RansomHub recently announced two more breaches, one victim in the UK and the other in Italy. Neither organization has commented on the events, so it is unclear whether they have decided to negotiate.
RansomHub has become more active in Q1 of 2024 compared to the previous year. Although not 100% confirmed, RansomHub appears to have Russian roots, a conclusion drawn primarily from its recruitment strategy.
The organization operates as a RaaS (ransomware-as-a-service), employing affiliates to do part of the work for it. According to RansomHub's own representatives, affiliates keep 90% of the profits, with the remaining 10% going to the operators.
It is not difficult to see why this is such an appealing business model for affiliates. The main thing that fuels the theory of Russian origin is the fact that RansomHub recruits its affiliates primarily from the RAMP forum.
The forum is populated with Russian hackers, giving the gang free access to a competent workforce. One interesting aspect of RansomHub is the way it conducts business. The organization appears to be more than a standard ransomware gang.
Rather, it appears to be a more complex business model. Affiliates must abide by a specific set of internal regulations. One of these requirements is that they deal fairly with victims: if the victim pays the ransom, the affiliate is required to provide the decryption key.
If that does not happen, the victim can file a complaint with the RansomHub representatives themselves, who will provide the key instead and ban the affiliate that failed to fulfill this duty.
The gang is fairly young, having emerged publicly in February of the current year. But the story goes deeper than one might imagine. RansomHub's birth is tied to an interesting sequence of events unfolding around that time.
One such event is the ALPHV attack on Change Healthcare, which resulted in a massive data breach. The leak in question amounted to around 4 TB of confidential data. Change Healthcare presumably paid $22 million for the data.
ALPHV took the money but did not split it with its affiliates, as it should have. Instead, the group shut down and ran with it. Shortly after, RansomHub came into possession of that same data and began extorting Change Healthcare itself.
Its official statement was that the ransom money had gone to the wrong people.
At this point, the theory is that some of ALPHV’s former affiliates shared the data with RansomHub. Some even suggest a merger between ALPHV and RansomHub, although that remains to be proven.
What is clear, at this point in time, is that RansomHub has been growing fast since its inception. One reason for that is the outstandingly advantageous payment rate offered to affiliates (90%, whereas ALPHV only offered 80%).
Only the future can tell RansomHub’s entire story.