
LockBit and ALPHV’s takedowns drive RansomHub’s growth on The Register

RansomHub, a notorious ransomware collective that emerged earlier this year, has rapidly gained momentum within the cyber criminal world, surpassing its counterparts and wreaking havoc on its victims. The group, suspected to be a Knight rebrand, made its debut in February and swiftly recruited affiliates from LockBit after the latter’s law enforcement takedown. Additionally, RansomHub capitalized on the void left by ALPHV/BlackCat and boasted about enlisting members from both defunct groups through TOX and cyber crime forums.

By August, a mere six months since its inception, RansomHub had victimized 210 organizations, prompting the FBI, CISA, and other government agencies to target cyber criminals. Afflicted entities included prestigious names like Christie’s, Frontier Communications, Rite Aid, Planned Parenthood, and Delaware public libraries, among others. Notably, the group’s malware has become the preferred encryptor for Scattered Spider and other sophisticated cyber criminals, with a record high of 98 victims reported on its leak site in November.

Despite its rapid rise to infamy, RansomHub’s brazen attacks have also painted a target on its back, along with its affiliates, as law enforcement agencies intensify their efforts to apprehend the perpetrators. While evading capture may be easier for ransomware criminals with protection from Russian authorities, even cyber criminals take breaks, making them vulnerable to police arrests during such moments.

According to Michael McPherson, SVP of Security Operations at ReliaQuest, RansomHub has quickly established itself as the most active and significant ransomware threat currently. The group’s business model, offering affiliates a generous 90–10 split of extortion payments, has enticed many workers to join their cause, enabling them to target multiple victims simultaneously.

Furthermore, the group’s aggressive tactics, including utilizing repurposed Knight code and double-extortion methods, have set them apart in the cyber criminal landscape. ZeroFox analysts have tracked RansomHub’s exponential growth, with the group accounting for a substantial percentage of all ransomware attacks throughout the year. A forecast by the security firm suggests that RansomHub will continue to pose a significant threat in early 2025, attracting experienced affiliates and maintaining its status as the most dangerous ransomware group.

As RansomHub continues its reign of terror, other emerging ransomware gangs like Meow, Play Ransomware, and Hunters International are also poised to become serious threats in the coming year. While the longevity of RansomHub’s dominance remains uncertain, the cybersecurity landscape is rife with collectives waiting to claim the top spot in cyber crime rankings. The cat-and-mouse game between cyber criminals and law enforcement agencies continues as the battle against ransomware intensifies.
