RansomHub
Executive Summary
RansomHub is a ransomware-as-a-service (RaaS) operation whose affiliates practise double extortion: data is exfiltrated before systems are encrypted, and the threat of publication is used alongside the encryption to pressure payment. CISA: #StopRansomware: RansomHub Ransomware identified RansomHub as a variant formerly known as Cyclops and Knight and reported that the operation had attracted affiliates from other prominent ransomware variants.
CISA, FBI, MS-ISAC, and HHS reported that since RansomHub's inception in February 2024, affiliates had encrypted and exfiltrated data from at least 210 victims across the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications sectors. Unit 42: Extortion and Ransomware Trends January-March 2025 reported that RansomHub was the most frequently observed group in Unit 42's vetted dataset of public leak-site postings for January-March 2025.
Notable Campaigns
CISA's August 2024 advisory describes RansomHub as an affiliate-driven ransomware-as-a-service model rather than a single fixed intrusion set, so tooling and tradecraft vary from one intrusion to the next. The advisory states that affiliates use double extortion by encrypting systems and exfiltrating data, and that the ransom note dropped during encryption generally does not state an initial demand; instead it directs victims to contact the group through a Tor-accessible site.
ThreatDown: New RansomHub attack uses TDSSKiller and LaZagne, disables EDR reported a September 2024 intrusion in which a RansomHub affiliate used TDSSKiller, a legitimate rootkit-removal utility, to interfere with the endpoint protection service, followed by LaZagne to recover stored credentials. ThreatDown described that case as part of a shift in the tools observed in RansomHub activity.
Technical Capabilities
CISA reported that RansomHub affiliates typically compromise internet-facing systems and user endpoints through phishing, exploitation of known vulnerabilities, and password spraying. The advisory also reported that affiliates obtain proof-of-concept exploit code from public sources and listed several known CVEs in exposed products that affiliates have exploited; the exposure is unpatched internet-facing software rather than zero-days.
Post-access activity described by CISA includes account creation and account manipulation for persistence, credential gathering with Mimikatz, lateral movement through Remote Desktop Protocol, and use of tools such as AnyDesk, Cobalt Strike, Metasploit, Rclone, and WinSCP. CISA reported that data exfiltration methods depend heavily on the affiliate conducting the intrusion and that observed methods included PuTTY, Amazon S3 tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit. Because the exfiltration tooling varies by affiliate, detection should key on the behaviour (bulk outbound transfers from file servers, new transfer utilities appearing on hosts) rather than on any single utility name.
CISA reported that the RansomHub encryptor encrypts files for impact and typically attempts to delete volume shadow copies with vssadmin.exe to inhibit recovery. ThreatDown reported a RansomHub case involving TDSSKiller to interfere with endpoint defense and LaZagne to recover stored credentials.
Attribution
The cited public sources support attribution to a financially motivated cybercriminal ransomware ecosystem. CISA, FBI, MS-ISAC, and HHS identify RansomHub as a ransomware-as-a-service variant and describe affiliate behavior, but the advisory does not identify a state sponsor or a fixed central operator.
RansomHub’s country of origin and any state relationship are unknown in the cited source set.
MITRE ATT&CK Profile
T1566 - Phishing: CISA reported that RansomHub affiliates used mass phishing and spear-phishing emails to obtain initial access.
T1190 - Exploit Public-Facing Application: CISA reported that RansomHub affiliates exploited known vulnerabilities in internet-facing systems.
T1059.001 - PowerShell: CISA reported PowerShell-based living-off-the-land activity for network scanning and intrusion automation.
T1047 - Windows Management Instrumentation: CISA reported affiliate use of Windows Management Instrumentation to execute malicious commands and disable antivirus products.
T1003 - OS Credential Dumping: CISA reported use of Mimikatz on Windows systems to gather credentials.
T1486 - Data Encrypted for Impact: CISA reported that RansomHub affiliates encrypted victim data for impact.
T1490 - Inhibit System Recovery: CISA reported that RansomHub ransomware deleted volume shadow copies and that affiliates removed backups.
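The following is an added example, not code from CISA, ThreatDown, or any RansomHub tooling: process-creation detection logic, run over constructed log lines, for the vssadmin shadow-copy deletion described under Technical Capabilities and mapped to T1490 above, together with the TDSSKiller and Rclone tooling the same sections mention. The pipe-delimited log format, hostnames, the TDSSKiller service-removal argument, the Rclone remote syntax, and the T1562.001 and T1567.002 mappings for those two rules are assumptions of this example, not statements from the cited sources; confirm the command-line patterns against your own telemetry before deploying.

```python
"""Process-creation detections for RansomHub-style post-access activity.

Added example, not from the cited advisories. Events are constructed,
simplified Sysmon Event ID 1 style records: host|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample telemetry (not captured data). One benign Office launch,
# one benign vssadmin query, and three lines modelled on the reported behaviour.
SAMPLE_EVENTS = r"""
ws01|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"
srv-fs01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
srv-fs01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
ws07|CORP\admin2|C:\Windows\System32\cmd.exe|C:\Users\admin2\Desktop\tdsskiller.exe|tdsskiller.exe -dcsvc MBAMService
srv-db02|CORP\admin2|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Temp\rclone.exe|rclone.exe copy D:\Finance mega:backup --transfers 16
"""


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def argv(self) -> list:
        # Whitespace split is enough for these rules; quoted paths are not matched on.
        return self.command_line.lower().split()


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, image, cmd = line.split("|", 4)
        events.append(ProcEvent(host, user, parent, image, cmd))
    return events


def shadow_copy_deletion(e: ProcEvent) -> bool:
    # T1490: CISA reports vssadmin.exe used to delete volume shadow copies.
    # "list shadows" is routine administration and must not fire.
    return e.image_name == "vssadmin.exe" and "delete" in e.argv and "shadows" in e.argv


def tdsskiller_service_removal(e: ProcEvent) -> bool:
    # Defense evasion via a legitimate rootkit remover, as in the ThreatDown case.
    # The "-dcsvc" (delete service) argument is an assumption of this example.
    return e.image_name == "tdsskiller.exe" and "-dcsvc" in e.argv


# Rclone remote syntax "name:path"; two or more characters before the colon so
# Windows drive letters such as d:\finance do not match. Assumed pattern.
RCLONE_REMOTE = re.compile(r"^[a-z0-9_-]{2,}:")


def rclone_to_remote(e: ProcEvent) -> bool:
    # Exfiltration with Rclone to a cloud remote (mapping to T1567.002 is this example's).
    argv = e.argv
    return (
        e.image_name == "rclone.exe"
        and len(argv) > 2
        and argv[1] in {"copy", "sync", "move"}
        and any(RCLONE_REMOTE.match(a) for a in argv[2:])
    )


RULES: list = [
    ("T1490", "Shadow copy deletion via vssadmin", shadow_copy_deletion),
    ("T1562.001", "Security service removal via TDSSKiller", tdsskiller_service_removal),
    ("T1567.002", "Rclone transfer to cloud remote", rclone_to_remote),
]


def detect(events: list) -> list:
    """Return (technique_id, rule_name, host, command_line) for every rule hit."""
    hits = []
    for e in events:
        for tid, name, fn in RULES:
            if fn(e):
                hits.append((tid, name, e.host, e.command_line))
    return hits


if __name__ == "__main__":
    for tid, name, host, cmd in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{tid}] {name}: host={host} cmd={cmd}")
```

Run as a script it prints three hits (the vssadmin deletion on srv-fs01, the TDSSKiller service removal on ws07, and the Rclone copy on srv-db02) and stays silent on the Office launch and the read-only vssadmin query. The rules are deliberately narrow so that a benign backup job listing shadow copies, or rclone copying between two local drives, does not page anyone.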
Sources & References
- CISA: #StopRansomware: RansomHub Ransomware — CISA, 2024-08-29
- ThreatDown: New RansomHub attack uses TDSSKiller and LaZagne, disables EDR — ThreatDown, 2024-09-09
- Unit 42: Extortion and Ransomware Trends January-March 2025 — Unit 42, 2025-04-23