Report
Malware Spotlight: RansomHub Ransomware
Arete Analysis

Download The Report
Executive Summary
In 2024, Arete’s Incident Response (IR) team responded to dozens of incidents attributed to the RansomHub threat actor group. Engagements attributed to RansomHub increased rapidly since Arete first observed them in May 2024, and the group quickly established itself as one of the top three threat actor groups since
July 2024.
RansomHub has impacted multiple sectors across Arete engagements, including professional services, public services, healthcare, high technology, financial services, and manufacturing. The group has targeted several high-profile targets since its emergence, including telecom giant Frontier and British auction house Christie’s. RansomHub also claimed to possess data stolen from Change Healthcare, which was the victim of an ALPHV/BlackCat ransomware attack in February 2024. RansomHub announced the sale of Change’s data after leaking some of the alleged data a day beforehand.
Advertisements for the RansomHub Ransomware-as-a-Service (RaaS) appeared on cybercriminal forums on February 2, 2024, highlighting an encryptor developed using the C++ and Go programming languages. The use of Go makes it easier for ransomware groups to target a wide variety of operating systems without needing to rewrite significant portions of the malware, as Go allows developers to compile executables for Windows, Linux, and macOS platforms from a single codebase. These advertisements were accompanied by
a new data leak site (DLS) under the RansomHub branding on the dark web.
RansomHub is suspected to be a re-brand of the “Knight” ransomware group, whose source code was listed for sale on the underground RAMP forum on February 18, 2024. From research, Arete can confirm various similarities between RansomHub and Knight’s encryptors.
This spotlight explores the ransomware group’s observed behavior, background information on the threat actor, and statistics from Incident Response engagements, along with a technical analysis of RansomHub’s ransomware executable. Finally, we discuss security recommendations to better defend against this evolving cyber threat and mitigate the risk of financial and reputational losses.
Incident Response Data on the RansomHub Ransomware Group
Background
RansomHub became a notable ransomware operation in 2024, and, alongside Akira, represented a verysignificant percentage of Arete Incident Response engagements in Q3 of 2024.

Source: Arete's Q3 2024 Crimeware Report
The group utilizes both Windows and Linux variants of encryptors, which increases its operational capability to target a wide range of victims of various sectors and sizes. RansomHub operates under a double extortion model, which involves exfiltrating sensitive data and encrypting the victims’ systems to coerce a payment for
a decryptor and data deletion.
Technical Analysis
Malware analysis revealed that RansomHub ransomware:
Supports multiple command-line arguments.
Requires a password to properly execute and encrypt files.
Encrypts files on the system and mounted shares.
Creates a ransom note with the following filename: .README_.txt
Self-identifies the group as RansomHub in the ransom note.
References a data leak site in the ransom note that, when accessed, self-identifies the group as RansomHub.
Kills a list of processes and services.
Maintains a list of whitelisted files and directories to make sure it will not render the system unusable, preventing recovery when running a decryptor.
Attempts to prevent system recovery by deleting the system’s volume shadow copies.
Clears the Windows event logs.
Creates a desktop wallpaper image in the “%temp%\” directory and later modifies a registry key to change desktop wallpaper.
Execution Pattern/Arguments
The RansomHub ransomware needs command line arguments to execute and encrypt files in the system.
Command line arguments supported:
Command line arguments | Description |
|---|---|
-cmd | CMD to be executed before encryption. |
-disable-net | Disable network before running. |
-fast value | Fast encryption mode. |
-file value | Only process file inside defined files. For example, -file C://1.txt, -file D://2.txt. |
-host value | Only process net share inside defined hosts. -host 10.10.10.10 -host 10.10.10.11. |
-only-local | Only encrypt local disks. |
-pass [SHA256 string] | Password needed to execute the ransomware. A 64-character string. |
-path value | Only process files inside defined paths. -path C:// -path D:// -path //10.10.10.10/d/ |
-safeboot | Reboot in Safe Mode before running. |
-safeboot-instance | Run as Safe Mode instance. |
-skip-vm value | Skip shutting down VMs. Example: -skip-vm “Ubuntu 22.04 LTS”, -skip-vm “Windows Server 2012”. |
-sleep [integer value] | Sleep for a period of time to run (minute). |
-verbose | Log to console. |
Ransomware execution with the command line argument –help:

Figure 1. Command line arguments supported by the ransomware
The ransomware will not execute in the system without the “-pass” argument followed by a SHA-256 value that is unique in each engagement. Execution of ransomware to encrypt files:
RansomHub.exe -pass [SHA-256] Example: 7ac8cd689f5d9f4c1ddca14ec84965ed42b17343ebe086076ba0e7a46a80f81f |
|---|
Once the SHA-256 password value is provided, the ransomware will decrypt a JSON based ransomware configuration at the run time.

Decrypted JSON field name and descriptions:
Name | Description |
|---|---|
master_public_key | Curve25519 public key used in the file encryption process. |
extension | Extension added to encrypted files. |
note_file_name | Ransom note file name, default value is .README<encrypted_file_extension>.txt |
note_full_text | Ransom note content. |
settings | Ransomware operation setting. |
credentials | Contains common or locally stolen credentials which are used for propagation and further infection. |
kill_services | Terminates list of services. |
kill_processes | Terminates list of processes. |
white_folders | Excludes listed directories. |
white_files | Excludes listed files. |
white_hosts | Excludes listed hosts. |
Stop Services and Processes
Before file encryption, the ransomware terminates a pre-determined list of processes and services to encrypt as many files as possible.
Process names:
“agntsvc.exe”, “dbeng50.exe”, “dbsnmp.exe”, “encsvc.exe”, “excel.exe”, “firefox.exe”, “infopath.exe”, “isqlplussvc.exe”, | ||
|---|---|---|
Services names:
“mepocs”, “memtas”, “veeam”, “svc$”, “backup”, “sql”, “vss”, “sql$”, “mysql”, “mysql$”, “sophos”, “MSExchange”, | ||
|---|---|---|
The ransomware also tries to list and stop VMs by executing the following PowerShell command.
powershell.exe -Command PowerShell -Command “{ Get-VM | Stop-VM -Force }” | ||
powershell.exe Get-VM | Stop-VM -Force -inputFormat xml -outputFormat text |
File and Directory Exclusions
The ransomware excludes system-related files and folders, ransomware-related files, and whitelisted extensions during encryption.
Excluded file and extensions:
“NTUSER.DAT”, “autorun.inf”, “boot.ini”, “desktop.ini”, “thumbs.db”, “*.deskthemepack”, “*.themepack”, “*.theme”, | ||
|---|---|---|
Excluded directories:
“*\\$windows.~ws*”, “*\\$windows.~bt*”, “*\\windows\\*”, “*\\windows.old*”, “*\\system volume information*”, | ||
|---|---|---|
Inhibit System Recovery
Windows operating systems contain features that can help fix corrupted system files, including shadow copies, which are backups of files created by the Volume Shadow Copy Service (VSS). By deleting shadow copies, the ransomware can prevent victims from restoring files from backups, making it more difficult for them to recover their data without paying the ransom.
The ransomware deletes volume shadow copies before file encryption by starting the following process:
powershell.exe -Command PowerShell -Command “\”Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\”” | ||
|---|---|---|
System Network Connections Discovery
The ransomware can enumerate network-mounted shares by scanning the network interfaces.
Data Encrypted for Impact
The ransomware initially finds available drives, then loads the files one by one using the Windows API “FindFirstFileW“ and “FindNextFileW”. The ransomware generates random keys to encrypt the files, and after encrypting them, the keys are encrypted using a public key. To encrypt files, the ransomware uses a combination of a decrypted Curve 25519 public key and AES algorithms.
The default extension value is the first six characters of the Curve 25519 public key.

Figure 2. Extension added to the encrypted files
Files smaller than 0x100000 bytes are completely encrypted. If the file size is larger than 0x100000 bytes, the ransomware encrypts the file in 0x100000 bytes blocks and skips every 0x200000 bytes of data in between encrypted chunks.

Figure 3. 0x100000 bytes encrypted file.
Upon successful execution, the ransomware creates ransom notes with the file name “README_[encrypted_file_extension].txt”

Figure 4. RansomHub ransom note
Ransom note content:
We are the RansomHub. Your company Servers are locked and Data has been taken to our servers. This is serious. | ||
|---|---|---|
Modify Registry
The ransomware performs a registry key modification to change the desktop wallpaper.
Registry key change:
Registry key | Value name | Value data |
|---|---|---|
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Wallpapers | BackgroundHistory | C:\Users\%USERNAME%\ |
Screenshot showing the registry key modification:

Wallpaper image content from the
C:\Users\%USERNAME%\AppData\Local\Temp\MkgXoB.png file:

Mutex
The mutex is the fundamental tool for managing shared resources between multiple threads or processes. Typically, ransomware uses a mutex to avoid reinfecting the victim system and causing multiple layers of encryption. The ransomware did not create a mutex during execution.
Network Activity
The ransomware did not try to communicate with a remote server other than encrypting data from mounted shares.
Indicator Removal
The ransomware clears Windows Event Logs to hide its malicious activity. Windows Event Logs keep a record of a computer’s alerts and notifications. The ransomware runs the following commands to clear the logs:
cmd.exe /c wevtutil cl security | ||
|---|---|---|
File and Directory Permissions Modification
The ransomware uses the fsutil tool to redirect file system access to a different location after gaining access to a compromised network. The ransomware uses the following command line to redirect file system access, enabling remote to remote and remote to local symbolic links:
fsutil behavior set SymlinkEvaluation R2L:1 | ||
|---|---|---|
Indicators of Compromise
Indicator | Type | Context |
|---|---|---|
de7913504efe4584bdd9dd1ec13c4de4152a84df5e1cb-c31d0dd8fe70c88b5e0 | SHA256 hash | RansomHub ransomware |
README_<encrypted_file_extension>.txt | File name | RansomHub ransom note |
powershell.exe -Command PowerShell -Command “{ Get-VM | Stop-VM -Force }” | Process | Retrieve information about VMs and forces a shutdown |
powershell.exe -Command PowerShell -Command ” | Process | Volume Shadow Copy deletion |
cmd.exe /c wevtutil cl security | Process | Clearing Windows Event Logs |
cmd.exe /c “\\”fsutil behavior set SymlinkEvaluation R2L:1\\”” | Process | Enable remote to remote and remote to local symbolic links |
Key: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\ | Registry | Desktop wallpaper modification |
ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.] | URL | TA data leak site (DLS) |
Ransomware Configuration
RansomHub decrypted configuration information extracted:
Data Leak Site
The RansomHub ransom note contains a data leak site (DLS) that displayed the following page, self-identifying the group as RansomHub:

Figure 5. TOR DLS
Similarities with Other Ransomware
During our analysis, we observed some similarities between RansomHub, ALPHV/BlackCat, and Knight ransomware executables.
The following table highlights some of the similarities:
Malware Family | Common Arguments | Password | JSON Configuration |
|---|---|---|---|
RansomHub | pass | SHA256 strings value | extension |
ALPHV/BlackCat | –access-token (similar to -pass in RansomHub and Knight) | SHA256 strings value | extension |
Knight | pass | SHA256 strings value | extension |
Detection Mechanisms
Custom Detections and Blocking with Arete Bloktd℠
Note: These threat hunting queries may need to be tuned for your specific network environment. | ||
|---|---|---|
Yara
rule RansomHub_ransomware_executable meta: author = “areteir.com” strings: $s1 = “json:\”local_disks\”” condition: ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and } | ||
|---|---|---|
Recommended Mitigations
Organizations can find the full list of US government-recommended ransomware prevention and mitigation guidance here: https://www.cisa.gov/stopransomware/ransomware-guide
Arete provides data-driven cybersecurity solutions to transform your response to emerging cyber threats.
References
At Arete, we envision a world without cyber extortion, where people, businesses, and governments can thrive. We are taking all that we know from over 9,000 engagements to inform our solutions and strengthen powerful tools to better prevent, detect, and respond to the cyber extortion threats of tomorrow. Our elite team of experts provides unparalleled capabilities to address the entire cyber threat lifecycle, from incident response and restoration to advisory and managed security services. To learn more about our solutions, visit www.areteir.com.
Back to Blog Posts
Article
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations.
What’s Notable and Unique
Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities.
Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group.
The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.
Mitigations
Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.
Analyst Comments
The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.
Sources
Is FortiBleed Linked to INC and Lynx Ransomware?
FortiBleed credential-theft campaign linked to Lynx ransomware
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal
Article
Update on FortiBleed Credential Exposure
Last week, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. The campaign relies heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation.
Attackers first scan for exposed FortiGate devices and rank targets based on revenue. SSH brute-force attacks are used against admin accounts to gain initial access.
Following initial access, operators deploy stealthy packet-sniffing capabilities and establish external listening posts to receive harvested credentials and session data in near real time.
Observed post-exploitation activity strongly indicates pre-positioning for broader enterprise compromise, including lateral movement and potential ransomware deployment.
The scale of exposure and attack activity has been significant and globally distributed. The campaign has been ongoing since at least February 2026, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 nations.
How Arete Can Help
Arete continues to monitor this campaign, utilizing our extensive experience in detection, threat hunting, and attack surface review to look for indications of unauthorized activity related to this database exposure. Additional information regarding important considerations, containment and credential compromise mitigation actions, and additional hardening recommendations can be found in Arete’s FortiBleed Advisory.
Sources
FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation
Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors
Article
Europol Disrupts AudiA6 Crypto Laundering Service
European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.
What’s Notable and Unique
Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.
On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms.
Analyst Comments
Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.
Sources
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline



