{
	"id": "9399ee73-7a26-481c-8530-99daec516e8d",
	"created_at": "2026-04-06T00:22:17.118293Z",
	"updated_at": "2026-04-10T13:12:47.430067Z",
	"deleted_at": null,
	"sha1_hash": "d8ff6f12abff62c096145208ce3ecaf85d87f09c",
	"title": "RansomHub: New Ransomware has Origins in Older Knight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46024,
	"plain_text": "RansomHub: New Ransomware has Origins in Older Knight\r\nArchived: 2026-04-05 15:46:05 UTC\r\nRansomHub, a new Ransomware-as-a-Service (RaaS) that has rapidly become one of the largest ransomware groups currently operating, is very likely an updated and rebranded version of the older Knight ransomware. Analysis of the RansomHub payload by Symantec, part of Broadcom, revealed a high degree of similarity between the two threats, suggesting that Knight was the starting point for RansomHub.\r\nDespite shared origins, it is unlikely that Knight’s creators are now operating RansomHub. Source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation. It is possible that other actors bought the Knight source code and updated it before launching RansomHub.\r\nRansomHub and Knight compared\r\nBoth payloads are written in Go and most variants of each family are obfuscated with Gobfuscate. Only some early versions of Knight are not obfuscated.\r\nThe degree of code overlap between the two families is significant, making it very difficult to differentiate between them. In many cases, a determination could only be confirmed by checking the embedded link to the data leak site.\r\nThe two families have virtually identical help menus available on the command line. The sole difference is the addition of a sleep command in RansomHub.\r\nFigure 1. Knight command-line help menu.\r\nFigure 2. RansomHub command-line help menu.\r\nBoth threats employ a unique obfuscation technique, where important strings are each encoded with a unique key and decoded at runtime. For example, in the command “cmd.exe /c iisreset.exe /stop”, only the iisreset.exe string is encrypted with a unique key.\r\nFigure 3. RansomHub string encoding. Only the iisreset.exe string is encrypted with a unique key.\r\nThere are significant similarities between the ransom notes left by both payloads, with many phrases used by Knight appearing verbatim in the RansomHub note, suggesting that the developers simply edited and updated the original note.\r\nhttps://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware\r\nPage 1 of 4\r\nFigure 4. Knight ransom note.\r\nFigure 5. RansomHub ransom note.\r\nOne of the main differences between the two ransomware families is the commands run through cmd.exe. These commands may be configured when the payload is built or during configuration. Although the commands themselves are different, the way and order in which they are called relative to other operations is the same.\r\nA unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption. This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub. However, Snatch contains significant differences, including an apparent lack of configurable commands or any sort of obfuscation.\r\nAnother ransomware family that restarts the affected computer in safe mode before encryption is Noberus. Interestingly, the Noberus encryptor stores its configuration in a JSON file whose keywords match what was observed in RansomHub.\r\nRansomHub attacks\r\nIn recent RansomHub attacks investigated by Symantec, the attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472), which can allow an attacker to gain domain administrator privileges and take control of the entire domain.\r\nThe attackers used several dual-use tools before deploying the ransomware. Atera and Splashtop were used to facilitate remote access, while NetScan was likely used to discover and retrieve information about network devices. The RansomHub payload leveraged the iisreset.exe and iisrstas.exe command-line tools to stop all Internet Information Services (IIS) services.\r\nRapid growth\r\nDespite only first appearing in February 2024, RansomHub has managed to grow very quickly and, over the past three months, was the fourth most prolific ransomware operator in terms of numbers of attacks publicly claimed. The group last week claimed responsibility for an attack on UK auction house Christie’s.\r\nFigure 6. Most prolific ransomware operations by claimed attacks, March-May 2023.\r\nOne factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attack.\r\nThe speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nThreat Hunter Team\r\nSymantec and Carbon Black",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware"
	],
	"report_names": [
		"ransomhub-knight-ransomware"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8ff6f12abff62c096145208ce3ecaf85d87f09c.pdf",
		"text": "https://archive.orkl.eu/d8ff6f12abff62c096145208ce3ecaf85d87f09c.txt",
		"img": "https://archive.orkl.eu/d8ff6f12abff62c096145208ce3ecaf85d87f09c.jpg"
	}
}