The rise of RansomHub: Uncovering a new ransomware-as-a-service operation

On 25 February 2024, the clock ticked down for RansomHub’s first victim – Brazilian accounting and management firm YKP. It was the first time the ransomware gang had been observed, and four more victims have since followed.

What’s more, unlike the recently self-debunked scam ransomware operation Mogilevich, RansomHub is posting samples of the data its affiliates have exfiltrated and, in one case, has even begun publishing whole tranches of data.

RansomHub appears to be the real deal, so let’s see what we can learn about them.

RansomHub

RansomHub’s darknet site features an index page where all its victims are listed, as well as About and Contact pages.

According to the gang’s About page, RansomHub is a team of hackers from around the world, motivated by one thing – making money. Nothing too radical there, but the gang does say that it does not allow attacks against certain targets.

“We do not allow CIS, Cuba, North Korea and China to be targeted,” the gang’s site said.

It also lists a few general rules that RansomHub follows, as well as rules for its affiliates. RansomHub is a ransomware-as-a-service operation, and it has strict rules. It does not allow non-profit organisations to be targeted, and nor does it allow “re-attacks” – follow-up attacks on victims who have already paid.

VIEW ALL

The group also has a list of guidelines regarding the rights of its victims, especially in regard to the behaviour of its affiliates.

“Affiliates must comply with the agreements reached during the negotiations and the requirements,” RansomHub asserted, “if they don’t, please contact us, we will ban them and never work with them again”.

RansomHub also promises to send victims a decryptor for free if the affiliate does not provide one after it’s received payment or if an organisation that is off-limits is attacked. Whatever ransomware the gang is using is clearly capable of encrypting data before it is exfiltrated.

The gang’s contact page features a contact ID for the Tox messaging app, as well as advice on how to make initial contact.

“With questions about decryption to write only in a chat on the site, if the person who encrypted your network does not answer you more than two days or you have any other problems, you can contact me,” RansomHub’s spokesperson said, suggesting that English is not the first language of the gang.

This also suggests that RansomHub gives its affiliates a wide latitude in how they operate – so long as they don’t break the aforementioned rules.

Criminal affiliations

When it comes to posting victims to the leak site, it appears the affiliates themselves are doing the posting. The way victims are listed differs in the way evidence of each hack is provided and in the language used. In some cases, a link to a hosting service is provided to share proof-of-hack documents, while in others, screenshots are included in the leak post itself.

Of the five victims currently listed on RansomHub’s site, one has had their data published, while another victim’s data was simply sold – who to, the post does not say, but it’s clear that particular affiliate is taking RansomHub’s rules seriously.

“The data has been sold all,” one post read, regarding data belonging to a Romanian pharmacy. “Please note that we are strictly RansomHub’s rules. The data has been sold all and no longer sells for the second time.”

Looking at the wording and structure of the five leak posts published so far, it looks as though four separate affiliates are currently working with RansomHub.

“We stole a lot of confidential data from it, and if you don’t contact us within a specified period of time, we’ll release 30 per cent of it, and 50 per cent again in a few months,” one affiliate posted on two of the still active leak posts.

“One of Vietnam largest companies was attacked by our group,” said what appears to be another affiliate on the third active post. “More than two Terabytes of data were stolen from the company’s servers, not least due to negligence in network security and data storage.”

“You have three days for contact with us to decide this pity mistake, which made your IT department, decide what to do in next step.”

What’s interesting about RansomHub’s leak site is that it does not include any details on how a prospective affiliate can approach the gang. The contact details provided appear to be only for victims taking issue with how a given affiliate is treating them. RansomHub is likely advertising its services elsewhere, quite possibly on a Russian-language hacking forum.

So far, that is about all we know. What we can say, though, is that RansomHub appears to be quite technically proficient, and it prefers to stay away from communist economies.

And it is here to make money.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.