RansomHub

Active Since: February 2024
Total Victims as of July 2024: 173
Known Forum Aliases: koley
Active Forum Accounts: RAMP
Target Geographies: US, Brazil, Italy

Despite only emerging in February 2024, RansomHub has quickly become one of the most active RaaS operations we track.

Its representatives have been spotted recruiting affiliates on dark web forums, offering a fixed 10 percent fee and the option to collect ransom payments directly from victims before paying the core group.

RansomHub’s rapid rise to prominence can potentially be explained by links to BlackCat, an extremely prolific ransomware group that retired earlier this year after attacking the healthcare technology company Change Healthcare. It is suspected that RansomHub could contain former BlackCat affiliates, especially as RansomHub also listed Change Healthcare as a victim.

Its “affiliate-friendly” model could also be seen as a direct response to BlackCat’s retirement, in which the group’s operators are believed to have perpetrated an “exit scam”, taking the entire ransom payment from Change Healthcare without properly compensating the affiliate responsible for the attack.

Most of RansomHub’s victims are located in the United States.