RansomHub, a player in the ransomware-as-a-service (RaaS) industry, is currently facing significant internal conflict as affiliates lost access to negotiation chat portals on April 1st, 2025. This sudden disruption has caused affiliates to redirect victim communications to alternative platforms, including those of competing ransomware groups, leading to confusion in ongoing extortion attempts and potentially jeopardizing ransom payments in progress.
Establishing itself in early 2024, RansomHub differentiated itself from competitors by offering favorable payment terms to attract skilled affiliates. Unlike many RaaS operators, RansomHub directed ransom payments either directly to affiliates or split them at the point of transaction, minimizing the risk of “exit-scamming” where administrators abscond with entire ransoms, leaving affiliates empty-handed.
On April 1st, signs of trouble emerged when client chat portals used for ransom negotiations suddenly went offline, as noted by GuidePoint Security’s Research and Intelligence Team (GRIT) researchers. Intelligence partners observed similar disruptions across RansomHub’s infrastructure, hinting at widespread internal conflict rather than isolated technical glitches.
The repercussions of this turmoil extend beyond RansomHub itself, casting uncertainty over ongoing negotiations and ransom payments for victims. Organizations dealing with RansomHub ransom notes now face additional challenges due to unreliable communication channels and doubts about the group’s ability to provide decryption tools.
Adding complexity to the situation, rival RaaS operator DragonForce claimed on April 2nd that RansomHub had shifted to their infrastructure under a new option. This announcement on the RAMP forum was met with skepticism, with users questioning whether DragonForce had taken down RansomHub or whether the claim was an opportunistic marketing move.
The uncertainty grew when DragonForce urged RansomHub to consider their offer, suggesting a possible marketing ploy during a vulnerable moment for RansomHub. Matters were further muddled when DragonForce showcased what they purported to be a new RansomHub affiliate portal, prompting users to ask for clarification.
This instability mirrors the demise of other ransomware groups plagued by internal conflicts, such as Conti, Alphv, and Black Basta, which collapsed due to disagreements ranging from geopolitical tensions to affiliate disputes.
The evolving situation within RansomHub and the involvement of DragonForce underscore the volatile nature of the ransomware landscape and the ongoing challenges faced by both criminal organizations and their victims.