

RansomHub: An Emerging Ransomware-as-a-Service


RansomHub RaaS group exploits ZeroLogon vulnerability.

Since first emerging in February 2024, ransomware-as-a-service (RaaS) group RansomHub has added over 75 victims to its data leak site (DLS). Believed by the intelligence community to be a rebrand of the short-lived “Knight” ransomware group, RansomHub has already made a more significant impact than its alleged predecessor, based on the number of victims and high-profile targets. Recently, RansomHub was observed exploiting the Windows ZeroLogon vulnerability (CVE-2020-1472) for initial access into victim environments. 

The Knight Ransomware Connection 

Many in the intelligence community believe RansomHub is a rebrand of Knight ransomware, which may be correct. However, the timeline below leaves open an alternate scenario.

  • Advertisements for the RansomHub RaaS began in the cyber underground on February 2. They cited an encryptor written in the C++ and Go programming languages and offered adjustable encryption algorithms based on affiliate requirements. A new DLS showcasing the RansomHub brand accompanied the dark web advertisements. 
  • The Knight ransomware source code was listed for sale on the underground RAMP forum on February 18, 2024. 
  • The source code is believed to have been sold two days later, on February 20, to an unknown buyer. 
  • RansomHub listed the first victim on its DLS on February 21, one day after the believed sale of the Knight ransomware source code. 

While Arete cannot say for sure whether the threat actors behind RansomHub are the same as those behind Knight ransomware, we are certain that the RansomHub encryptor is based on the Knight ransomware source code. Considering the above timeline, the two most plausible hypotheses are that the actors behind Knight ransomware were waiting to sell their source code before officially launching the rebrand or that the actors behind RansomHub immediately began leveraging their recently purchased encryption capability to target victims in the wild. 


Since its emergence, RansomHub has targeted several high-profile targets and caused a broad impact across multiple sectors: 

  • Frontier: RansomHub extorted telecom giant Frontier and threatened to release 750,000 social security numbers from its customer base. 
  • Christie’s: RansomHub extorted the auction house for the wealthy with the threat of releasing data on 45,000 clients. 
  • Change Healthcare: Following a data security incident, RansomHub attempted to sell PHI stolen from the healthcare giant on the dark web. 

These incidents demonstrate that RansomHub doesn’t shy away from “big game hunting” or sensitive sectors amidst the recent wave of law enforcement actions against ransomware groups. They also showcase that the group is opportunistic when it comes to monetizing its efforts. Most ransomware groups forgo the time and effort of selling data on the dark web in favor of simply demanding ransoms from their victims. However, RansomHub took the approach of selling the allegedly stolen data from Change Healthcare.

Should the actors behind RansomHub prove to be the same as those behind Knight ransomware, it should be noted that Knight’s tenure in cybercrime was short-lived, as the group was only active for seven months before the source code was listed for sale on the RAMP forum.

Although this is not certain, an intent to exit hastily and rebrand could explain the motivation behind the group’s bold targeting of victims.

Analyst Comments 

Regardless of the threat actors behind the operation or how long the group will remain active, RansomHub is currently one of the most prolific cybercrime groups active in the threat landscape. The group has targeted a wide range of high-profile victims in its short tenure thus far, and the actors are clearly not afraid to monetize their efforts in any way possible. Arete will continue monitoring for any change of tactics, dark web chatter, or the indication of a possible rebrand for the group. 

