april 2024

Out of the Shadows: News Surfaces of an Emerging Ransomware Group

RansomHub is a new ransomware group that emerged around February 2024. It has quickly gained attention in the cybersecurity community due to its unique approach and operations. A Ransomware-as-a-Service (RaaS) operation, RansomHub is offering its software to affiliates to conduct attacks, allowing the group to expand its reach and increase its potential for financial gain.


The affiliate model used by RansomHub sets it apart from other ransomware groups. Unlike traditional models where the ransom payments are controlled by the main group, RansomHub's affiliates have control over their own wallets and receive ransom payments directly from their victims. They then pay a 10% fee to the core group. This approach is likely intended to address concerns of "exit scams" or fraudulent activities that have been associated with other ransomware groups.

There is speculation that RansomHub may have been established by disgruntled affiliates of another ransomware group, BlackCat/Alphv. This theory is supported by the fact that RansomHub's operations and affiliate model closely resemble those of BlackCat/Alphv. However, there is no concrete evidence to confirm this connection.

RansomHub has been involved in attacks targeting various industries, including healthcare, in countries such as the United States, Brazil, and Southeast Asia. The group has demonstrated a willingness to target organizations in different sectors, indicating an opportunistic approach rather than a specific focus on a particular industry.


Recent attack history

On February 21, 2024, RansomHub attacked Change Healthcare, mere weeks after it was previously attacked by the ALPHV/BlackCat group. RansomHub claimed to have stolen 4 terabytes of data from Change Healthcare and demanded an extortion payment. They threatened to sell the data to the highest bidder if the payment was not made within 12 days.

The stolen data includes sensitive information such as the personal data of U.S. military personnel, medical records, financial information, and more. RansomHub stated that the data had not been leaked or shared anywhere, although the authenticity of this claim is uncertain.

It is worth noting that Change Healthcare had previously paid a $22 million ransom to the BlackCat group to prevent a data leak and restore their systems. However, the affiliate of BlackCat, who claimed to have stolen the data, alleged that they were cheated out of their share of the ransom. This latest ransom demand by RansomHub is believed to be related to the disgruntled affiliate's attempt to still profit from the attack.

UnitedHealth Group, the parent company of Change Healthcare, has provided temporary financial assistance of about $4.7 billion to healthcare providers affected by the incident. The situation remains complex, with ongoing investigations and negotiations taking place between the involved parties.


RansomHub’s emergence raises concerns for the following reasons:

1.      Ransomware-as-a-Service: The RaaS model used by RansomHub allows for a wider reach and increased frequency of attacks, making it a significant threat to organizations.

2.      Affiliates and Scammed Affiliates: RansomHub affiliates have the ability to carry out attacks on their own, targeting organizations and demanding ransoms. Additionally, there are claims that some affiliates have been scammed by RansomHub or its alleged predecessor, BlackCat/Alphv, leading to the possibility of disgruntled affiliates launching their own attacks. This creates a more complex and unpredictable threat landscape.

3.      Data Theft and Extortion: RansomHub claims to have stolen large amounts of sensitive data from organizations, including medical records, personal information, and source code files, suggesting they have the skills to infiltrate deep into the heart of an organization.

4.      Possible Russian Connections: The group explicitly avoids targeting certain countries, including North Korea, China, Cuba, and the Commonwealth of Independent States (CIS), which consists of former Soviet Union nations. This raises concerns about potential state-sponsored or state-tolerated cybercriminal activities, which can have broader geopolitical implications.


It's important to note that the information on RansomHub is still limited, and the motivations and exact operations of the group are still being investigated. As with any ransomware group, their activities pose a significant threat to organizations and individuals, highlighting the importance of robust cybersecurity measures and proactive defen

You may also like

Ransomhub June BTH

June 10, 2024

Stolen Data from US Telecom Company Frontier is Auctioned by RansomHub

Read more
Lockbit June BTH

June 10, 2024

FBI Encourages LockBit Victims to Claim Decryption Keys

Read more
BreachForums June BTH

June 10, 2024

590Million Customers Affected by 2 Major Attacks: Data Released on BreachForums

Read more