{
	"id": "cae74a9c-cc47-4ca4-9ce2-7c1e82005826",
	"created_at": "2026-04-06T00:12:50.370063Z",
	"updated_at": "2026-04-10T03:25:24.208088Z",
	"deleted_at": null,
	"sha1_hash": "6398adde288ab0e0b3ea0e4d0272ad7dadcc3971",
	"title": "New Ransomware Group: RansomHouse - Is it Real or Fake? | Webz.io",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1118920,
	"plain_text": "New Ransomware Group: RansomHouse - Is it Real or Fake? |\r\nWebz.io\r\nBy Maya Rotenstreich Senior Cyber Analyst\r\nArchived: 2026-04-05 14:41:49 UTC\r\nThe first quarter of 2022 has seen a lot of cyberattacks, with RaaS (Ransomware as a Service) being the most\r\ncommon form of cyberattack these days.\r\nThe deep and dark web continues to be a favorite space for new ransomware gangs, whether they are brand new\r\ngroups with new infrastructure or a rebrand of an existing group. Whether they are old or new, most ransomware\r\ngroups operate very similarly. For example, some of them have already built their own Tor site, where they\r\npublish the targeted organizations they’ve allegedly attacked, including leaking some of the databases they claim\r\nto have compromised (assuming that the ransom negotiation with the victim failed).\r\nBut a question that has recently been raised is whether these are real or fake ransomware gangs.\r\nOne of the new ransomware groups whose credibility has been put in question is RansomHouse. So far, the group\r\nhas published 4 samples of allegedly stolen data from 4 companies (see image below) on their site on Tor. These\r\ncompanies are:\r\nSLGA, a local Canadian liquor and gaming authority\r\nJefferson CU, a local U.S. 
bank\r\nAHS, a German handling service provider\r\nDellner, a Swedish railroad equipment manufacturer\r\nhttps://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/\r\nPage 1 of 7\n\nUsers on Twitter, Telegram, and dark web forums have been debating whether RansomHouse is a real ransomware\r\ngang that is responsible for attacking and stealing those databases, or an extortion group that buys leaked\r\ndatabases from a third party and tries to extort the victims by demanding a ransom fee in return for not leaking the\r\ndata to the public.\r\nHow can you verify whether a ransomware group is real or fake?\r\nStep #1: Use publicly available records and announcements\r\nThe very first step should be to check the details that are publicly available. For example, have the companies\r\nsuffered a ransomware attack?\r\nIn an announcement, Jefferson Credit Union admitted that they were hit by a ransomware\r\nattack, in which the company’s files were encrypted. According to CBC News, RansomHouse affiliates contacted\r\nSLGA, claiming to have encrypted the authority’s system using ransomware.\r\nAs for AHS, they were targeted by a cyberattack but whether it was a ransomware attack remains unknown.\r\nDellner has not yet clarified whether they suffered a cyberattack at all.\r\nNone of these announcements are damning evidence that the RansomHouse group was behind the attack. They\r\ncould’ve hired ransomware from a different gang to carry out the attack, or they might not have been\r\ninvolved in these attacks at all.\r\nIn order to get proof that this is a real ransomware group, we need to turn to the spaces\r\nwhere ransomware and other cybercriminal groups operate every day – the deep and dark web. 
Using Webz.io’s\r\nCyber API, we took a closer look at RansomHouse in an effort to trace their activities and find out whether they\r\nare a real ransomware group or not.\r\nStep #2: Use the deep and dark web to trace the activities of ransomware groups\r\nThere are various places on the deep and dark web where you can start studying ransomware groups more closely.\r\nWe first started with the obvious option: their site.\r\nThe site of the RansomHouse group\r\nWe found the official site of the RansomHouse group on the Tor network. Here was the very first unusual finding\r\nwe traced. If you look at the images below, you can see a strong resemblance between the design and layout of the\r\nsite used by the RansomHouse group and the one the Hive ransomware gang uses. Some would say that it could be an\r\nindication that the RansomHouse group is either an extension of Hive or that they work for a group that is also\r\nbehind the Hive ransomware.\r\nRansomHouse on Telegram\r\nNext, we turned to the deep web and took a look at Telegram, where RansomHouse, like many other\r\ncybercriminal groups, including ransomware gangs, also operates.\r\nHow do they use Telegram?\r\n1. A private user – the group is operating a private user on Telegram to allegedly communicate and negotiate\r\nwith the victims regarding the ransom fee\r\n2. A Telegram channel – used to announce the names of the companies they attacked and threaten to\r\nexpose their data.\r\n3. 
A group – this is a highly unusual group RansomHouse uses for PR, where they\r\ncommunicate with verified journalists and share exclusive information a few hours or even days before\r\nthe leak is published on the platforms they maintain.\r\nIn the image below, you can see that one of the members of the PR group RansomHouse maintains on Telegram\r\nrecently asked the ransomware group if they are responsible for the cyberattacks they mention on their\r\nplatforms or if they just publish data from other ransomware groups. So far, RansomHouse hasn’t responded.\r\nThe group also uses Telegram for other PR campaigns. For example, they post messages on several cyber groups\r\non Telegram where they announce the names of the latest data leak victims and publicize their Tor sites and\r\nTelegram groups.\r\nYou can see an example of these types of “PR campaigns” on Telegram in the following image, where\r\nthe RansomHouse gang announces that the leak of SLGA’s data is up on the “Cyber Security experts” group on\r\nTelegram:\r\nMany of these posts were quietly removed by the admins of the groups shortly after they were published. 
Because\r\neven on the dark and deep web, threat actors are reported and blocked if they violate the terms of the community.\r\nIn the next image you can see how several members reported RansomHouse in one of the Telegram groups\r\nwhere they posted their “PR messages”:\r\nIt is important to note that RansomHouse have never explicitly claimed that they were the group who hacked the\r\nvictims, which puts in question their status as a “ransomware group”.\r\nBecause of their avoidance of the topic and the lack of clear proof that they are hacking unknowing victims, the\r\ndebate continues to roll on the deep and dark web.\r\nFor example, a user of a popular hacking forum, XSS.IS, called Snaz claims that RansomHouse is only a data leak\r\nsite, which is pretty common these days:\r\nWhether RansomHouse is responsible for the attacks or not, it’s very important to closely monitor their activities\r\nand the activity of other cybercriminal groups. A broad coverage of the deep and dark web helps conduct deep\r\nactor profiling and gain relevant context to prevent emerging cyber threats.\r\nSource: https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/"
	],
	"report_names": [
		"new-ransomware-group-ransomhouse-is-it-real-or-fake"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775791524,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6398adde288ab0e0b3ea0e4d0272ad7dadcc3971.pdf",
		"text": "https://archive.orkl.eu/6398adde288ab0e0b3ea0e4d0272ad7dadcc3971.txt",
		"img": "https://archive.orkl.eu/6398adde288ab0e0b3ea0e4d0272ad7dadcc3971.jpg"
	}
}