LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile RansomHub

RansomHub: Anatomy of the Dominant RaaS Affiliate Program

RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.

By Ransomware Tracker ·
RansomHubRaaSaffiliatedata extortionvictim statistics
Threat Level
8/10
Sectors Targeted
healthcare
government
finance
critical infrastructure
Ransomware Family
RansomHub

Overview

RansomHub emerged in February 2024 — almost simultaneously with the ALPHV/BlackCat exit scam that stranded hundreds of affiliates after the Change Healthcare attack. The timing was not coincidental. RansomHub’s initial affiliate recruitment messaging explicitly targeted displaced BlackCat affiliates, offering a 90/10 split (significantly above industry standard) and promising that the administrators would never pull an exit scam.

By Q3 2024, RansomHub had become the most prolific ransomware group by victim count. By 2025 it was posting an average of 35–50 new victims per month on its data leak site — a volume that suggests a large, active affiliate base and operational discipline unusual in this ecosystem.

Organisational Structure

Unlike older RaaS groups that maintained tight operational control, RansomHub is highly decentralised. The core team provides the encryptor toolset (cross-platform, with Windows, Linux, ESXi, and FreeBSD variants), a Tor-hosted victim communication platform with automated triage, the leak site for publishing victim data on non-payment, and an affiliate panel for tracking deployments, ransom status, and payouts.

Affiliates supply everything else: initial access, lateral movement, data staging, and deployment. This clean separation is intentional. The RansomHub core team maintains plausible distance from individual intrusions, and affiliates bear the bulk of operational security risk.

Affiliate Recruitment and Vetting

RansomHub operates an open but selective recruitment process on underground forums, primarily on RAMP (Russian Anonymous Marketplace Platform) and several Telegram channels accessible only by referral. Prospective affiliates must demonstrate access to at least one enterprise network, provide references from two existing affiliates or known threat actors, and complete a 0.5 BTC deposit that functions as identity collateral.

RansomHub explicitly prohibits attacks on healthcare organisations in Russia/CIS countries, government entities in Russia/CIS, and non-profit hospitals globally — mirroring policies adopted by other Russian-linked groups to manage political exposure. These prohibitions are enforced through affiliate agreements and are reportedly violated occasionally, generating disputes resolved through the group’s internal arbitration process.

Encryptor Capabilities

The RansomHub encryptor is widely assessed to incorporate code derived from the leaked ALPHV/BlackCat source. Key technical characteristics:

  • Cross-platform Rust implementation providing performance and portability
  • Intermittent encryption — encrypts configurable byte intervals rather than entire files, increasing throughput by 30–40% on large datasets
  • Safe mode reboot capability on Windows — can reboot victim machines into safe mode with networking to disable security tools before encryption
  • Network share enumeration via SMB scanning and mounted drive detection
  • Active Directory integration — some variants accept domain credentials to authenticate against AD and enumerate hosts for lateral spread

The ESXi variant uses the ESXi management API (when credentials are available) to gracefully shut down VMs before encrypting VMDK files, maximising the likelihood of clean encryption and minimising recovery options.

Victim Statistics: 2025–2026

Based on leak site postings, underground forum claims, and third-party intelligence, RansomHub’s victim profile for 2025–2026:

Volume: Approximately 480 confirmed victims posted to leak site in 2025; Q1 2026 pace suggests 550+ annually

Geographic distribution:

  • United States: 58%
  • European Union: 22%
  • Canada/Australia/UK: 11%
  • Rest of world: 9%

Sector breakdown:

  • Healthcare: 21% (hospitals, dental chains, healthcare IT vendors)
  • Government and education: 18%
  • Financial services: 16%
  • Manufacturing: 15%
  • Technology: 12%
  • Other: 18%

Ransom demand range: $500K–$20M initial ask; median settlement approximately $1.2M

Payment rate: Estimated 25–35% of victims pay (higher than industry average, attributed to aggressive negotiation tactics and strong data exfiltration leverage)

Targeting Methodology

RansomHub affiliates show consistent preferences in initial access vectors. Exploiting public-facing applications accounts for roughly 41% of cases (VPN appliances, web apps, Exchange), followed by valid account abuse at 32% (phishing, credential stuffing, purchased IAB access), phishing with payload at 18%, and supply chain or trusted relationship at 9%.

Median dwell time from initial access to ransomware deployment is 11 days. Notable outliers include a confirmed 47-day intrusion at a major healthcare system where the affiliate staged extensive data theft before triggering encryption.

Cobalt Strike remains the dominant post-exploitation framework, but Sliver C2 usage is growing among RansomHub affiliates — likely reflecting law enforcement focus on Cobalt Strike and the availability of open-source alternatives.

The ALPHV Connection

Substantial technical and operational evidence connects RansomHub to former ALPHV/BlackCat affiliates and potentially to ALPHV core developers: overlapping encryptor code structure and configuration formatting, shared infrastructure (IP addresses and ASNs observed in both ALPHV and RansomHub campaigns during the transition period), and affiliate forum handles associated with ALPHV operations appearing in RansomHub recruitment threads. The Change Healthcare affiliate — who received $22M in ALPHV payment before the exit scam — has been tentatively linked to subsequent RansomHub activity.

Whether RansomHub represents a direct rebranding or simply an opportunistic absorption of ALPHV talent remains debated among threat intelligence analysts.

Defensive Posture

RansomHub’s targeting of VPN appliances (particularly Citrix NetScaler, Fortinet FortiGate, and Pulse/Ivanti) makes perimeter patch management critical. Organisations should treat CVEs in these products as emergency-priority patches with 24-hour SLAs. MFA on VPN and remote access reduces the impact of valid account abuse, which accounts for nearly a third of observed initial access.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting