Valtik Studios
Enterprise · critical · Updated 2026-04-17 · 12 min

RansomHub: The Affiliate-Led Operation That Absorbed LockBit Crew

After Operation Cronos, LockBit affiliates migrated. RansomHub became the largest operation by victim count in 2025, recruiting explicitly on a 90% affiliate share. Because the affiliate model persists across takedowns, so does the playbook. Cases: the Change Healthcare double extortion, Halliburton, Kawasaki. Defensive priorities that hold regardless of which brand runs the operation next.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration tester.

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

# RansomHub: the affiliate-led ransomware operation that absorbed LockBit's crew

When Operation Cronos took down LockBit in February 2024, the immediate question was where the LockBit affiliates would go. The answer, for many of them, was RansomHub. Within six months of the LockBit takedown, RansomHub became the most active ransomware operation on the planet by published victim count, explicitly recruiting ex-LockBit and ex-ALPHV affiliates.

This post walks through what RansomHub is, why the affiliate model works, the TTPs that overlap heavily with LockBit/ALPHV descendants, and the defensive posture that matters as the ransomware affiliate ecosystem continues to reorganize.

## The post-takedown ransomware reshuffling

Law enforcement operations against the top ransomware operations in 2023-2024 created an affiliate migration pattern that matters for defenders:

  • February 2024. LockBit disrupted by Operation Cronos (NCA, FBI, Europol, 10+ partner countries).
  • March 2024. ALPHV/BlackCat runs an apparent exit scam: claims an FBI seizure, takes a large payment from Change Healthcare, and disappears without paying the affiliate.
  • Mid-2024. RansomHub explicitly courts ex-LockBit and ex-ALPHV affiliates with 90% affiliate share (higher than competitors).
  • 2024-2026. RansomHub becomes the top-ranked operation by public victim leak count. DragonForce, Play, Qilin, Hunters International, and Akira also absorb a share of displaced affiliates.
  • 2025. US DoJ and UK NCA indict specific RansomHub-affiliated individuals; operation continues.

The takeaway: takedowns scatter affiliates. The operational playbook and victim targeting patterns move with them. The defensive problem doesn't change just because the brand did.

## What RansomHub is

RansomHub operates as a ransomware-as-a-service (RaaS) platform. Core operators maintain:

  • The ransomware binary and its ongoing development.
  • The data-leak site and payment infrastructure.
  • Initial-access broker relationships.
  • Affiliate recruitment and vetting.

Affiliates do the actual intrusion work. They keep approximately 90% of ransom payments; core operators take 10%. This share is higher than most competitor operations (LockBit was ~80/20, ALPHV similar) and is the explicit selling point for affiliate migration.

The ransomware itself is written in a mix of Go and C++, supports both Linux and Windows targets, and uses ChaCha20 encryption with Curve25519 key exchange. It is a technically competent build that draws on published code from multiple prior ransomware families.

## TTPs: the recognizable affiliate playbook

Because many RansomHub affiliates are ex-LockBit/ALPHV, the technical playbook is recognizable.

### Initial access

  • Phishing with credential-harvesting lures mimicking DocuSign, Microsoft Office 365, Adobe, and IT support emails.
  • Exploitation of unpatched internet-facing systems, specifically Citrix NetScaler (CVE-2023-4966, Citrix Bleed), Fortinet FortiOS, Palo Alto GlobalProtect, and Ivanti Connect Secure.
  • Zerologon (CVE-2020-1472) against unpatched domain controllers.
  • Initial access broker purchases of valid VPN, RDP, or domain credentials.
  • Drive-by malware distribution via compromised ad networks.

### Post-access playbook

  • Reconnaissance with AdFind, SharpHound, SoftPerfect Network Scanner.
  • Credential harvesting with Mimikatz, LSASS dumping, DCSync.
  • Lateral movement via RDP, SMB, WMI, PowerShell Remoting.
  • Living off the land: PowerShell, WMI, certutil, bitsadmin.
  • Cobalt Strike for C2 on beachhead systems.
  • Specific tooling note: RansomHub affiliates have been documented deploying Atera Agent and AnyDesk for persistent remote access, because these are legitimate IT tools and pass most EDR baselines.

### Data exfiltration

  • Rclone to attacker-controlled S3-compatible storage.
  • Mega.nz uploads.
  • Bespoke HTTP-based exfil scripts for environments with egress controls.
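To make the defender's side of these three channels concrete, here is an added Python example (not code from this post or from Valtik) that runs egress rules over constructed proxy-log lines: uploads to Mega domains, a sync-tool user agent such as rclone's default `rclone/<version>`, and bulk or bursty PUT/POST volume to a destination outside an approved upload list, which covers both the S3-compatible and the bespoke-HTTP cases. The log format, the host and destination names, the approved-host list and the thresholds are all assumptions made for the example.

```python
"""Egress analytics over constructed proxy log lines (added example).
Log format, hostnames, destinations and thresholds are invented here."""
import shlex
from collections import defaultdict

# Constructed proxy log: ts host user method dst_host bytes_out "user_agent"
PROXY_LOG = """\
2026-03-04T02:10:11 SRV-FS01 svc_backup PUT files.corp-approved.example 734003200 "Veeam/12.1"
2026-03-04T02:11:40 SRV-FS01 jdoe PUT s3.example-object-store.test 209715200 "rclone/v1.66.0"
2026-03-04T02:13:02 SRV-FS01 jdoe PUT s3.example-object-store.test 314572800 "rclone/v1.66.0"
2026-03-04T02:20:55 WS-0412 jdoe POST g.api.mega.co.nz 52428800 "Mozilla/5.0"
2026-03-04T02:31:17 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T02:32:09 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T02:33:01 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T02:33:48 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T02:34:30 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T02:34:32 SRV-SQL02 jdoe POST 203.0.113.77 104857600 "python-requests/2.31"
2026-03-04T09:00:00 WS-0100 helpdesk1 GET www.microsoft.com 4096 "Mozilla/5.0"
"""

# Assumed environment knowledge: the one sanctioned bulk-upload destination.
APPROVED_UPLOAD_HOSTS = {"files.corp-approved.example"}
FILE_SHARING_DOMAINS = ("mega.nz", "mega.co.nz")
EXFIL_TOOL_UAS = ("rclone/", "megacmd", "megasync")
VOLUME_THRESHOLD = 500 * 1024 * 1024   # 500 MiB out per (host, destination)
LARGE_POST = 50 * 1024 * 1024          # a single request body worth counting
BURST_MIN_POSTS = 5                    # this many large requests to one host


def parse_line(line):
    ts, host, user, method, dst, nbytes, ua = shlex.split(line)
    return {"ts": ts, "host": host, "user": user, "method": method,
            "dst": dst, "bytes_out": int(nbytes), "ua": ua}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_file_sharing(dst):
    d = dst.lower()
    return any(d == dom or d.endswith("." + dom) for dom in FILE_SHARING_DOMAINS)


def find_exfil(records):
    """Return (rule, host, ...) findings for the three channels in the post."""
    findings = []
    volume = defaultdict(int)   # bytes out per (host, destination)
    posts = defaultdict(int)    # large PUT/POST count per (host, destination)
    for r in records:
        if r["method"] not in ("PUT", "POST"):
            continue
        if is_file_sharing(r["dst"]):
            f = ("file_sharing_upload", r["host"], r["dst"])
            if f not in findings:
                findings.append(f)
        if r["ua"].lower().startswith(EXFIL_TOOL_UAS):
            f = ("sync_tool_user_agent", r["host"], r["ua"])
            if f not in findings:
                findings.append(f)
        if r["dst"] not in APPROVED_UPLOAD_HOSTS:
            volume[(r["host"], r["dst"])] += r["bytes_out"]
            if r["bytes_out"] >= LARGE_POST:
                posts[(r["host"], r["dst"])] += 1
    for (host, dst), total in volume.items():
        if total >= VOLUME_THRESHOLD:
            findings.append(("bulk_egress", host, dst, total))
    for (host, dst), n in posts.items():
        if n >= BURST_MIN_POSTS:
            findings.append(("large_post_burst", host, dst, n))
    return findings


if __name__ == "__main__":
    for finding in find_exfil(parse_log(PROXY_LOG)):
        print(finding)
```

The approved-host check is what keeps the legitimate backup job on the first line quiet while the rclone run, the Mega upload and the scripted POST burst all surface; in a real deployment the allowlist and the byte thresholds are the parts that need tuning per environment, and the volume rule should be computed over a sliding window rather than the whole file.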

### Encryption

  • Encryption is deferred until exfiltration is complete.
  • Victim-specific ransomware binary (affiliate-customized).
  • .RansomHub or victim-specific extension on encrypted files.
  • Ransom note named How To Restore Your Files.txt, containing a Tor communication URL.

### Extortion

  • Double extortion: pay to decrypt + pay to prevent publication.
  • Victims listed on the RansomHub data-leak site with countdown timers.
  • Occasional triple extortion: contact the victim's customers directly after a deadline passes.
  • Occasional DDoS pressure on victims who don't negotiate.

## Notable RansomHub incidents

  • Change Healthcare / United Healthcare aftermath (2024). Following ALPHV's apparent exit scam on the Change Healthcare payment, a second extortion attempt was launched under the RansomHub brand with the same stolen data. Illustrated the affiliate-data-persistence problem: even after a ransom is paid, the data can be re-used by a different actor.
  • Halliburton (2024). Oil and gas services firm confirmed data exfiltration. RansomHub listed them on leak site. Public impact included temporary billing-system outages.
  • Kawasaki Motors Europe (2024). Production data exfiltrated. Listed on leak site.
  • Multiple US and EU healthcare, education, and manufacturing targets through 2025 and into 2026.

The target profile is consistent with ransomware ecosystem preferences: mid-market to large enterprise with enough revenue to pay six- to seven-figure ransoms, but lower security maturity than tier-1 tech firms.

## Why the affiliate model keeps reorganizing

  1. Affiliates are durable; operations are not. Takedowns hit infrastructure and operators, not the people who do intrusions. Experienced affiliates simply join the next operation.
  2. Specialization is stable. Initial access brokers stay in the access-brokering business. Negotiators stay in negotiation. Malware developers stay in development. Each vertical survives independent of any specific "brand."
  3. Competition among operations drives affiliate-favorable terms. 90% affiliate shares, better payout infrastructure, better victim-shaming platforms. Each generation of operation raises the floor.
  4. Law enforcement response is slower than ecosystem reorganization. Operation Cronos took 6+ months to plan. Affiliate migration to RansomHub happened in weeks.

## Defensive priorities in a post-LockBit world

The core defensive controls haven't changed, but the prioritization has:

### 1. Close the attack surface that IAB sellers harvest

Initial access brokers sell what is easy to acquire. Closing that surface against RansomHub affiliates in 2025-2026 means:

  • Patched FortiOS, Citrix, Ivanti, and similar edge VPN/SSL products.
  • MFA (ideally FIDO2) on all remote access.
  • No password reuse for admin or VPN accounts.
  • Removal of unneeded internet-exposed services.

### 2. Detect lateral movement, not initial breach

You may not catch the initial access. Instead, detect the activity that fills the 3-5 day dwell time before ransomware deploys:

  • SharpHound/BloodHound execution.
  • Unusual service-account password resets.
  • Remote Desktop or PowerShell Remoting to multiple hosts from one source.
  • Atera Agent, AnyDesk, TeamViewer installation on servers (unless IT standard).
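As an added example (not the author's code or tooling), here is a small Python hunt that applies the four signals above to constructed Windows event records: 4688 process creations naming an AD collector, RDP and PowerShell Remoting fanning out from one source (4624 logon type 10 keyed on source address, and wsmprovhost.exe process creations keyed on the account), 7045 service installs of RMM tools on servers, and 4724 password resets against service accounts by non-admins. The event samples, the SRV- server-naming convention, the svc_ account prefix, the IT-standard host list and the thresholds are all assumptions made for the example.

```python
"""Dwell-time hunt over constructed Windows event records (added example).
Sample events, host naming, account prefixes and thresholds are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields mirror what a SIEM
# normalises out of the Security (4624/4688/4724) and System (7045) logs.
EVENTS = [
    # Recon: SharpHound collector run on a workstation
    {"time": "2026-03-02T09:14:00", "id": 4688, "host": "WS-0412", "user": "jdoe",
     "process": r"C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe", "cmdline": "SharpHound.exe -c All"},
    # RDP fan-out: one source address reaching six hosts in 30 minutes
    *[{"time": f"2026-03-02T10:{m:02d}:00", "id": 4624, "host": h, "user": "jdoe",
       "logon_type": 10, "src_ip": "10.0.5.23"}
      for m, h in zip(range(0, 30, 5),
                      ["SRV-FS01", "SRV-SQL02", "SRV-APP03", "SRV-BKP01", "SRV-DC01", "WS-0777"])],
    # Benign: a helpdesk user RDPs to two machines (below threshold)
    {"time": "2026-03-02T11:00:00", "id": 4624, "host": "WS-0100", "user": "helpdesk1", "logon_type": 10, "src_ip": "10.0.9.9"},
    {"time": "2026-03-02T11:05:00", "id": 4624, "host": "WS-0101", "user": "helpdesk1", "logon_type": 10, "src_ip": "10.0.9.9"},
    # PowerShell Remoting fan-out: wsmprovhost.exe spawned on five targets for one account
    *[{"time": f"2026-03-03T08:{m:02d}:00", "id": 4688, "host": h, "user": "jdoe",
       "process": r"C:\Windows\System32\wsmprovhost.exe", "cmdline": "wsmprovhost.exe -Embedding"}
      for m, h in zip(range(0, 25, 5), ["SRV-FS01", "SRV-SQL02", "SRV-APP03", "SRV-WEB01", "SRV-BKP01"])],
    # Remote-access tool service installs
    {"time": "2026-03-02T12:30:00", "id": 7045, "host": "SRV-APP03", "user": "jdoe",
     "service": "AnyDesk Service", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"time": "2026-03-02T12:40:00", "id": 7045, "host": "SRV-HELPDESK", "user": "itadmin",
     "service": "AteraAgent", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    # Service-account password reset by an ordinary user
    {"time": "2026-03-02T13:05:00", "id": 4724, "host": "SRV-DC01", "user": "jdoe", "target_user": "svc_backup"},
]

# Assumed environment knowledge: server naming and where an RMM tool is IT-standard.
SERVER_PREFIX = "SRV-"
IT_STANDARD_RMM_HOSTS = {"SRV-HELPDESK"}
RECON_TOOLS = re.compile(r"(sharphound|bloodhound|adfind|netscan)", re.I)
RMM_TOOLS = re.compile(r"(anydesk|atera|teamviewer)", re.I)


def _t(e):
    return datetime.fromisoformat(e["time"])


def detect_recon(events):
    """4688 process creations whose image or command line names an AD collector."""
    return [e for e in events if e["id"] == 4688
            and (RECON_TOOLS.search(e.get("process", "")) or RECON_TOOLS.search(e.get("cmdline", "")))]


def _actor(e):
    """The 'one source' the fan-out rule keys on: source IP for RDP (4624 type 10),
    the account for PowerShell Remoting (wsmprovhost.exe created on the target)."""
    if e["id"] == 4624 and e.get("logon_type") == 10:
        return ("rdp", e["src_ip"])
    if e["id"] == 4688 and e.get("process", "").lower().endswith("wsmprovhost.exe"):
        return ("psremoting", e["user"])
    return None


def detect_fan_out(events, min_hosts=5, window=timedelta(hours=1)):
    """One actor reaching >= min_hosts distinct computers inside a sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        key = _actor(e)
        if key:
            by_actor[key].append(e)
    hits = []
    for key, evs in by_actor.items():
        evs.sort(key=_t)
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if _t(x) - _t(start) <= window}
            if len(hosts) >= min_hosts:
                hits.append((key, sorted(hosts)))
                break
    return hits


def detect_rmm_install(events):
    """7045 installs of AnyDesk/Atera/TeamViewer on servers not on the IT-standard list."""
    return [e for e in events if e["id"] == 7045
            and e["host"].startswith(SERVER_PREFIX)
            and e["host"] not in IT_STANDARD_RMM_HOSTS
            and (RMM_TOOLS.search(e.get("service", "")) or RMM_TOOLS.search(e.get("image", "")))]


def detect_service_account_reset(events, svc_prefix="svc_", admins=frozenset({"itadmin"})):
    """4724 password resets against service accounts by non-admin principals."""
    return [e for e in events if e["id"] == 4724
            and e.get("target_user", "").lower().startswith(svc_prefix)
            and e["user"] not in admins]


def run_hunt(events):
    return {"recon_tooling": detect_recon(events),
            "fan_out": detect_fan_out(events),
            "rmm_on_server": detect_rmm_install(events),
            "svc_account_reset": detect_service_account_reset(events)}


if __name__ == "__main__":
    for rule, findings in run_hunt(EVENTS).items():
        print(f"{rule}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f if isinstance(f, tuple) else {k: f[k] for k in ("time", "host", "user")})
```

Run as a script it prints one summary line per rule. The helpdesk user's two RDP sessions and the Atera install on the designated jump host stay quiet, which is the point: these rules only earn their keep once the thresholds and the IT-standard list reflect the environment, otherwise the 3-5 day window fills with noise rather than the affiliate's hands-on-keyboard activity.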

### 3. Segregate backup from AD

Compromised AD is assumed in every ransomware incident. Backup must survive AD compromise:

  • Immutable backup storage with separate auth (not AD-integrated).
  • Air-gapped or object-lock backups.
  • Regular restore testing.

### 4. Incident response plan assumes exfiltration happened

Double extortion is the default. Assume the data is already gone by the time encryption fires, and have the legal, PR, and customer-notification plans ready in advance.

### 5. Ransom decision-making framework in advance

  • Legal counsel on retainer with ransomware experience.
  • Cyber insurance with ransomware coverage + pre-approved incident response vendors.
  • OFAC compliance process for ransom payment (some RansomHub-affiliated individuals are sanctioned).
  • Board-level policy on whether payment is authorized.

## What this means for threat intelligence consumption

Treat every "new" ransomware operation as likely to contain 60-80% of the affiliates from whichever operation was disrupted most recently. The TTPs, the IOCs, the tooling, the target selection all carry over. A defender who hardened against LockBit is substantially hardened against RansomHub, DragonForce, Qilin, and whatever comes next.

Threat intel subscriptions should not be consumed as "this brand, that brand." They should be consumed as "the affiliate ecosystem is targeting X industries with Y technique set." The brand is a marketing layer on top of durable criminal capability.

## What Valtik tests for in a ransomware readiness assessment

  • Perimeter patch-level on edge VPN/SSL products.
  • Phishing-resistant MFA coverage on VPN and privileged accounts.
  • AD hardening (Protected Users, tier isolation, Kerberos armoring).
  • EDR tamper protection and log-forwarding redundancy.
  • Backup restore integrity + isolation from AD.
  • Exfiltration detection (DLP, egress controls, cloud storage blocking).
  • Tabletop walk-through with the current-wave TTPs (not generic "ransomware").
  • Incident response plan alignment with cyber insurance carrier expectations.

If you're in a RansomHub target industry and haven't done a ransomware tabletop in 12 months, schedule one. The operational cost of catching this early is a fraction of the cost of restoring after the fact.

Tags: threat intelligence, ransomware, ransomhub, lockbit, alphv, affiliate model, operation cronos, raas
