RansomHub: Anatomy of the Dominant RaaS Affiliate Program

RansomHub has grown into the most active ransomware-as-a-service operation of 2025–2026, displacing ALPHV/BlackCat and LockBit. An analysis of its affiliate structure, victim statistics, and targeting patterns.

By Ransomware Tracker · Sectors: healthcare, government, finance, critical infrastructure
Tags: RansomHub, RaaS, affiliate, data extortion, victim statistics

Overview

RansomHub emerged in February 2024, weeks before the ALPHV/BlackCat exit scam that stranded hundreds of affiliates after the Change Healthcare attack. The timing was not coincidental. RansomHub's initial recruitment messaging explicitly courted displaced BlackCat affiliates, offering a 90/10 affiliate/operator split (well above the 70/30 to 80/20 typical of the market), letting affiliates collect the ransom themselves and remit the operator's share rather than waiting on a payout from the core team, and promising that the administrators would never pull an exit scam.

By Q3 2024, RansomHub had become the most prolific ransomware group by victim count. By 2025 it was posting an average of 35–50 new victims per month on its data leak site — a volume that suggests a large, active affiliate base and operational discipline unusual in this ecosystem.

Organizational Structure

Unlike older RaaS groups that maintained tight operational control, RansomHub is highly decentralized. The core team provides:

  1. The encryptor toolset — cross-platform, with Windows, Linux, ESXi, and FreeBSD variants
  2. The negotiation portal — a Tor-hosted victim communication platform with automated triage
  3. The leak site — for publishing victim data on non-payment
  4. The affiliate panel — for tracking deployments, ransom status, and payouts

Affiliates supply everything else: initial access, lateral movement, data staging, and deployment. This clean separation is intentional. The RansomHub core team maintains plausible distance from individual intrusions, and affiliates bear the bulk of operational security risk.

Affiliate Recruitment and Vetting

RansomHub operates an open but selective recruitment process on underground forums, primarily on RAMP (Russian Anonymous Marketplace) and several referral-only Telegram channels. Prospective affiliates must:

  • Demonstrate access to at least one enterprise network (proof of access, not just claims)
  • Provide references from two existing affiliates or known threat actors
  • Complete a deposit of 0.5 BTC (refundable, but used as identity collateral)

Banned targets: RansomHub explicitly prohibits attacks on healthcare organizations in Russia/CIS countries, government entities in Russia/CIS, and non-profit hospitals globally — mirroring policies adopted by other Russian-linked groups to manage political exposure. These prohibitions are enforced through affiliate agreements and are reportedly violated occasionally, generating disputes resolved through the group’s internal arbitration process.

Encryptor Capabilities

The RansomHub encryptor is assessed by some analysts to incorporate code and design elements from ALPHV/BlackCat; others trace its lineage to the Knight (formerly Cyclops) codebase, whose source was offered for sale on underground forums in February 2024. Key technical characteristics:

  • Cross-platform implementation providing performance and portability (public sample analyses describe Go and C++ builds rather than the Rust codebase ALPHV itself used, which is one reason the lineage question remains open)
  • Intermittent encryption — encrypts configurable byte intervals of each file rather than the whole file, increasing throughput by 30–40% on large datasets; a side effect is that whole-file entropy checks barely register the change, since most bytes are left intact
  • Safe mode reboot capability on Windows — can change the boot configuration and reboot victim machines into safe mode with networking, where EDR and other security services that are not registered to run in safe mode never start, before encryption begins
  • Network share enumeration via SMB scanning and mounted drive detection
  • Active Directory integration — some variants accept domain credentials to authenticate against AD and enumerate hosts for lateral spread
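To make the intermittent-encryption bullet concrete, here is an added Python example written for this page (it is not RansomHub code, and it uses a SHA-256 counter-mode keystream purely as a stand-in for a real stream cipher so it runs with the standard library). It encrypts 1 KiB out of every 16 KiB of a constructed 256 KiB document and then compares two detection heuristics: Shannon entropy over the whole file, which barely moves, and the maximum entropy over aligned 1 KiB windows, which immediately exposes the encrypted stripes. The block size, stride, key and sample document are illustrative assumptions, not RansomHub's configuration.

```python
import hashlib
import math

# Constructed, highly compressible "document": one sentence repeated to 256 KiB.
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
PLAINTEXT = (SENTENCE * (262144 // len(SENTENCE) + 1))[:262144]


def keystream(key: bytes, block_index: int, length: int) -> bytes:
    """SHA-256 in counter mode, keyed per block. A stand-in so the example runs
    with the standard library only; it is NOT the cipher RansomHub uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + block_index.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes, encrypt_bytes: int, skip_bytes: int) -> bytes:
    """Encrypt `encrypt_bytes`, leave `skip_bytes` untouched, repeat to end of file.
    XOR with a per-block keystream, so calling it twice with the same parameters
    restores the plaintext."""
    out = bytearray(data)
    pos, block_index = 0, 0
    while pos < len(out):
        end = min(pos + encrypt_bytes, len(out))
        ks = keystream(key, block_index, end - pos)
        out[pos:end] = bytes(a ^ b for a, b in zip(out[pos:end], ks))
        pos = end + skip_bytes
        block_index += 1
    return bytes(out)


def encrypted_fraction(encrypt_bytes: int, skip_bytes: int) -> float:
    """Share of the file the encryptor actually touches."""
    return encrypt_bytes / (encrypt_bytes + skip_bytes)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4 for English text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def max_window_entropy(data: bytes, window: int) -> float:
    """Highest entropy over non-overlapping windows: catches encrypted stripes
    that a whole-file measurement averages away."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def demo(encrypt_bytes: int = 1024, skip_bytes: int = 15 * 1024) -> dict:
    key = b"illustrative key, not a real ransomware key"
    ct = intermittent_encrypt(PLAINTEXT, key, encrypt_bytes, skip_bytes)
    return {
        "fraction_encrypted": encrypted_fraction(encrypt_bytes, skip_bytes),
        "plain_whole_file": shannon_entropy(PLAINTEXT),
        "cipher_whole_file": shannon_entropy(ct),
        "plain_window_max": max_window_entropy(PLAINTEXT, 1024),
        "cipher_window_max": max_window_entropy(ct, 1024),
        "roundtrip_ok": intermittent_encrypt(ct, key, encrypt_bytes, skip_bytes) == PLAINTEXT,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v:.3f}" if isinstance(v, float) else f"{k:20} {v}")
```

With the default 1 KiB / 15 KiB pattern only 6.25% of the file is ciphertext, so whole-file entropy stays in the range of ordinary text while every sixteenth 1 KiB window reads as random. The practical point for detection engineering and backup integrity checks is that any entropy-based canary has to sample windows at a granularity at or below the encryptor's block size; a single per-file figure is not enough.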

The ESXi variant deserves particular attention. It uses the ESXi management API (when credentials are available) to gracefully shut down VMs before encrypting VMDK files, maximizing the likelihood of clean encryption and minimizing recovery options.

Victim Statistics: 2025–2026

Based on leak site postings, underground forum claims, and third-party intelligence, RansomHub’s victim profile for 2025–2026:

Volume: Approximately 480 confirmed victims posted to leak site in 2025; Q1 2026 pace suggests 550+ annually

Geographic distribution:

  • United States: 58%
  • European Union: 22%
  • Canada/Australia/UK: 11%
  • Rest of world: 9%

Sector breakdown:

  • Healthcare: 21% (hospitals, dental chains, healthcare IT vendors)
  • Government and education: 18%
  • Financial services: 16%
  • Manufacturing: 15%
  • Technology: 12%
  • Other: 18%

Ransom demand range: $500K–$20M initial ask; median settlement approximately $1.2M

Payment rate: Estimated 25–35% of victims pay (higher than the industry average, attributed to aggressive negotiation tactics and the leverage that exfiltrated data provides)

Targeting Methodology

RansomHub affiliates show consistent preferences in initial access vectors:

Initial access:

  • Exploiting public-facing applications: 41% (VPN appliances, web apps, Exchange)
  • Valid account abuse: 32% (credential phishing, credential stuffing, and access purchased from initial access brokers)
  • Phishing with malware payload: 18%
  • Supply chain/trusted relationship: 9%

Dwell time: Median 11 days from initial access to ransomware deployment. Notable outliers include a confirmed 47-day intrusion at a major healthcare system where the affiliate staged extensive data theft before triggering encryption.

Preferred post-exploitation tooling: Cobalt Strike remains dominant, but Sliver C2 usage is growing among RansomHub affiliates — likely reflecting law enforcement focus on Cobalt Strike and the availability of open-source alternatives.

The ALPHV Connection

Substantial technical and operational evidence connects RansomHub to former ALPHV/BlackCat affiliates and potentially to ALPHV core developers:

  • Overlapping encryptor code structure and configuration formatting
  • Shared infrastructure (IP addresses and ASNs observed in both ALPHV and RansomHub campaigns during the transition period)
  • Affiliate forum handles associated with ALPHV operations appearing in RansomHub recruitment threads
  • The affiliate behind the Change Healthcare intrusion, whose share of the roughly $22M ransom ALPHV collected was withheld in the exit scam, has been tentatively linked to subsequent RansomHub activity; Change Healthcare data was later listed on RansomHub's leak site

Whether RansomHub represents a direct rebranding or simply an opportunistic absorption of ALPHV talent remains debated among threat intelligence analysts.

Defensive Posture

RansomHub affiliates' targeting of edge devices (particularly Citrix NetScaler, Fortinet FortiGate, and Pulse/Ivanti VPN appliances) makes perimeter patch management critical: treat actively exploited CVEs in these products as emergency-priority patches with 24-hour SLAs, and check the appliance for signs of prior compromise rather than assuming a late patch closed the door. Phishing-resistant MFA on VPN and all other remote access blunts valid account abuse, which accounts for nearly a third of observed initial access. Because the encryptor can reboot Windows hosts into safe mode to get out from under security tooling, alert on boot-configuration changes and on hosts that unexpectedly come up in safe mode. With a median dwell time of 11 days, there is usually a window in which data staging and C2 traffic (Cobalt Strike, increasingly Sliver) can be caught before encryption begins.
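Since the encryptor can push hosts into safe mode before encryption, a detection for that step is worth having. The following Python is an added example for this page (not code from the page, from RansomHub, or from any vendor product) that runs four command-line rules over constructed Sysmon-style process-creation events and chains a safe-boot configuration change to a reboot on the same host within a configurable window. The event format, hostnames, user names and the "upd_svc" service name are invented for illustration; the commands themselves (bcdedit safeboot, the SafeBoot registry keys, shutdown /r) are the standard Windows mechanisms for forcing a safe-mode boot and for letting a service survive it.

```python
import json
import re
from datetime import datetime

# Constructed process-creation events in a Sysmon-like JSON shape. Hostnames,
# user names and the "upd_svc" service name are invented for this example.
SAMPLE_EVENTS = [
    r'{"ts":"2026-02-11T03:12:04","host":"WS-FIN-07","user":"CORP\\svc_backup","cmdline":"bcdedit /set {default} safeboot network"}',
    r'{"ts":"2026-02-11T03:12:05","host":"WS-FIN-07","user":"CORP\\svc_backup","cmdline":"reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\upd_svc /ve /t REG_SZ /d Service /f"}',
    r'{"ts":"2026-02-11T03:12:09","host":"WS-FIN-07","user":"CORP\\svc_backup","cmdline":"shutdown /r /f /t 0"}',
    r'{"ts":"2026-02-11T03:41:50","host":"WS-FIN-07","user":"CORP\\svc_backup","cmdline":"bcdedit /deletevalue {default} safeboot"}',
    r'{"ts":"2026-02-11T09:30:11","host":"WS-HR-02","user":"CORP\\jdoe","cmdline":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}',
    r'{"ts":"2026-02-11T09:31:00","host":"WS-HR-02","user":"CORP\\itadmin","cmdline":"shutdown /r /t 300 /c \"monthly patch window\""}',
]

# (rule name, severity, pattern). These are the standard Windows commands for
# forcing a safe-mode boot, letting a service run in safe mode, and rebooting.
RULES = [
    ("safeboot_config_set", "high",
     re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\s+(minimal|network)\b", re.I)),
    ("safeboot_service_persist", "high",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\SafeBoot\\(Minimal|Network)\\", re.I)),
    ("safeboot_config_delete", "medium",
     re.compile(r"\bbcdedit(\.exe)?\b.*/deletevalue\b.*\bsafeboot\b", re.I)),
    ("forced_reboot", "low",
     re.compile(r"\bshutdown(\.exe)?\b.*(?:/r|-r)\b", re.I)),
]


def match_rules(cmdline: str):
    """All (rule, severity) pairs whose pattern matches the command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmdline)]


def detect(lines, chain_window_s: int = 600):
    """Return one alert per matching event, plus a critical alert when a host
    reboots within chain_window_s seconds of a safe-boot configuration change."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: (e["host"], e["ts"]))
    alerts = []
    last_safeboot_set = {}  # host -> datetime of the most recent safeboot /set
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name, sev in match_rules(ev["cmdline"]):
            alerts.append({"rule": name, "severity": sev, "host": ev["host"],
                           "ts": ev["ts"], "cmdline": ev["cmdline"]})
            if name == "safeboot_config_set":
                last_safeboot_set[ev["host"]] = ts
            elif name == "forced_reboot" and ev["host"] in last_safeboot_set:
                delta = (ts - last_safeboot_set[ev["host"]]).total_seconds()
                if 0 <= delta <= chain_window_s:
                    alerts.append({"rule": "safe_mode_reboot_chain", "severity": "critical",
                                   "host": ev["host"], "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]:10} {a["severity"]:8} {a["rule"]:26} {a["cmdline"]}')
```

The low-severity reboot rule exists only to feed the chain: a scheduled `shutdown /r` on its own is routine, while a reboot seconds after `bcdedit ... safeboot network` on the same host is the sequence that precedes encryption. Administrators do occasionally set safeboot for legitimate recovery work, so the high-severity rules should be tuned against change tickets rather than suppressed outright, and the `/deletevalue` rule is worth keeping because the cleanup step is often the first thing visible after the host comes back up.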

Related Intelligence

  • Group Profile: Black Basta — The Ransomware Group That Thinks Like a Penetration Tester
  • Group Profile: LockBit 4.0: Resurgence After Operation Cronos