BlackCat [offline]
The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.
RansomHub's representatives have been spotted recruiting affiliates on dark web forums, offering a fixed 10 percent fee and the option to collect ransom payments directly from victims before paying the core group.
RansomHub’s rapid rise to prominence can potentially be explained by links to BlackCat, an extremely prolific ransomware group that retired earlier this year after attacking the healthcare technology company Change Healthcare. It is suspected that RansomHub could contain former affiliates of the BlackCat ransomware group, especially as the group also listed Change Healthcare as a victim.
Its “affiliate-friendly” model could also be seen as a direct response to BlackCat’s retirement, where it is believed that the operators of the group perpetrated an “exit scam”, taking the entire ransom payment from Change Healthcare without properly compensating the affiliate responsible for the attack. Most of RansomHub’s victims are located in the United States.