RansomHub – What You Need to Know About the Rapidly Emerging Threat 

RansomHub, the notorious ransomware group, has affected over 200 victims in industries such as IT, healthcare, finance, and more.
Joseph Avanzato
4 min read
Last updated April 10, 2025

Since emerging in early 2024, RansomHub has successfully attacked over 200 victims across multiple industries, including infrastructure, information technology, government services, healthcare, agriculture, financial services, manufacturing, transportation, and communications. 

This relatively new cybercrime group operates a Ransomware-as-a-Service (RaaS) program and has established itself as one of the most prominent of the competing criminal groups.

Our Varonis MDDR Forensics team has recently investigated multiple breaches attributed to this group and its affiliates, helping to contain and remediate active intrusions. If your organization has suffered a breach, please contact our team for immediate assistance.

Continue reading to learn more about RansomHub, the group’s recent activity, and how your organization can defend against RaaS. 

RansomHub’s recent activity 

RansomHub activity has ramped up since the group was first observed in 2024, and its target selection has quickly made it synonymous with "big game hunting": it primarily targets larger organizations that are more likely to pay a ransom to restore business continuity quickly rather than absorb extended downtime.

The breadth of the victim list indicates that these are attacks of opportunity rather than campaigns against specific industries or sectors. This is reinforced by what is known of the group's initial access operations, which typically involve exploiting a public-facing application or service hosted by the victim, such as Citrix ADC, FortiOS, Apache ActiveMQ, Confluence Data Center, BIG-IP, and others.

Current intelligence indicates that the group forbids affiliates from targeting organizations located in China, Cuba, North Korea, Romania, and the member states of the Commonwealth of Independent States, including Russia. This type of standing rule is common among threat actors based in China or Russia, since it reduces the likelihood of "friendly fire"; it indicates either some level of state association or a desire to avoid interference from local government entities.

The group targets victims across a wide array of verticals, with prominent targets including telecom companies such as Frontier Communications and healthcare institutions such as Change Healthcare and Rite Aid. In March 2025 alone, the group posted over 60 new victims to its dark web site, ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.]onion. 

Additionally, as of April 2025, a group known as DragonForce has claimed to be taking over RansomHub's infrastructure. Threat actor mergers have certainly occurred before, but this one stands out because of RansomHub's size and the number of victims it has claimed over the past 12 months. The official RansomHub onion site has been unavailable from March 31, 2025 through the publish date of this article.

Trend Micro tracks the group as Water Bakunawa, while CISA notes that the ransomware variant was formerly known as Cyclops and Knight. Members of the group and related affiliates have been linked by association with other high-profile RaaS groups such as Scattered Spider and ALPHV.

RansomHub’s commonly abused Tactics, Techniques and Procedures 

RansomHub affiliates, like those of many other RaaS programs, are known to leverage custom malware implants alongside common IT utilities and living-off-the-land binaries (LOLBINs) over the course of their campaigns.

From an IT perspective, they have been observed using the tools below, many of which are commonly found in enterprise environments:

  • Ngrok – A reverse-proxy utility designed to create a secure network tunnel between internal corporate devices and external endpoints, often abused by threat actors for persistence and exfiltration
  • Remmina – An open-source remote desktop (RDP) client, often abused by threat actors because it runs on Linux/UNIX systems
  • Tailscale VPN – Often used to initiate secure tunnels between compromised devices and attacker infrastructure
  • Splashtop, Atera, AnyDesk, ConnectWise, etc. – Remote Monitoring and Management (RMM) software commonly deployed by threat actors to maintain control of devices
  • Rclone – A commonly abused file-sync utility often used to exfiltrate data at scale to external (typically cloud storage) destinations

In addition to IT focused tooling, affiliates have been known to deploy customized malware in pursuit of their goals, including the following capabilities: 

 

Finally, RansomHub has also been observed exploiting several critical vulnerabilities to help achieve both initial access and privilege escalation, including but not limited to the following: 

Defensive recommendations 

There are multiple opportunities along the cyber kill chain to harden your enterprise defenses in anticipation of an attack by a RansomHub affiliate or similar group. We recommend:

  • Patch externally facing systems first; this is one of the highest-priority tasks, so that critical vulnerabilities are mitigated before an affiliate can exploit them for initial access
  • Enable multifactor authentication (MFA) for remote access systems such as VPN, RDP, Citrix NetScaler, Horizon, etc., and do not allow access to the network from untrusted devices without MFA
  • Ensure 100% EDR coverage so that ingress tool transfers and execution of malicious files are visible and can be blocked
  • Block tunneling and RMM utilities such as Ngrok, Cloudflared, AnyDesk, Splashtop, etc. These are commonly abused by threat actors and should only be allowed to execute where the business has explicitly approved them
  • Monitor data platforms for anomalous access patterns and ransomware behavior with software such as Varonis or similar. Solutions should be able to monitor traditional networked file shares (NetApp, Isilon), OneDrive/SharePoint, email, CRMs, databases, S3 buckets, etc., as these are all potential exfiltration and impact targets
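As an added example, not code from this article, from Varonis or from any RansomHub tooling, the script below turns the tool list in the previous section and the "block unless approved" recommendation above into a small hunt over process-creation telemetry: it flags the tunneling, RMM and Rclone executions the article calls out, downgrades RMM software the business has sanctioned to an audit record, and escalates Rclone when its command line names a configured cloud remote. The hostnames, usernames, command lines and the approved-RMM set are constructed assumptions for the demonstration.

```python
"""Hunt process-creation telemetry for the tunneling, RMM and bulk-exfiltration
tools named in the article. Added example, not Varonis or RansomHub code: the
sample events, hostnames and the approved-RMM set are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Product keywords for the tools named in the article, keyed by the behaviour
# they give an affiliate. Matching runs over the lower-cased image path plus
# command line, so a renamed binary is still caught when its flags or install
# directory name the product.
TOOL_KEYWORDS = {
    "tunnel": ("ngrok", "cloudflared", "tailscale"),
    "rmm": ("anydesk", "splashtop", "atera", "connectwise", "screenconnect"),
    "exfil": ("rclone",),
    "remote_client": ("remmina",),
}

# rclone addresses a configured cloud destination as "<remote>:<path>". A Windows
# drive letter ("E:\") is excluded by requiring at least two characters before
# the colon and no path separator after it.
RCLONE_REMOTE = re.compile(r"(?<![\w\\/])([A-Za-z][\w-]+):(?![\\/])")


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the started process
    cmdline: str
    parent: str


@dataclass
class Finding:
    host: str
    category: str
    severity: str   # info | high | critical
    reason: str


def classify(ev: ProcEvent, approved_rmm: set[str]) -> Optional[Finding]:
    """Return a Finding for one event, or None if no listed tool is involved."""
    text = f"{ev.image} {ev.cmdline}".lower()
    for category, keywords in TOOL_KEYWORDS.items():
        hit = next((k for k in keywords if k in text), None)
        if hit is None:
            continue
        if category == "rmm" and hit in approved_rmm:
            # Sanctioned RMM: keep an audit record, do not page anyone.
            return Finding(ev.host, category, "info", f"approved RMM '{hit}'")
        if category == "exfil":
            remotes = [m.group(1) for m in RCLONE_REMOTE.finditer(ev.cmdline)]
            if remotes:
                return Finding(ev.host, category, "critical",
                               f"rclone to remote '{remotes[0]}' by {ev.user}")
            return Finding(ev.host, category, "high", "rclone execution, local targets only")
        return Finding(ev.host, category, "high", f"unapproved {category} tool '{hit}'")
    return None


def triage(events: Iterable[ProcEvent], approved_rmm: set[str]) -> list[Finding]:
    """Classify every event and drop the ones that involve no listed tool."""
    return [f for f in (classify(ev, approved_rmm) for ev in events) if f is not None]


# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# events from three hypothetical hosts.
SAMPLE_EVENTS = [
    ProcEvent("WS-104", r"corp\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe",
              "ngrok.exe tcp 3389", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("FS-01", r"corp\svc_backup", r"C:\Tools\rclone.exe",
              r"rclone.exe copy E:\Shares\Finance mega:dump --transfers 32", "powershell.exe"),
    ProcEvent("WS-211", r"corp\asmith", r"C:\Program Files\AnyDesk\AnyDesk.exe",
              "AnyDesk.exe --service", "explorer.exe"),
    ProcEvent("WS-211", r"NT AUTHORITY\SYSTEM",
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe", "services.exe"),
    ProcEvent("WS-104", r"corp\jdoe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs", "services.exe"),
]

# Assumption: the business has sanctioned ConnectWise ScreenConnect only.
APPROVED_RMM = {"screenconnect"}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{f.severity:<8} {f.host:<7} {f.category:<13} {f.reason}")
```

Run stand-alone, the script reports the ngrok tunnel and the unapproved AnyDesk install as high, the rclone copy to the "mega" remote as critical, the sanctioned ScreenConnect service as info, and ignores svchost. Keyword matching on product names is deliberately coarse so that a renamed binary still surfaces; in production, pair it with publisher/hash allow-listing in your application control policy and with egress rules for the tunnel providers, since the keyword list is the easiest part for an affiliate to evade.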

Don’t wait for a breach to occur. 

Detecting ransomware and associated tactics is a constantly changing game of cat-and-mouse. Once a technique is blocked, adversaries immediately pivot to a new one.  

It is critical to ensure your organization has the right technology in place to automate your defensive posture as much as possible by reducing permissions, limiting access, and closely monitoring all enterprise data. 

If your organization has suffered a breach, please contact the Varonis IR Team for immediate assistance. 
