RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems


The RansomHub ransomware group has rapidly emerged as one of the most prolific cybercrime syndicates of 2024–2025.

The group has done so by expanding its arsenal to target Windows, VMware ESXi, Linux, and FreeBSD systems in attacks around the world.

RansomHub ransomware group leverages advanced evasion techniques, cross-platform encryption, and vulnerabilities in enterprise infrastructure.

Group-IB analysts have discovered that the group has compromised over 600 organizations, including healthcare, finance, and critical infrastructure sectors.

Multi-OS Encryption Capabilities

RansomHub’s ransomware variants are tailored for diverse environments, featuring unique command-line arguments and encryption methods per platform.

```powershell
RansomHub.exe -pass -fast -disable-net -skip-vm "VM1"
```

A JSON configuration file, decrypted at runtime, specifies whitelisted directories, kill lists for processes/services, and credentials for lateral movement.

The ESXi encryptor (C++-based) disrupts virtual machines using vim-cmd commands and encrypts VM files (.vmdk, .vmx) with ChaCha20 and Curve25519 algorithms.

A flawed /tmp/app.pid check allows defenders to prevent encryption by writing -1 to the file, forcing an infinite loop.

```c
// Code snippet from ESXi encryptor: single-instance check based on /tmp/app.pid
if (access("/tmp/app.pid", F_OK) == 0) {       // a PID file already exists
    pid_t pid = read_pid();                    // read the PID stored in the file
    if (kill(pid, 0) == 0) {                   // signal 0: does that process exist?
        kill(pid, SIGKILL);                    // yes: kill the earlier instance
        exit(0);                               // and terminate this one
    }
}
```

The Linux variant uses intermittent encryption (1 MB chunks) and terminates services like syslog to hinder detection.

The FreeBSD version, detected as Ransom.FreeBSD.INTERLOCK.THJBBBD, avoids critical directories (/boot, /etc) and appends .interlock to files.

RansomHub affiliates exploit vulnerabilities such as CVE-2024-3400 (Palo Alto firewalls) and CVE-2021-42278/CVE-2020-1472 (Active Directory) for initial access.

Extract of security advisory released by Palo Alto (Source – Group-IB)

Post-compromise, they deploy:

  • PCHunter: Terminates EDR processes and deletes logs.
  • FileZilla: Exfiltrates data to C2 servers.
  • BYOVD attacks: Use vulnerable drivers (POORTRY.sys) to disable security tools.

RansomHub’s affiliate panel, acquired from the defunct Knight ransomware, enables customizable ransom notes and leak site integrations.

Ransomware configuration file (Source – Group-IB)

The group threatens victims with regulatory reporting (PDPL violations) to pressure payments.

```json
// Decrypted configuration snippet
{
  "master_public_key": "a1b2c3...",
  "extension": ".6706c3",
  "note_file_name": "README.txt",
  "kill_processes": ["MsMpEng.exe", "TaniumCX.exe"]
}
```

RansomHub ransom note (Source – Group-IB)

CISA urges organizations to immediately patch CVE-2024-3400 and audit remote services to mitigate the growing threat posed by RansomHub.

Detection strategies include using YARA rules for RansomHub binaries, monitoring for suspicious PowerShell commands like Get-CimInstance Win32_ShadowCopy | Remove-CimInstance, and blocking known indicators of compromise (IoCs) such as IP 10.10.10.10:22 and TOR URLs.
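As an added illustration of the PowerShell monitoring mentioned above (example code written for this page, not Group-IB's or CISA's tooling), the detector below scans constructed script-block log lines (Event ID 4104 style, a made-up `host=... ScriptBlockText=...` layout) for the `Win32_ShadowCopy` deletion pipeline. It generalizes slightly beyond the one command quoted in the text: it also catches the `gcim`/`gwmi`/`rcim`/`rwmi` aliases, the WMI cmdlet equivalents, and the `.Delete()` method form, all case-insensitively.

```python
import re

# Constructed sample log lines in an assumed "eventid host=... ScriptBlockText=..." layout.
# srv01-srv04 delete shadow copies; srv05 only lists them; srv06 is unrelated cleanup.
SAMPLE_LOGS = [
    "4104 host=srv01 ScriptBlockText=Get-CimInstance Win32_ShadowCopy | Remove-CimInstance",
    "4104 host=srv02 ScriptBlockText=gcim   win32_shadowcopy|Remove-CimInstance -Confirm:$false",
    "4104 host=srv03 ScriptBlockText=Get-WmiObject Win32_ShadowCopy | Remove-WmiObject",
    "4104 host=srv04 ScriptBlockText=gwmi Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
    "4104 host=srv05 ScriptBlockText=Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate",
    "4104 host=srv06 ScriptBlockText=Get-ChildItem C:\\Temp | Remove-Item",
]

LOG_RE = re.compile(r"^(?P<event_id>\d+)\s+host=(?P<host>\S+)\s+ScriptBlockText=(?P<script>.*)$")

GET_CMDS = r"(?:Get-CimInstance|gcim|Get-WmiObject|gwmi)"
REMOVE_CMDS = r"(?:Remove-CimInstance|rcim|Remove-WmiObject|rwmi)"

PATTERNS = [
    # Shadow copy instances queried and piped into a removal cmdlet (any number of stages between)
    re.compile(GET_CMDS + r"\s+.*?Win32_ShadowCopy.*?\|\s*" + REMOVE_CMDS + r"\b", re.IGNORECASE),
    # Shadow copy instances deleted through the WMI object's Delete() method
    re.compile(r"Win32_ShadowCopy.*?\.Delete\s*\(", re.IGNORECASE),
]


def parse_script_block(line):
    """Split one log line into event_id, host and script text; None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shadow_copy_deletion(script):
    """True when the script text deletes Win32_ShadowCopy instances; listing them alone is not flagged."""
    return any(p.search(script) for p in PATTERNS)


def scan_logs(lines):
    """Return (host, script) pairs for every log line that deletes shadow copies."""
    hits = []
    for line in lines:
        rec = parse_script_block(line)
        if rec and is_shadow_copy_deletion(rec["script"]):
            hits.append((rec["host"], rec["script"].strip()))
    return hits


if __name__ == "__main__":
    for host, script in scan_logs(SAMPLE_LOGS):
        print(f"ALERT shadow-copy deletion on {host}: {script}")
```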

With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced ALPHV/LockBit affiliates, organizations must strengthen endpoint security and ensure backup isolation to prevent potential attacks.
