Ransomware debris: an analysis of the RansomHub operation www.group-ib.com/blog/rans…
This blog post aims to provide a deep dive into the RansomHub partnership program, including its recruitment procedures, its extortion and negotiation tactics, and an overview of the web platform used by its affiliates.
Since its emergence in February 2024, criminals collaborating with RansomHub have claimed responsibility for a significant number of attacks, causing disruption and financial damages to affected companies. Following a possible acquisition of the web application and ransomware source code of Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene, thanks to the dynamic features of its multi-platform encryptor and an aggressive, affiliate-friendly model offering substantial financial incentives. This approach successfully attracted former members of groups such as Lockbit and ALPHV, who at the time were under increasing pressure from law enforcement investigations.
This lucrative compensation model, based on a low 10% fee (far below the ransomware industry standard of 20-30%), combined with the stress caused by intensified law enforcement actions, has enticed experienced cybercriminals, including members of the Scattered Spider and Evil Corp groups, to collaborate with RansomHub’s operation, improving its capabilities, the effectiveness of its attacks and, consequently, the group’s income.
[A]lthough it is not clear yet what exactly caused the significant increase in Qilin’s disclosures in the last 3 months, there is a chance that criminals have moved from RansomHub to Qilin. In addition to the increase in disclosures and the recent news advertised by Qilin on the RAMP forum right after the RansomHub operation went down, we observed that Qilin’s operation has been reorganized with new staff in the support team as well as in the administration of the group.