RansomHub
RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in February 2024 and rapidly became one of the most active ransomware brands of that year. It is also tracked as Spoiled Scorpius. The reporting collected here describes RansomHub as the volume leader of 2024, with 801 victims in 322 days, and as having absorbed many displaced operators after the disruption of LockBit and the collapse or exit scam of ALPHV/BlackCat. Multiple sources state that RansomHub became dormant or ceased operations in early 2025, with dormancy noted since April 2025, and that its affiliates subsequently migrated to other groups, including Qilin and DragonForce.

RansomHub operated an affiliate-based model with terms favorable to affiliates. ESET states that it was advertised on the Russian-speaking RAMP forum on February 2, 2024, and that it offered affiliates direct receipt of ransom payments, a 90% revenue share, and encryptors for Windows, Linux, and ESXi. The same reporting says its rules prohibited attacks against the Commonwealth of Independent States, Cuba, North Korea, and China. ESET further states that the encryptor was built from repurposed Knight source code and that the builder generated password-protected encryptors that required a unique 64-character password to execute. On June 21, 2024, the operation reportedly tightened its affiliate rules and began requiring a US$5,000 deposit.

The reporting links RansomHub to the development and maintenance of the custom EDR killer EDRKillShifter, introduced to affiliates in May 2024 and improved in June 2024. EDRKillShifter is described as using bring-your-own-vulnerable-driver (BYOVD) techniques with known vulnerable drivers. ESET also reports tooling and affiliate overlaps between RansomHub, Play, Medusa, and BianLian, and attributes a cross-brand affiliate cluster called QuadSwitcher to intrusions involving RansomHub tooling.
The reporting also notes mixed intrusion vectors such as callback phishing and voice phishing, and the broader ransomware tradecraft associated with the affiliates includes reconnaissance, credential abuse, lateral movement, and data exfiltration. Targets mentioned span multiple sectors and geographies, including healthcare, government, manufacturing, legal, technology, finance, and business services.

The healthcare sector is especially prominent in the collected reporting. Trellix states that RansomHub's affiliate model enabled some of the most damaging healthcare attacks in 2025, and other reporting attributes or associates RansomHub with incidents involving Change Healthcare, MediSecure, and possibly Harvest through an affiliate. In the Change Healthcare case, the reporting states that by mid-April 2024 an aggrieved ALPHV affiliate had formed RansomHub, retained the data stolen from Change Healthcare, and attempted a second extortion against UnitedHealth. It also notes claims that RansomHub stole 4 TB of Change Healthcare data and threatened to publish it.

The reporting further associates RansomHub with collaboration or overlap involving other criminal ecosystems. Several sources state that Scattered Spider partnered with Russian ransomware gangs including RansomHub, and one report says some high-profile DragonForce-linked attacks involved actors formerly associated with RansomHub operations. Another source says DragonForce seemingly took over, and later shut down, RansomHub's operation after infighting in April 2025.

Known aliases and related naming in the collected reporting: RansomHub, Spoiled Scorpius.
Tradecraft
49 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Previously a volume-leading ransomware brand in 2024 that became dormant in 2025, with its disappearance followed by rapid replacement from newer groups.
Ransomware operation that led by volume in 2024 before going dormant in 2025; its disappearance was followed by rapid replacement from newer brands.
Referenced as a rival group absorbed or displaced by DragonForce during ecosystem expansion.
A ransomware platform whose shutdown contributed to affiliate migration and rapid reconstitution of attack volume across other active operators.