #GhostLocker

Keypoints

  • RansomHub launched in February 2024; the victim counts reported in the article differ by source (18 victims claimed, 17 claims, and 14 victims listed on the leak site at the time of writing).
  • The group positions itself as a RaaS operation with affiliates, enforcing agreements and banning noncompliant members; affiliates receive 90% of proceeds.
  • RansomHub recruits from the Russian-populated RAMP forum and claims its strains are rewritten in Golang for ESXi environments.
  • Victims are diverse in country and sector, including healthcare, with Change Healthcare highlighted as a former ALPHV-related target.
  • There is discussion about potential ties to ALPHV or a rebranding, with implications for leadership dynamics in the ransomware ecosystem.
  • Mitigation guidance emphasizes overall ransomware defenses: backups, training, patching, segmentation, access control, email/web security, endpoint protection, IR planning, and regular audits.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Encryption of victim data for extortion is the operation’s core impact technique. The article states: ‘The group’s chosen ransomware is evidently capable of encrypting data before exfiltration.’
  • [T1041] Exfiltration Over C2 Channel – Data theft is implied by the same sentence, but the article does not describe the exfiltration channel, so this mapping is generic (T1041 covers exfiltration over the existing C2 channel; T1048, Exfiltration Over Alternative Protocol, would apply if a separate channel were identified). The article’s ordering (encrypt, then exfiltrate) is reproduced as written; double-extortion operations more commonly exfiltrate before encrypting, so treat the sequence as unconfirmed.
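
Because the article names no RansomHub-specific extension, ransom-note filename or hash, the T1486 mapping above can only be turned into detection by keying on behaviour rather than indicators. The following is an added example (not SOCRadar’s, RansomHub’s or any vendor’s code) of a mass-encryption heuristic run over a constructed file-event log from an ESXi-style host: it flags any process that renames many files to one new extension within a short window. The log format, the `/vmfs/volumes` paths, the process names `vmx`, `backup` and `locker`, and the `WINDOW`/`THRESHOLD` values are all assumptions chosen for illustration.

```python
"""Heuristic detection of mass file encryption (MITRE T1486) from file-event logs.

Added example for this profile; it is not SOCRadar's, RansomHub's or any
vendor's code. The article names no RansomHub extension, ransom-note filename
or hash, so the detector keys on behaviour that any encryptor exhibits: one
process renaming many files to a single new extension within a short window.
The log format, host paths (ESXi-style /vmfs/volumes), process names, window
and threshold below are all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed sample log, one event per line:
#   <ISO timestamp> <pid> <process> <action> <path>[ -> <new path>]
SAMPLE_LOG = """
2024-03-01T10:00:00 1201 vmx WRITE /vmfs/volumes/ds1/vm1/vm1-flat.vmdk
2024-03-01T10:00:05 1340 backup RENAME /vmfs/volumes/ds1/vm2/vm2.vmdk -> /vmfs/volumes/ds1/vm2/vm2.vmdk.bak
2024-03-01T10:03:00 1340 backup RENAME /vmfs/volumes/ds1/vm3/vm3.vmdk -> /vmfs/volumes/ds1/vm3/vm3.vmdk.bak
2024-03-01T10:06:00 1340 backup RENAME /vmfs/volumes/ds1/vm4/vm4.vmdk -> /vmfs/volumes/ds1/vm4/vm4.vmdk.bak
2024-03-01T10:10:00 2207 locker RENAME /vmfs/volumes/ds1/vm1/vm1.vmx -> /vmfs/volumes/ds1/vm1/vm1.vmx.lckd
2024-03-01T10:10:01 2207 locker RENAME /vmfs/volumes/ds1/vm1/vm1.vmdk -> /vmfs/volumes/ds1/vm1/vm1.vmdk.lckd
2024-03-01T10:10:02 2207 locker RENAME /vmfs/volumes/ds1/vm1/vm1-flat.vmdk -> /vmfs/volumes/ds1/vm1/vm1-flat.vmdk.lckd
2024-03-01T10:10:04 2207 locker RENAME /vmfs/volumes/ds1/vm2/vm2.vmx -> /vmfs/volumes/ds1/vm2/vm2.vmx.lckd
2024-03-01T10:10:05 2207 locker RENAME /vmfs/volumes/ds1/vm2/vm2.vmdk -> /vmfs/volumes/ds1/vm2/vm2.vmdk.lckd
2024-03-01T10:10:07 2207 locker RENAME /vmfs/volumes/ds1/vm2/vm2.nvram -> /vmfs/volumes/ds1/vm2/vm2.nvram.lckd
"""

WINDOW = timedelta(seconds=60)  # assumption: tune to the host's normal rename rate
THRESHOLD = 5                   # assumption: renames to one new extension within WINDOW


def parse_line(line):
    """Parse one constructed log line into a dict; dst is None unless RENAME."""
    parts = line.split()
    event = {
        "ts": datetime.fromisoformat(parts[0]),
        "pid": int(parts[1]),
        "proc": parts[2],
        "action": parts[3],
        "src": parts[4],
        "dst": None,
    }
    if event["action"] == "RENAME":
        event["dst"] = parts[6]  # parts[5] is the '->' separator
    return event


def new_extension(event):
    """Return the extension a RENAME added or changed, or None if unchanged."""
    if event["action"] != "RENAME":
        return None
    old_ext = posixpath.splitext(event["src"])[1]
    new_ext = posixpath.splitext(event["dst"])[1]
    return new_ext if new_ext and new_ext != old_ext else None


def detect_mass_encryption(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag processes that rename >= threshold files to one new extension within window.

    Returns a list of alert dicts, one per offending (pid, process).
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])

    renames = defaultdict(list)  # (pid, proc) -> [(ts, new_ext), ...] in time order
    for ev in events:
        ext = new_extension(ev)
        if ext:
            renames[(ev["pid"], ev["proc"])].append((ev["ts"], ext))

    alerts = []
    for (pid, proc), items in renames.items():
        best = []   # largest run of renames to one extension that fits in the window
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len({ext for _, ext in span}) == 1 and len(span) > len(best):
                best = span
        if len(best) >= threshold:
            alerts.append({
                "pid": pid, "proc": proc, "count": len(best),
                "ext": best[0][1], "first": best[0][0], "last": best[-1][0],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} proc={a['proc']} renamed {a['count']} files to "
              f"'{a['ext']}' between {a['first']} and {a['last']}")
```

On the sample, the `backup` process renames three files to `.bak` but spread over six minutes, so it never reaches the threshold inside one window, while `locker` renames six files to `.lckd` in seven seconds and is flagged. The heuristic deliberately ignores the extension string itself, which is why it needs no indicator from the article; its blind spots are encryptors that overwrite files in place without renaming them, or that rename to varying extensions, so pair it with write-rate and entropy checks rather than relying on it alone.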

Indicators of Compromise

  • [IOC Type] None named – No explicit IOCs (IPs, domains, file hashes, or filenames) are mentioned in the article.

Read more: https://socradar.io/dark-web-profile-ransomhub/