Ransomware, Threat Intelligence, Malware

RansomHub outage takes Group-IB researchers by surprise


Despite how aware hard-boiled researchers are of how volatile and dynamic threat actor activities can be, an April 30 blog by Group-IB showed that they are “sometimes still surprised by how quickly things change in just a few days.”

In this case, when they started out researching RansomHub’s operations several weeks ago, they didn’t expect the group to experience a significant outage so soon. According to Group-IB, RansomHub’s operation has been down since April 1.

The recent research offered some insight into how RansomHub conducted its business. RansomHub’s ransomware works on Windows, Linux, FreeBSD, and ESXi, as well as on x86, x64, and ARM architectures, and can encrypt local and remote file systems via SMB and SFTP. As part of their “services,” the operators instruct and educate their affiliates with detailed information about how to extort and negotiate with victims.

Group-IB’s researchers also noted that Qilin’s recent activity suggests that criminals from RansomHub may have migrated to Qilin, mainly because disclosures on its dedicated leak sites have doubled since February.

Heath Renfrow, co-founder and CISO at Fenix24, pointed out that RansomHub’s affiliation with Scattered Spider (best-known for the MGM hack) may have ultimately been too much spotlight for a RaaS group that thrived in relative obscurity.

“Scattered Spider’s operations are high-stakes and high-profile, and once RansomHub tooling became part of those breaches, the risk calculus likely changed,” said Renfrow. “This disappearance may be a strategic exit to avoid law enforcement pressure or a precursor to a rebrand under a new identity.”

Renfrow added that from a technical standpoint, RansomHub was notable for repurposing leaked Babuk ransomware code, but has since matured its tooling. Its encryption payloads were modular, capable of bypassing EDR tools by embedding lateral movement capabilities and leveraging compromised remote management tools. Renfrow said they also used custom crypters to evade static detection and often targeted ESXi environments through SSH brute-force and CVE-based exploits.

Lawrence Pingree, vice president at Dispersive, said it’s hard to say exactly why RansomHub went down, but he thought it was basically because stability and resilience for affiliates matter if such groups are to maintain their collective of bad actors.

“That's why takedowns, when they can be done, have been so advantageous for cybersecurity over the years,” said Pingree.
