{
	"id": "2a6ac882-3a42-4df2-b10e-bf061334ef88",
	"created_at": "2026-04-06T00:09:29.888503Z",
	"updated_at": "2026-04-10T03:29:39.992974Z",
	"deleted_at": null,
	"sha1_hash": "ccfa03a2c0c551065823b57d7f92d9b3a360e798",
	"title": "RansomHub never sleeps episode 1 | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1034343,
	"plain_text": "RansomHub Never Sleeps\r\nEpisode 1: The evolution of modern ransomware\r\nDiscover how ransomware has evolved into a sophisticated cyber threat, with groups like RansomHub leading the charge. Learn more about their adaptability, TTPs, and the rise of Ransomware-as-a-Service in this first episode of a three-part series.\r\nFebruary 12, 2025 · Ransomware\r\nVito Alfano\r\nHead of DFIR Practice, EU\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 1 of 41\n\nAffiliates DFIR RaaS RansomHub Ransomware\r\nIntroduction\r\nThe cybersecurity threat landscape is a constant arms race between attackers and defenders. As organizations strengthen their defenses, adversaries evolve their tactics, techniques and procedures (TTPs) to exploit emerging vulnerabilities. Among these threats, ransomware operations have become increasingly sophisticated and prominent.\r\nIn its early days, ransomware targeted individuals with relatively small demands. However, with growing digital interconnectivity and exposed system vulnerabilities, attackers have shifted to larger targets including healthcare, finance, critical infrastructure, and government sectors. The advent of Ransomware-as-a-Service (RaaS) platforms has further lowered barriers for aspiring cybercriminals, enabling them to access advanced tools in exchange for a share of the profits.\r\nA key driver of ransomware’s growth is its adaptability. Modern groups exploit unpatched vulnerabilities, use advanced reconnaissance techniques, and leverage automation to scale their operations. In this first part of a trilogy of Group-IB blogs on ransomware, we’ll deep-dive into RansomHub, which emerged in early 2024, and how it exemplifies this evolution. 
Through innovation and rapid adaptation, this RaaS group has solidified its position as a significant threat in today’s cybersecurity landscape.\r\nKey discoveries in the blog\r\nRansomHub’s operators strategically advertised the group’s partnership program on the RAMP forum on February 2, 2024.\r\nRansomHub’s operators took advantage of the impact of law enforcement operations on LockBit and ALPHV to release a partnership program and recruit affiliates of these groups.\r\nThe threat actors likely acquired the ransomware and web application source code from the Knight (aka Cyclops) group.\r\nThe ransomware works on different operating systems and architectures, including x86, x64 and ARM as well as Windows, ESXi, Linux and FreeBSD.\r\nThe group started to use PCHunter to stop and bypass endpoint security solutions.\r\nRansomHub used FileZilla as an exfiltration tool.\r\nRansomHub’s affiliates have disclosed around 44 healthcare companies, including hospitals and clinics.\r\nAffiliates may eventually threaten to report cyber incidents to regulators under laws such as the PDPL (Personal Data Protection Law).\r\nWho may find this article interesting\r\nCybersecurity analysts and corporate security teams\r\nMalware analysts\r\nThreat Intelligence specialists\r\nCyber investigators\r\nComputer Emergency Response Teams\r\nLaw enforcement investigators\r\nCyber Police Forces\r\nWho is RansomHub?\r\nRansomHub emerged in early February 2024 as a Ransomware-as-a-Service (RaaS), coinciding with the closure of ALPHV’s operations. ALPHV shut down its infrastructure following the significant fallout from a disruptive attack on Change Healthcare.\r\nDuring ongoing law enforcement actions targeting the ALPHV and LockBit ransomware groups, RansomHub strategically launched its partnership program. 
This effort was analyzed by Group-IB in August 2024, as noted earlier in this blog.\r\nGroup-IB’s Threat Intelligence and Digital Forensics and Incident Response (DFIR) teams found that RansomHub capitalized on the void left by its disrupted competitors, focusing on recruiting affiliates from the now-defunct LockBit and ALPHV groups. The group actively sought new members through direct messaging and posts on underground forums like RAMP, XSS, and Exploit.in.\r\nTo expedite its operations, RansomHub acquired the source code and web application sold on the RAMP forum by the disbanded ransomware group Knight (formerly Cyclops), according to information obtained by Group-IB’s Threat Intelligence team from RansomHub’s affiliates.\r\nEvidence suggests that RansomHub purchased and rebranded Knight’s resources. The similarities between the affiliate panels used by RansomHub and Knight, the overlapping ransomware features, and the shared code corroborate this theory. The source code had reportedly been offered for sale on RAMP on February 18, 2024.\r\nInitially, it appeared that neither the ransomware nor the affiliate panel offered any novel features compared to those observed in other RaaS groups analyzed by our threat intelligence team. However, on July 18, 2024, koley, a RansomHub operator, advertised on the RAMP forum a new strain of the ransomware, which was able to remotely encrypt data via the SFTP protocol. This new version was announced on the RAMP forum a few weeks after security companies published reports on the group.\r\nFigure 1. RansomHub's partnership program advertisement on the RAMP forum\r\nFigure 2. Comments from RansomHub’s operator on rule changes after security companies accessed the affiliate panel\r\nFigure 3. 
SFTP Locker release on the RAMP forum\r\nThe release of this updated ransomware strain appears to have been a strategic move. It not only introduced new resources for affiliates but also aimed to mitigate potential reputational damage after security firms gained access to the affiliate panel.\r\nAt the time of writing, RansomHub has targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024.\r\nThis article shares the details of an incident response case handled by Group-IB’s DFIR team, including new insights into RansomHub’s TTPs and a technical analysis of its ransomware uncovered by Group-IB’s malware analysts.\r\nDissecting a ransomware operation\r\nPicture a strategic operation unfolding: an adversary initiated a covert reconnaissance mission, systematically probing the publicly exposed services and resources of a targeted organization. The objective: to identify weaknesses in the perimeter defenses.\r\nTheir intelligence revealed a critical vulnerability, CVE-2024-3400, impacting Palo Alto Networks firewall appliances running outdated PAN-OS software. This vulnerability allowed attackers to execute arbitrary code with root privileges, bypassing authentication and gaining a foothold inside the network.\r\nFigure 4. Extract of the security advisory released by Palo Alto\r\nThe attack demonstrated both the sophistication and adaptability of RansomHub affiliates, who moved swiftly to weaponize this vulnerability. Notably, the exploit had only recently been used by a China-based threat actor targeting critical infrastructure, months before any proof-of-concept code was publicly available. 
This rapid deployment showcased the group’s tactical acumen and readiness to capitalize on cutting-edge vulnerabilities before defenders could respond.\r\nFigure 5. Extract of logs showing part of the attempts to exploit the vulnerability\r\nGroup-IB’s DFIR analysts conducted a thorough investigation that revealed the source code of the script used by the attacker on GitHub.\r\nFigure 6. Source code of the exploit PoC used by the attacker\r\nSurprisingly, this script did not produce the expected result, leaving the attacker empty-handed. Forced to pivot, they resorted to a different approach: a tried-and-true brute force attack based on an enriched dictionary, against the VPN service provided by the vulnerable Palo Alto firewall.\r\nThis brute force attempt was based on an enriched dictionary of over 5,000 usernames and passwords. The attacker eventually gained access through a default account frequently used in data backup solutions, and the perimeter was finally breached.\r\nFigure 7. Extract of logs showing the first malicious access\r\nThe unauthorized access rapidly escalated, with the victim experiencing both data encryption and exfiltration within 24 hours.\r\nSimilar to military tactics that have transcended into cyberspace, the attacker, having gained initial access, performed internal reconnaissance using tools like Angry IP Scanner, Nmap, and PowerShell scripts. 
By running these tools, the attacker aimed to gather detailed information about the perimeter, looking for vulnerable assets and aiming to gain access to the domain controller, which is always considered the most important element of a Microsoft Windows-based IT infrastructure and the primary goal for any threat actor.\r\nThis technique allowed the attacker to exploit two vulnerabilities in the domain controller: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2020-1472.\r\nThe vulnerability labelled CVE-2021-42278 enables an attacker with limited domain user credentials to obtain a Kerberos service ticket for the domain controller, ultimately allowing them to compromise the domain controller.\r\nFigure 8. Screenshot of the extracted logs showing sAMAccountName spoofing\r\nA new computer is added to the domain.\r\nThe new computer is renamed with the name of a domain controller, but without the trailing “$”.\r\nA new Kerberos TGT is requested using the newly created computer name.\r\nThe new computer account is then renamed to any other name.\r\nA Kerberos service ticket is requested using the S4U2self extension and, once obtained, can be used to access any service on the domain controller.\r\nThe second one, labelled CVE-2020-1472 and also known as ZeroLogon, affects Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC), and it allows a malicious actor without user credentials to gain the highest privileges in the domain and take control of a vulnerable domain controller via NT LAN Manager (NTLM).\r\nFigure 9. 
Screenshot of the log showing the ZeroLogon attempt\r\nThe exploitation of the above-mentioned vulnerabilities enabled the attacker to gain fully privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure.\r\nOnce the attacker had gained full control of the domain, they were able to begin their lateral movement across the entire perimeter using any user account they preferred.\r\nFirst, they accessed one of the main network-attached storage servers and created a new folder, configuring it as a shared resource. They then uploaded the tools that would be used during the next phases of the attack to establish a point of persistence and facilitate the movement of resources across the compromised perimeter.\r\nFigure 10. Toolkit upload schema\r\nThis action marks a critical step in the attack lifecycle. The attacker successfully completed the initial data gathering and prepared the stage.\r\nAt this point, the attackers were ready to initiate the advanced phase of the attack, which involves moving laterally and identifying and targeting critical assets such as NAS and shared folders, along with backup systems. The goal is primarily to collect the data and subsequently exfiltrate it through external command and control servers.\r\nFigure 11. Critical asset access schema\r\nFigure 12. Screenshot of forensic evidence related to a set of shared folders accessed by the attacker\r\nThe traces left unknowingly by the attacker, as well as the speed of their actions, made it possible to retrieve all details related to the exfiltration phase, the command and control servers on which the data were deposited, and the tool used to carry out this operation, with its configuration: FileZilla. 
This tool was uploaded to selected critical hosts where sensitive data were stored and then executed to upload data to external C2 servers.\r\nFigure 13. An illustration of the FileZilla upload schema\r\nFigure 14. Extract of a $Jrnl table record showing the upload of FileZilla\r\nFigure 15. Extract of an MFT table record showing the upload of FileZilla\r\nFigure 16. UserAssist registry key evidence showing the execution of FileZilla\r\nThe retrieved FileZilla configuration was of significant value due to the information it contained, including command and control server IP addresses, usernames, destination ports and listening service configurations. The in-depth, intelligence-driven analysis of these IoCs resulted in a lengthy research activity that produced interesting results. These will be shared in the next episodes of this blog.\r\nFigure 17. Screenshots showing the extracted FileZilla configuration uploaded on different hosts\r\nFollowing the completion of the exfiltration operations, the attacker prepared the environment for the final phase of the attack.\r\nIn this final phase, which included some high-impact actions, the attacker worked to render all company data saved on the various NAS devices completely unreadable and inaccessible, as well as impossible to restore, with the aim of forcing the victim to pay the ransom to get their data back.\r\nThe first action involved completely disabling the backup service implemented by the victim. This was done to prevent the restoration of damaged data.\r\nFigure 18. Screenshot of the extracted UserAssist registry key showing backup application access\r\nThe subsequent step involved the upload of a tool known as PCHunter, a small all-in-one toolkit utility developed to spot and remove malware, including rootkits, which allows access to various system settings such as the kernel and kernel modules, processes, network, startup and a whole lot more.\r\nFigure 19. Screenshot of the extracted MFT table showing the PCHunter upload\r\nFigure 20. Screenshot of the extracted $Jrnl table showing the PCHunter upload\r\nFigure 21. Screenshot of the extracted UserAssist registry key showing PCHunter execution\r\nIn this case, the attacker took advantage of the tool’s functionality to terminate the EDR, subsequently implanting ransomware on the compromised hosts. Indeed, following the execution of PCHunter, the attacker disabled the endpoint security solution installed on all compromised hosts to evade ransomware detection.\r\nFigure 22. Screenshots of the extracted logs showing EDR disabling\r\nAt this latest stage, the attacker had almost completed their plan, and the only remaining actions were to upload the malware, named locker.exe, execute it and consequently initialize the encryption of all data stored on the victim’s most critical hosts.\r\nFigure 23. Screenshot of the extracted $Jrnl table showing the ransomware upload\r\nAt the end, the attacker proceeded with the execution of the ransomware, which required manual interaction to insert the correct password to decrypt the config file embedded within the same executable. The correct parameters were then loaded to encrypt all data, inhibit system recovery and remove any trace of the threat actor’s actions.\r\nFigure 24. 
Sample ransomware execution options\r\nThe updated version of the ransomware used by the attacker included various features, which will be dissected in the next section, such as:\r\n1. It retrieved information about virtual machines (VMs) and forcefully stopped them through the following embedded base64-encoded command:\r\nFigure 25. Extract of the PowerShell encoded command\r\nFigure 26. Screenshot of the extracted logs of the PowerShell encoded command\r\n2. It deleted shadow copies by executing the following embedded command:\r\nFigure 27. Extract of the PowerShell encoded command\r\nFigure 28. Screenshot of the extracted logs of the PowerShell encoded command\r\n3. It deleted system event logs (Security, System, Application).\r\nFigure 29. Screenshot of the extracted logs showing the deletion of system events\r\nFollowing the conclusion of the attack, the attacker removed some of their digital fingerprints, after encrypting the data still in the perimeter, and left a message to warn the victim and suggest how to act to retrieve their own data.\r\nFigure 30. Screenshot of the extracted logs showing the deletion of application events\r\nFigure 31. Screenshot of the extracted logs showing the deletion of security events\r\nFigure 32. Screenshot of the extracted ransom message\r\nThe attack concluded after less than 14 hours. 
The attacker abandoned the compromised and damaged perimeter; however, they left behind a few crumbs, which our DFIR team investigated and which will be addressed in the subsequent episode of this blog.\r\nTo give the reader a better overview of the incident, the DFIR team built a detailed flow, which includes all techniques and sub-techniques, developed with the MITRE ATT\u0026CK Flow Builder.\r\nFigure 33. A depiction of the enriched intelligence-driven incident\r\nDissecting RansomHub Ransomware\r\nThe ransomware’s master public key is used to encrypt the keys generated for file encryption. By default, it encrypts 1 MB of file content at regular intervals to optimize performance and speed. Default interval size: 3 MB (encrypt 1 MB, skip 3 MB), enabling faster encryption of larger files. Additionally, the Fast Encryption Mode, configured via command-line arguments available in all versions of the ransomware, may be used by affiliates to increase the encryption interval size to 9 MB for even faster encryption of very large files.\r\nAdditionally, each encrypted file is appended with a custom extension (e.g., .6706c3). At the end of the encryption process, there will be a ransom note (README_\u003crandom\u003e.txt) in each encrypted directory.\r\nRansomware variants and CLI options\r\nThe RansomHub ransomware comes in multiple variants, each tailored for specific platforms and architectures, offering distinct sets of features and command-line options to optimize its functionality for various environments. 
Below are the command-line switches of each version:\r\nMicrosoft Windows variant\r\nThe Windows variant of the ransomware is distributed as EXE files and includes a comprehensive set of command-line options for full control over its execution. This version supports advanced targeting, Safe Mode execution, and encryption of local and networked files (SMB shares).\r\nCommand Switch Description\r\n-cmd Execute a specific command before encryption.\r\n-disable-net Disable network interfaces before starting encryption.\r\n-fast Enable fast encryption mode for quicker processing.\r\n-file Encrypt specific files only. Example: -file C://1.txt -file D://2.txt.\r\n-host Target only specific network shares. Example: -host 10.10.10.10 -host 10.10.10.11\r\n-no-folder-filter Disable folder filtering, allowing all folders to be targeted.\r\n-only-local Restrict encryption to local disks only.\r\n-pass Specify a passphrase for execution.\r\nLinux and FreeBSD variant\r\nThis variant targets Linux and FreeBSD systems. It provides fewer options than the Windows version, focusing on encrypting files in specified directories. Without a specified path, the ransomware does not encrypt any files.\r\nCommand Switch Description\r\n-background Run the ransomware in the background.\r\n-fast Enable fast encryption mode.\r\n-pass Specify a passphrase for execution.\r\n-path Encrypt files in specific directories. Example: -path /var/www -path /var/sqldata.\r\n-verbose Log actions to the console.\r\n-sleep Introduce a delay (in minutes) before execution.\r\nVMware variant\r\nThis version targets VMware ESXi servers, encrypting files in the /vmfs/volumes directory by default. 
It includes a feature to exclude specific running virtual machines from the encryption process.\r\nCommand Switch Description\r\n-pass Specify a passphrase for execution.\r\n-path Specify the directory to encrypt (default is /vmfs/volumes). Example: -path /vmfs/other.\r\n-sleep Introduce a delay (in minutes) before execution.\r\n-skip_vms Skip stopping and encrypting VMs listed in a file. Example: -skip_vms skip.txt.\r\n-fast Enable fast encryption mode.\r\n-verbose Output encryption logs to the console.\r\nSFTP variant\r\nThis variant encrypts files on a remote SFTP server. It can connect directly or through a proxy server. It supports multi-threaded encryption for faster processing.\r\nCommand Switch Description\r\n-cmd Execute a specific command before encryption.\r\n-fast Enable fast encryption mode.\r\n-host Specify the target SFTP host. Default: 10.10.10.10:22.\r\n-pass Specify the passphrase for execution.\r\n-path Encrypt files in specific directories. Example: -path /volume1 -path /volume2.\r\n-proxy Use a proxy for connecting to the SFTP server. Example: -proxy socks5://127.0.0.1:1090.\r\n-skip_vm Skip encrypting specific virtual machine files. Example: -skip_vm “VM1”.\r\n-thread Set the number of encryption threads (default is 8).\r\nWindows Ransomware Internals\r\nWhen the malware is executed, it parses the command-line arguments to locate the -pass parameter, which is critical for its operation. The provided passphrase is used to decrypt the configuration file, enabling the malware to access its essential parameters. Without the correct -pass, the malware will terminate and print “bad config” to the console.\r\nPlease find below the ransomware settings:\r\nFigure 34. 
Screenshot of the ransomware configuration file\r\nAfter the ransomware starts, it checks whether the current machine is included in the whitelisted machines previously specified in its configuration in the affiliate panel. If the machine is whitelisted, the ransomware will terminate without proceeding with encryption. Otherwise, it continues its operation.\r\nNext, based on the configuration settings, the ransomware determines whether to self-delete. If the self_delete flag is set to true, the ransomware will delete itself using the following steps:\r\n1. Open a handle to its executable file.\r\n2. Rename the file to “amd64.exe:dea”.\r\n3. Close the handle.\r\n4. Reopen the file handle and set the delete-on-close flag.\r\n5. Close the handle again.\r\nThis sequence ensures the file is marked for deletion and will be removed. This technique allows the ransomware to erase traces of its presence while still running.\r\nFigure 35. Screenshot of the ransomware self-delete procedure\r\nAfter completing its initial checks, the ransomware executes any command specified in the -cmd command-line argument, if provided.\r\nFollowing this, its default behavior is to stop all running virtual machines (VMs). However, VMs listed in the -skip-vm command-line argument are excluded from this operation, allowing specific VMs to continue running while others are forcibly stopped.\r\nFigure 36. The command to shut down virtual machines on Hyper-V\r\nFigure 37. 
Whitelisted machines\r\nNext, the ransomware proceeds to delete all Shadow Copies, modify the symlink evaluation behavior to enable remote-to-local and remote-to-remote symbolic links, and delete the Security, System and Application event logs by executing the following commands:\r\npowershell.exe -Command PowerShell -Command “\\”Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\\””\r\ncmd.exe /c “\\”vssadmin.exe Delete Shadows /all /quiet\\””\r\ncmd.exe /c “\\”fsutil behavior set SymlinkEvaluation R2L:1\\””\r\ncmd.exe /c “\\”fsutil behavior set SymlinkEvaluation R2R:1\\””\r\ncmd.exe /c wevtutil cl security\r\ncmd.exe /c wevtutil cl system\r\ncmd.exe /c wevtutil cl application\r\nPlease note that the commands related to the modification of the symlink evaluation behavior are also present in the BlackCat and Cicada3301 ransomware.\r\nAfterward, it terminates or stops the services and processes specified in its configuration, ensuring minimal interference during encryption.\r\nExecuting in Safe Mode:\r\nWhen the -safeboot parameter is provided as a command-line argument, the ransomware changes the system configuration using bcdedit to enable safe mode (bcdedit /set {default} safeboot network) and also enables autologin to the system with the credentials from the configuration. Additionally, it creates an autorun registry key for the ransomware with the following command-line arguments: -safeboot-instance -pass\r\nFigure 38. Screenshot that shows the capability of the ransomware to enable autologon by changing a system registry key\r\nFigure 39. A screenshot of setting the registry keys for the username and password and the autorun registry key\r\nFigure 40. User credentials for autologin\r\nFigure 41. Enabling safe mode\r\nNetwork Spreading (encrypting other machines):\r\nIf the net_spread flag is set to true, the ransomware initiates network propagation. 
It enumerates all accessible machines from the currently infected system and uses the credentials provided in its configuration to establish connections to those machines via SMBv2.\r\nOnce connected, the ransomware:\r\n1. Enumerates all accessible files on the remote machines.\r\n2. Encrypts the files using its encryption algorithm.\r\n3. Writes the ransom note to inform the victim about the attack and payment instructions.\r\nThis network spreading capability allows the ransomware to extend its impact across the environment, targeting multiple systems simultaneously.\r\nFigure 42. Getting accessible files on the remote host\r\nFigure 43. Writing the ransom note to the remote host\r\nFigure 44. Requesting access to files and directories\r\nFiles Encryption:\r\nAfter parsing all command-line switches and reading its configuration, the ransomware determines its mode of operation: whether to encrypt local files only, remote shares, or both, and whether it will perform network propagation.\r\nIt then enumerates all directories, dropping the ransom note in each one before beginning the encryption process. 
For each file, the ransomware:\r\nGenerates a random key: This random key is used to encrypt the file. The key itself is then encrypted using the master public key from the configuration.\r\nEncrypts and stores metadata: The ransomware calculates the number of blocks in the file based on its size and the interval size (default: encrypt 1 MB, skip 3 MB). The metadata, comprising the encrypted key, block count, and the master public key, is written to the end of the file.\r\nEncrypts file content: Reads the file content (including the metadata already written) and encrypts the content using AES-CBC mode encryption.\r\nFinalizes the file: Rewrites the metadata at the end of the file after completing the encryption process.\r\nFigure 45. A screenshot showing the ransom note\r\nSFTP Ransomware Internals\r\nThis version of the ransomware is specifically designed to target SFTP servers and does not encrypt any local files. It connects to the target server either directly, which is the default operation, or through a proxy server passed in the command-line argument -proxy socks5://IP:PORT, ensuring the attacker’s IP address remains hidden.\r\nOnce connected, the ransomware:\r\n1. Authenticates with the SFTP server using the username and password it requests or retrieves from its configuration.\r\n2. Enumerates files within the root directory of the SFTP server.\r\n3. Encrypts the files, rendering them inaccessible to the server’s users.\r\nFigure 46. Requesting credentials to access the SFTP server\r\nRansomware killer\r\nThis killer tool acts as a terminator that abuses a vulnerable driver with an exposed interface to kill security products. It has two stages: the loader and the final payload.\r\nLoader:\r\nIt first checks the “-pass” command-line switch and makes sure its value is 64 characters long, then retrieves the shellcode from the resources section and writes it to disk under the name config.bin.\r\nFigure 47. A screenshot of the encrypted shellcode drop\r\nIt then reads the encrypted shellcode back from the config.bin file on disk, calculates the SHA-256 hash of the key (the argument of the -pass switch), uses this hash as the AES decryption key for the shellcode, and executes the decrypted shellcode.\r\nFigure 48. A screenshot showing the encrypted shellcode being deleted from disk and the decrypted version being executed\r\nFigure 49. A screenshot of the decrypted shellcode\r\nFinal payload (terminator)\r\nThe final payload first drops a vulnerable kernel driver in the %TEMP% directory under the name “1732723226.sys”, then creates the mutex “DriverInstallMutex” to make sure that only one instance of the terminator is running, and then installs the kernel driver on the system as a service with the name “Kill1732723226”.\r\nFigure 50. The vulnerable driver description and info\r\nFigure 51. The vulnerable driver signature\r\nFigure 52. Installing the driver\r\nIt then loops over all running processes, comparing each against its list of security processes to be terminated; when a killed process starts again, the tool detects it and kills it again.\r\nFigure 53. A screenshot showing communication with the kernel driver to kill the AV process\r\nFigure 54. A list of AV/EDR processes to kill\r\nFigure 55. 
A screenshot of the console Message\r\nList of AV/EDR to kill:\r\nProcess Name\r\nMsMpEng.exe AmSvc.exe TaniumCX.exe Ntrtscan.exe\r\nMsSense.exe CrAmTray.exe Traps.exe TmWSCSvc.exe\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 36 of 41\n\nProcess Name\r\nSenseIR.exe CrsSvc.exe cyserver.exe PccNTMon.exe\r\nSenseNdr.exe CybereasonAV.exe CyvrFsFlt.exe TMBMSRV.exe\r\nwinlogbeat.exe RepMgr.exe fortiedr.exe CNTAoSMgr.exe\r\nelastic-agent.exe RepUtils.exe EIConnector.exe TmCCSF.exe\r\nfilebeat.exe RepUx.exe hurukai.exe SophosClean.exe\r\nConclusions\r\nThe insights shared by Group-IB’s Cyber Threat Intelligence group, combined with the findings from\r\nthe Incident Response case handled by the DFIR team highlight the dynamic nature of the\r\nransomware landscape.\r\nThe origins of the RansomHub group, its offensive operations, and its overlapping characteristics\r\nwith other groups confirm the existence of a vivid cybercrime ecosystem. This environment thrives\r\non the sharing, reusing, and rebranding of tools and source codes, fueling a robust underground\r\nmarket where high-profile victims, infamous groups, and substantial sums of money play central\r\nroles.\r\nWithin this dynamic context, Ransomhub has quickly become a point of reference among\r\nresearchers, responders and affiliates-along with its unfortunate victims. The group has\r\ndemonstrated the ability to rapidly adapt and evolve its TTPs, tools, and capabilities, often surprising\r\neven seasoned professionals in the field.\r\nIt is evident that this landscape will continue to evolve, particularly with the growing influence of\r\ngenerative AI platforms. 
This evolution will undoubtedly present a significant challenge for security\r\nresearchers for years to come.\r\nGroup-IB remains committed to its research and knowledge-sharing efforts and will release further\r\ndetails in the upcoming episodes of this RansomHub-focused trilogy.\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 37 of 41\n\nMitre Att\u0026ck Mapping\r\nYara Rules for Ransomhub\r\nTo be able to detect in real-time any sample related to the ransomware developed by RansomHub,\r\nGroup-IB’s analysts built an ad-hoc yara.\r\nrule RansomHub_AVKiller\r\n{\r\nmeta:\r\ncompany = \"Group-IB\"\r\nauthor = \"Mahmoud Zohdy\"\r\ndate = \"2024-09-26\"\r\ndescription = \"Detection for RansomeHub AV Killer\"\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 38 of 41\n\nhash0 = \"c618c943840269eb753cb389029d331c\"\r\nstrings:\r\n$Argument_1 = \"-pass\" nocase\r\n$Argument_2 = \"-key\" nocase\r\n$PDB_1 = \"Loader.pdb\" nocase\r\n$PDB_2 = \"C:\\\\Users\\\\Private\\\\Source\\\\repos\\\\Loader\\\\\" nocase\r\n$InternalName_1 = \"Loader.exe\" wide nocase\r\n$InternalName_2 = \"Config.exe\" wide nocase\r\n$ProductName = \"-Game\" wide nocase\r\n$EncryptedShellCode_1 = \"Config.bin\" wide nocase\r\n$EncryptedShellCode_2 = \"Data.bin\" wide nocase\r\n$FileDescription = \"Loader Config\" wide nocase\r\ncondition:\r\n6 of them\r\n}\r\nrule ransomehub_ransome\r\n{\r\nmeta:\r\nauthor = \"M.Zohdy Group-ib\"\r\ndate = \"2025-01-29\"\r\ndescription = \"Detect RansomeHub Ransomware\"\r\nhash0 = \"2b7a13837039f4f5ff6aeaa0b135e712\"\r\nhash1 = \"35353c1c33c6e8a9c5944ae1b1541512\"\r\nhash2 = \"7ea71f9c62e5067da16df949542148da\"\r\nhash3 = \"271c4158f9a807fd92bfe65bbd4744cf\"\r\nhash4 = \"4b194e9b87c14d1c24aa0603b5bae00f\"\r\nhash5 = \"53987a86915d63db7c70998957d5a58d\"\r\nhash6 = \"4c6616c79ef2904b238dd9ed45ac6054\"\r\nhash7 = \"389c64831dd5d409153eaf352f5537e1\"\r\nstrings:\r\n$string0 = \"extension\"\r\n$string1 = 
\"settings\"\r\n$string2 = \"master_public_key\"\r\n$string3 = \"remove\"\r\n$string4 = \"note_full_text\"\r\n$string5 = \"note_file_name\"\r\ncondition:\r\n5 of them\r\n}\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 39 of 41\n\nShare this article\r\nFound it interesting? Don't hesitate to share it to wow your friends or colleagues\r\nResources\r\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nWebinars\r\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nProducts\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nAttack Surface Management\r\nDigital Risk Protection\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 40 of 41\n\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nSubscription plans Services Resource Center\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/\r\nPage 41 of 41",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/"
	],
	"report_names": [
		"ransomhub-never-sleeps-episode-1"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434169,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccfa03a2c0c551065823b57d7f92d9b3a360e798.pdf",
		"text": "https://archive.orkl.eu/ccfa03a2c0c551065823b57d7f92d9b3a360e798.txt",
		"img": "https://archive.orkl.eu/ccfa03a2c0c551065823b57d7f92d9b3a360e798.jpg"
	}
}