RansomHub Ransomware: Attack Chain, IOCs, and Incident Response Guide

RansomHub emerged in early 2024 and rapidly became one of the most active ransomware operations globally. By late 2024, multiple threat intelligence vendors ranked RansomHub as one of the highest-volume extortion groups worldwide.
Organizations assessing their exposure should review their ransomware readiness posture before an incident occurs.
What is RansomHub ransomware?
RansomHub is a ransomware-as-a-service (RaaS) operation first observed in February 2024. Security researchers widely believe it was built using code from the defunct Knight (Cyclops) ransomware, though whether the same operators are involved remains disputed across sources.
The group combines file encryption with data theft and threatens to leak data on a Tor-based leak site, a model known as double extortion.
RansomHub recruited displaced affiliates from LockBit, ALPHV/BlackCat, and Knight following law enforcement pressure on those operations. This positioning allowed it to scale quickly using an experienced affiliate base that already understood enterprise intrusion tradecraft.
How the RansomHub RaaS model works
RansomHub operators provide affiliates with payload builders, negotiation portals, leak site infrastructure, and encryption tooling. Affiliates conduct the intrusions themselves. Some threat intelligence reports suggest that affiliates retain around 90% of each ransom payment, though this figure has not been universally confirmed.
This structure creates important forensic implications. The affiliate deploying the ransomware is often not the same actor who built or maintains the infrastructure. In many RansomHub incidents, initial access was purchased from a broker who had compromised the environment days or weeks before encryption began.
Who RansomHub targets
RansomHub targets organizations across healthcare, government, manufacturing, financial services, education, and critical infrastructure, including utilities, logistics, and telecommunications. Most publicly listed victims are located in North America and Western Europe, with additional victims reported across Latin America and Asia-Pacific.
Leak-site claims should be treated cautiously. Public posting does not always equal confirmed compromise, and victim counts vary across trackers depending on timing and methodology.
How a RansomHub attack unfolds
RansomHub intrusions are human-operated and deliberate. Each phase builds on the last, and the detection window narrows as the operation progresses.
Phase 1: Initial access
No single initial access vector dominates across reported RansomHub incidents. Affiliates use phishing, credential theft, exposed RDP, exploitation of unpatched perimeter devices, and purchased access. Stolen credentials sourced from underground markets and credential stealers are a consistent method across incidents.
Phase 2: Privilege escalation
After establishing a foothold, operators dump credentials from LSASS memory using tools such as Mimikatz and LaZagne. Token theft and domain privilege escalation follow. Harvested credentials enable escalation toward domain-level access, often before any security alert is triggered.
Phase 3: Discovery
Operators enumerate domain controllers, file shares, backup systems, hypervisors, and security tooling. Targeting backup infrastructure during this stage is deliberate rather than opportunistic.
Phase 4: Defense evasion
Some RansomHub affiliates have deployed EDRKillShifter, a utility that disables endpoint security tools by abusing vulnerable kernel drivers, a technique known as Bring Your Own Vulnerable Driver (BYOVD).
EDRKillShifter terminates EDR processes, disables antivirus engines, and removes security monitoring before encryption begins.
Not all RansomHub affiliates use EDRKillShifter.
Phase 5: Lateral movement
Affiliates move through the environment using SMB, PsExec, RDP, and WMI, protocols and tools that blend in with legitimate administrative activity. Batch scripts are also observed in lateral movement workflows.
Phase 6: Data exfiltration
Before encryption, affiliates exfiltrate sensitive data including databases, financial records, legal documents, customer records, and medical information. Exfiltration methods include cloud sync tools such as Rclone, FTP (File Transfer Protocol), and archive staging in ZIP, 7z, or RAR formats before transfer.
Phase 7: Encryption
RansomHub encrypts workstations, servers, virtual machines, NAS devices, and backup repositories. The malware uses a hybrid encryption model combining Curve25519 and AES with per-file key generation.
Because the encryption is implemented using strong modern cryptography, successful encryption leaves little room for direct cryptographic recovery. Once this stage is complete, restoration typically depends on clean backups, unaffected snapshots, or a working decryptor obtained through negotiation.
Phase 8: Extortion and negotiation
Victims receive a ransom note directing them to a Tor-based negotiation portal with a countdown timer. RansomHub applies aggressive pressure through sample data releases, public shaming on its leak site, and escalating leak threats. Demands range from tens of thousands to millions of dollars, depending on the victim's size. Discounts for rapid payment are a common negotiation tactic.
Because RansomHub infrastructure rotates quickly and affiliates customize tooling, static indicators become unreliable. Detection teams should prioritize behavioral signals over file hashes or domains.
Indicators of compromise
Static IOCs in RaaS operations age quickly. Affiliates customize builds, and infrastructure rotates rapidly. Behavioral indicators are more operationally durable and should form the foundation of detection logic.
File and encryption indicators
Encrypted file extensions vary by affiliate and campaign. Some incidents have been associated with the .RansomHub extension, but randomized and campaign-specific extensions are also reported.
Ransom note filenames vary across affiliates. Documented names include README.txt, HOW_TO_DECRYPT.txt, and RESTORE_FILES.txt, among others.

Command-line IOCs
The following commands are associated with RansomHub pre-encryption activity and should trigger immediate escalation if observed:
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled no
These commands destroy Volume Shadow Copies, backup catalogs, and system recovery options before encryption begins.
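As an added illustration (not from the original article and not Proven Data's tooling), the following Python sketch normalizes constructed process-creation records and flags the three recovery-inhibiting commands above, tagging each hit with ATT&CK T1490. The key=value record format, hostnames and account names are assumptions.

```python
import re

# Recovery-inhibition commands from the article, each mapped to ATT&CK T1490
# (Inhibit System Recovery). Patterns run against a normalized command line
# (lower-cased, whitespace collapsed), so an explicit .exe suffix, a full
# path or odd casing is still caught.
RECOVERY_INHIBIT_PATTERNS = [
    (r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", "vssadmin shadow copy deletion"),
    (r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", "wbadmin backup catalog deletion"),
    (r"\bbcdedit(\.exe)?\s+.*\brecoveryenabled\s+no\b", "bcdedit recovery disabled"),
]

# Constructed sample process-creation records in an assumed key=value form
# (not real logs). Only the first, third and fourth should alert.
SAMPLE_EVENTS = [
    "host=FS01 user=CORP\\svc_backup cmd=C:\\Windows\\System32\\vssadmin.exe  Delete Shadows /All /Quiet",
    "host=WS14 user=CORP\\jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
    "host=DC01 user=CORP\\admin cmd=wbadmin delete catalog -quiet",
    "host=FS01 user=CORP\\svc_backup cmd=bcdedit /set {default} recoveryenabled No",
    "host=WS14 user=CORP\\jdoe cmd=vssadmin list shadows",
]

def parse_event(line):
    """Split one record into (host, user, command line); None if malformed."""
    m = re.match(r"host=(\S+) user=(\S+) cmd=(.*)$", line)
    return m.groups() if m else None

def normalize(cmd):
    """Lower-case and collapse whitespace so spacing tricks do not evade matching."""
    return " ".join(cmd.lower().split())

def detect(lines):
    """Return (host, user, description, technique) for each record whose
    command line matches a recovery-inhibition pattern."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, user, cmd = parsed
        norm = normalize(cmd)
        for pattern, description in RECOVERY_INHIBIT_PATTERNS:
            if re.search(pattern, norm):
                alerts.append((host, user, description, "T1490"))
                break  # one alert per record is enough to escalate
    return alerts
```

Note that `vssadmin list shadows` is deliberately left unflagged: enumeration alone is common in legitimate administration, whereas deletion is the escalation trigger named above.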
Tool-based indicators
Associated tooling includes EDRKillShifter, Mimikatz, LaZagne, Rclone, PsExec, and PowerShell scripts.
The MITRE software identifier for RansomHub is S1212.
Early warning signs of RansomHub activity
Because RansomHub affiliates frequently customize payloads and rotate infrastructure, static indicators such as file hashes or IP addresses often become obsolete quickly. Security teams should prioritize behavioral anomalies that may signal an intrusion before encryption begins.
One of the earliest warning signs is unusual access to backup infrastructure. Affiliates commonly enumerate backup servers, hypervisors, and snapshot repositories during the discovery phase to identify recovery mechanisms they can later disable or destroy. Unexpected administrative logins to backup consoles, sudden permission changes, or backup catalog access outside normal maintenance windows should trigger investigation.
Mass authentication failures can also indicate credential-stuffing activity or lateral movement attempts. Repeated failed logins across VPN, RDP, privileged service accounts, or domain administrator accounts may suggest that attackers are testing stolen credentials or attempting privilege escalation within the environment.
Large outbound data transfers, particularly to cloud storage platforms or unfamiliar external hosts, may indicate active exfiltration. Monitoring for spikes in outbound traffic or sustained encrypted transfers outside business hours can help identify double-extortion activity before ransomware deployment occurs.
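An added example, not part of the original article: a sliding-window detector over constructed failed-logon records that flags the two patterns described above, one account failing repeatedly and one source failing against many accounts. The thresholds, the record layout, and the sample account names and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records as (timestamp, account, source), time-ordered.
# The first five simulate one account being hammered; the next four simulate one
# source trying several service accounts; the last two are ordinary user typos.
SAMPLE_FAILURES = [
    ("2024-09-03T02:14:01", "CORP\\backupadmin", "10.8.4.22"),
    ("2024-09-03T02:14:03", "CORP\\backupadmin", "10.8.4.22"),
    ("2024-09-03T02:14:06", "CORP\\backupadmin", "10.8.4.22"),
    ("2024-09-03T02:14:09", "CORP\\backupadmin", "10.8.4.22"),
    ("2024-09-03T02:14:12", "CORP\\backupadmin", "10.8.4.22"),
    ("2024-09-03T02:30:00", "CORP\\svc_vpn", "10.8.4.22"),
    ("2024-09-03T02:30:01", "CORP\\svc_sql", "10.8.4.22"),
    ("2024-09-03T02:30:02", "CORP\\svc_hyperv", "10.8.4.22"),
    ("2024-09-03T02:30:03", "CORP\\svc_veeam", "10.8.4.22"),
    ("2024-09-03T09:15:00", "CORP\\jdoe", "10.8.7.91"),
    ("2024-09-03T09:15:30", "CORP\\jdoe", "10.8.7.91"),
]

def detect_auth_bursts(records, window_s=300, per_account=5, spray_accounts=4):
    """Sliding-window detector. Emits ("burst", account, source) when one
    account fails >= per_account times inside window_s seconds, and
    ("spray", source, "") when one source fails against >= spray_accounts
    distinct accounts inside the window. Thresholds are illustrative."""
    window = timedelta(seconds=window_s)
    by_account = defaultdict(deque)  # account -> recent failure timestamps
    by_source = defaultdict(deque)   # source  -> recent (timestamp, account)
    alerts = set()
    for ts_str, account, source in records:
        ts = datetime.fromisoformat(ts_str)
        q = by_account[account]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= per_account:
            alerts.add(("burst", account, source))
        s = by_source[source]
        s.append((ts, account))
        while ts - s[0][0] > window:
            s.popleft()
        if len({acct for _, acct in s}) >= spray_accounts:
            alerts.add(("spray", source, ""))
    return sorted(alerts)
```

In practice the account-level threshold should be far tighter for privileged, backup and service accounts than for ordinary users, since those are the accounts the discovery phase above goes looking for.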
MITRE ATT&CK mapping
The following MITRE ATT&CK techniques appear most consistently across documented RansomHub intrusions.
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing | T1566 |
| Initial Access | Valid Accounts | T1078 |
| Execution | PowerShell | T1059.001 |
| Credential Access | OS Credential Dumping (LSASS) | T1003 |
| Defense Evasion | Impair Defenses | T1562 |
| Lateral Movement | SMB/Windows Admin Shares | T1021.002 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Impact | Data Encrypted for Impact | T1486 |
| Impact | Inhibit System Recovery | T1490 |
What to do if RansomHub is active in your environment
If RansomHub activity is detected, evidence preservation takes priority over restoration. Acting without a clear sequence compresses recovery options and destroys forensic material needed for insurance claims and regulatory compliance.
Immediate containment
Isolate affected servers and endpoints from the network immediately, but do not power them off. Network isolation stops further lateral movement without destroying volatile memory that may contain decryption material or attacker tooling. Disconnect backup infrastructure from the enterprise network before it is targeted. Disable compromised accounts at the directory level.
Evidence preservation
Preserve ransomware evidence before any remediation begins. Capture volatile memory on live systems, image disks from infected endpoints, and export authentication logs, including VPN, RDP, and directory records, before retention windows expire.
Magdy Abdelaziz notes that ransomware encryption is often only the visible end of a much longer intrusion. Initial access may have occurred weeks earlier through stolen credentials or exposed remote services, making historical logs essential for identifying the original compromise and preventing reinfection.
Recovery sequencing
Validate backup integrity before beginning restoration. Verify that backup sets were not accessed, encrypted, or deleted during the intrusion. Rebuild high-risk systems from verified clean images where possible. Maintain active monitoring throughout the recovery window and well beyond it.
As Abdelaziz explains, ransomware deployment often represents the final stage of a much longer intrusion. From a forensic standpoint, this means responders must investigate both the original intrusion and the subsequent ransomware deployment. Limiting analysis to the encryption event can leave the underlying entry point unresolved, increasing the risk of reinfection.
Can files encrypted by RansomHub be recovered?
No public decryptor currently exists for files encrypted by RansomHub. The ransomware uses strong cryptography, and no significant implementation flaws have been publicly disclosed.
Recovery typically depends on one of three paths:
- restoring from offline backups created before the intrusion
- restoring snapshots or replicas that attackers did not reach
- obtaining a functional decryptor through negotiation
If none of these paths are available, full file recovery becomes significantly less likely.
Security checklist
The following controls map directly to RansomHub's observed attack patterns:
- Enforce phishing-resistant MFA on all remote access points including VPN, RDP, and administrative portals. Stolen credentials are a primary vector for RansomHub access.
- Remove direct internet-facing RDP. Route all remote access through MFA-enforced gateways with conditional access controls.
- Maintain an accelerated patch cycle for perimeter devices. VPN appliances and firewalls are consistent initial access targets in RansomHub-affiliated incidents.
- Enable EDR tamper protection and restrict kernel-driver loads. EDRKillShifter abuses vulnerable signed drivers. Approved-list driver controls limit this attack surface.
- Alert on shadow copy deletion and recovery-disabling commands. The vssadmin, wbadmin, and bcdedit commands listed above should trigger immediate escalation.
- Maintain offline, immutable backups with tested restore procedures. Backup catalogs and agents are explicitly targeted during Phase 3 discovery and later destroyed before encryption.
- Isolate backup infrastructure on dedicated network segments with credentials that do not authenticate against the primary domain.
- Retain and centralize logs from endpoints, VPN, IdP, and directory services before an incident occurs. Initial access broker (IAB) activity predates affiliate deployment and is only recoverable if logs were collected in advance.
- Develop an IR playbook that accounts for a split intrusion timeline. The initial access and the ransomware deployment may be separated by days or weeks and attributed to different actors.
If your organization has detected RansomHub activity or needs to assess readiness against this threat, Proven Data's ransomware recovery and incident response teams are available around the clock.
Written by
Magdy Abdelaziz is a dedicated cybersecurity professional with over 6 years of extensive experience in digital forensics, incident response, reverse engineering, and security operations. He currently serves as Head of Digital Forensics and Incident Response (DFIR) at Proven Data LLC, leading a multinational team to develop and execute incident response strategies, align security initiatives with business objectives, and manage global-scale incidents.