{
	"id": "b80a2981-a415-4a2f-b9c8-c9eee3836ecf",
	"created_at": "2026-04-06T00:18:24.647578Z",
	"updated_at": "2026-04-10T03:30:33.490933Z",
	"deleted_at": null,
	"sha1_hash": "7a3295756780945d6ed101781bf2582f80aa8c34",
	"title": "Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4252363,
	"plain_text": "Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit\r\nBy Jim Walter\r\nPublished: 2024-04-24 · Archived: 2026-04-05 16:28:40 UTC\r\nThreat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial squabbles between threat actors emerge in the ransomware economy. The affiliates in such instances are starting to work with third parties or external data leak services in order to re-extort victims who have already paid the ransom to the original attackers.\r\nThis blog post examines how affiliate attackers are embracing this new third-party extortion method, illustrated most recently by the ostensibly back-to-back cyberattacks on Change Healthcare and the emergence of services like RansomHub and Dispossessor.\r\nALPHV Exit Scam \u0026 Re-Extortion by RansomHub\r\nIn February 2024, a subsidiary of healthcare giant UnitedHealth Group (UHG) was forced to take down its IT systems and various services. The root of the disruption was a cyberattack by a BlackCat (aka ALPHV) affiliate on Change Healthcare, a healthcare technology platform used by the subsidiary.\r\nPost-attack, ALPHV ransomware operators reportedly took down their data leak blog, servers, and operation negotiation sites, and failed to pay the affiliate their agreed share of the ransom.\r\nhttps://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/\r\nPage 1 of 10\n\nPurportedly, Change Healthcare paid out the $22 million ransom demand, only to be targeted a second time just weeks after recovering from the initial attack. 
This time around, the ransomware attack was claimed by a threat actor working in conjunction with RansomHub, a new extortion group claiming to hold 4 terabytes of the victim’s sensitive data, including personally identifiable information (PII) of active U.S. military personnel, patient records, and payment information.\r\nIt is believed that after ALPHV reneged on their payment, the affiliate partnered with RansomHub and re-used the data stolen from the initial attack in order to secure a payoff. At the time of writing, Change Healthcare has been removed from RansomHub’s DLS on April 20, 2024, presumably due to payment and cooperation with the threat actors.\r\nRansomHub and Change Healthcare Posting\r\nRansomHub RaaS\r\nRansomHub emerged in early February 2024 with a simple data leak site (DLS). Their focus mirrors other historically well-known operations such as REvil, ALPHV, and Play with regards to their core values and overall mission statements.\r\nStandard RansomHub ransom note\r\nRansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families, including ALPHV and LockBit. Notably, RansomHub works with other threat actors and groups to republish and rebroadcast the availability of victim data. There are multiple, revolving Telegram groups dedicated to amplifying the reach of RansomHub’s leaks. 
An example of this is the “R3dd1sh_34_E4gl3_D4t4l34ks” channel (aka Reddish Eagle Dataleaks).\r\nRansomHub archive amplified by R3dd1sh_34_E4gl3_D4t4l34ks\r\nThis development means that the data leak sites (DLSs) usually associated with a particular threat actor are no longer the only avenue of exposure for ransomware victims. Downstream amplification of these leaks is now common and generally open to all non-private Telegram or Discord groups.\r\nInterestingly, according to RansomHub’s own “rules”, it does not allow:\r\nAffiliates to attack entities in the Commonwealth of Independent States (CIS), Cuba, China, Romania, or North Korea,\r\nRe-attacks for targeted companies that have already made payment, nor\r\nAttacks against non-profit organizations.\r\nOriginal RansomHub About Page\r\nHowever, given the current situation faced by Change Healthcare, the second bullet in the list above appears to be a gray area, especially if re-extorting ransomware victims constitutes an attack.\r\nOur research indicates that multiple affiliates are now partnering with RansomHub in an effort to regain profitability following the apparent collapse of ALPHV.\r\nDispossessor Data Leak Blog\r\nDispossessor emerged in February of 2024, advertising the availability of previously-leaked data for download and potential sale. 
These announcements were placed across multiple forums and markets, including BreachForums and XSS.\r\nDispossessor announcement on BreachForums (LockBit data)\r\nThe X account @ransomfeednews recently posted regarding this new group, presenting their findings that indicated how Dispossessor “is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.” The group is also active on Telegram, posting similar announcements across well-trafficked Telegram channels.\r\nDispossessor initially announced the renewed availability of the data from some 330 LockBit victims. This was claimed to be reposted data from previously available LockBit victims, now hosted on Dispossessor’s network and thus not subject to LockBit’s availability restrictions.\r\nDispossessor Blog\r\nDispossessor appears to be reposting data previously associated with other operations, with examples including Cl0p, Hunters International, and 8base. We are aware of at least a dozen victims listed on Dispossessor that have also been previously listed by other groups.\r\nIn addition, there are apparent links to other aggregate-style operators like Snatch.\r\nDispossessor Blog with Snatch links highlighted\r\nIn many cases, the Dispossessor page links to the Dispossessor-Cloud repository. One victim was originally on CL0P’s data leak site in early 2023. 
Dispossessor’s data is identical to that hosted in the original CL0P magnet links for this and other victims.\r\nRabbit Hole Data Leak Site (DLS)\r\nA third emerging service with potential to contribute to the expansion of the monetization of previously leaked victim data is Rabbit Hole DLS, first observed on March 13, 2024. In an English translation of the site’s About Page, Rabbit Hole is described as a leaks “blog for small and medium-sized teams that do not have their own website”. The site is currently promoted in forums and dark markets.\r\nTranslated Rabbit Hole Blog announcement\r\nOriginal Postings (translated from Russian):\r\nblog for small and medium-sized teams that do not have their own website\r\nrabbit hole is not a ransom group, it is a general blog for small to medium sized teams. this blog was created in order to put pressure on corporations, due to the large number of publications from different teams – the rabbit hole offers you a haven where you can publish any leak [government institutions and hospitals are an exception]\r\nOnce a threat actor creates a Rabbit Hole account, victim leaks can be added, updated, and managed through its web portal. 
Each account manages its leaks through what is referred to as a ‘cabinet’ within the Rabbit Hole blog interface.\r\nRabbit Hole Blog Account “Cabinet”\r\nWhen posting leak data, the user is able to supply information including who they are and who the victim is, such as the name of the company, URL, company description, publish date/deadline, any associated images, and additional text to be included with the public leak description upon publication. The download URL for associated leaked data is also supplied via this interface.\r\nNew Leak creation on Rabbit Hole Blog\r\nOnce all details have been provided, they are submitted to higher-level owners and managers of the Rabbit Hole blog. Moderators are then responsible for the ultimate public posting of the leak. The Rabbit Hole platform, ideal for emerging cybercriminals with little to no infrastructure or resources, could easily accommodate multiple small-time actors looking to monetize the same data leaks. We continue to monitor how this site develops.\r\nConclusion\r\nAs larger, established threat groups fold or re-brand, we can expect to see many affiliates cut out of pending payments. Since threat actors will hold onto exfiltrated data, the likelihood of that data being used to re-extort the victims is high and will continue to grow. 
While it may seem like common sense not to trust threat actors to hold up their end of a deal, the infosec community may continue to witness the fallout when in-fighting and disagreements arise between cybercriminals, as well as between threat service providers and their affiliates.\r\nThe trust model upon which these RaaS agreements are created does not scale well, as most recently highlighted by security researchers monitoring the relationships between threat actors and affiliates in the ecosystem:\r\n“Additionally, we saw a continuation of long-tailed data exfiltration defaults by threat actors in Q1, i.e., posting of information on a leak site after payment or “hostage trading” with other groups or individuals, which adds further evidence to the file on the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word.”\r\nAs the ransomware and extortion landscape evolves, criminals will do what they need to do to protect their investments and paydays. Since affiliates carrying out a ransomware attack hold the actual data, they have the option to go elsewhere to monetize the data to collect payment. 
Global law enforcement agencies continue to discourage organizations from paying ransoms when dealing with a cyberattack and encourage them to file a report with the IC3, contributing to greater cyber resilience against potential attacks.\r\nIndicators\r\nSource: https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/"
	],
	"report_names": [
		"ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a3295756780945d6ed101781bf2582f80aa8c34.pdf",
		"text": "https://archive.orkl.eu/7a3295756780945d6ed101781bf2582f80aa8c34.txt",
		"img": "https://archive.orkl.eu/7a3295756780945d6ed101781bf2582f80aa8c34.jpg"
	}
}