S1212 RansomHub
RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.21
| Item | Value |
|---|---|
| ID | S1212 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 March 2025 |
| Last Modified | 27 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | RansomHub has created an autorun Registry key through the -safeboot-instance -pass command line argument.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | RansomHub can use PowerShell to delete volume shadow copies.1 |
| enterprise | T1059.003 | Windows Command Shell | RansomHub can use cmd.exe to execute multiple commands on infected hosts.1 |
| enterprise | T1486 | Data Encrypted for Impact | RansomHub can use Elliptic Curve Encryption to encrypt files on targeted systems.2 RansomHub can also skip content at regular intervals (ex. encrypt 1 MB, skip 3 MB) to optomize performance and enable faster encryption for large files.1 |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | RansomHub has placed a ransom note on comrpomised systems to warn victims and provide directions for how to retrieve data.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RansomHub can use a provided passphrase to decrypt its configuration file.1 |
| enterprise | T1480 | Execution Guardrails | RansomHub will terminate without proceeding to encryption if the infected machine is on a list of allowlisted machines specified in its configuration.1 |
| enterprise | T1083 | File and Directory Discovery | RansomHub has the ability to only encrypt specific files.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.009 | Safe Mode Boot | RansomHub can reboot targeted systems into Safe Mode prior to encryption.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | RansomHub can delete events from the Security, System, and Application logs.1 |
| enterprise | T1070.004 | File Deletion | RansomHub has the ability to self-delete.1 |
| enterprise | T1490 | Inhibit System Recovery | RansomHub has used vssadmin.exe to delete volume shadow copies.21 |
| enterprise | T1135 | Network Share Discovery | RansomHub has the ability to target specific network shares for encryption.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | RansomHub has an encrypted configuration file.1 |
| enterprise | T1057 | Process Discovery | RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.2 |
| enterprise | T1090 | Proxy | RansomHub can use a proxy to connect to remote SFTP servers.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.1 |
| enterprise | T1018 | Remote System Discovery | RansomHub can enumerate all accessible machines from the infected system.1 |
| enterprise | T1489 | Service Stop | RansomHub has the ability to terminate specified services.1 |
| enterprise | T1082 | System Information Discovery | RansomHub can retrieve information about virtual machines.1 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Checks | RansomHub can sleep for a set number of minutes before beginning execution.1 |