RansomHub Never Sleeps Episode 1: The evolution of modern ransomware www.group-ib.com/blog/rans…

RansomHub emerged in early February 2024 as a Ransomware-as-a-Service (RaaS) offering, coinciding with the closure of ALPHV’s operations. ALPHV shut down its infrastructure following the significant fallout from a disruptive attack on Change Healthcare.

During ongoing law enforcement actions targeting the ALPHV and LockBit ransomware groups, RansomHub strategically launched its partnership program. This effort was analyzed by Group-IB in August 2024, as noted earlier in this blog.

Group-IB’s Threat Intelligence and Digital Forensics and Incident Response (DFIR) teams found that RansomHub capitalized on the void left by its disrupted competitors, focusing on recruiting affiliates from the now-defunct LockBit and ALPHV groups. The group actively sought new members through direct messaging and posts on underground forums like RAMP, XSS, and Exploit.in.
