logo
Home/News/News article/

RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control

RansomHub Went Dark

Cybersecurity researchers have revealed that RansomHub's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among affiliates of the ransomware-as-a-service (RaaS) operation.

Singaporean cybersecurity company Group-IB said that this may have caused affiliates to migrate to Qilin, given that "disclosures on its DLS [data leak site] have doubled since February."

RansomHub, which first emerged in February 2024, is estimated to have stolen data from over 200 victims. It replaced two high-profile RaaS groups, LockBit and BlackCat, to become a frontrunner, courting their affiliates, including Scattered Spider and Evil Corp, with lucrative payment splits.

"Following a possible acquisition of the web application and ransomware source code of Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene, thanks to the dynamic features of its multi-platform encryptor and an aggressive, affiliate-friendly model offering substantial financial incentives," Group-IB said in a report.

RansomHub's ransomware is designed to work on Windows, Linux, FreeBSD, and ESXi as well as on x86, x64, and ARM architectures, while avoiding attacking companies located in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China. It can also encrypt local and remote file systems via SMB and SFTP.

The affiliate panel, which is used to configure the ransomware via a web interface, features a dedicated "Members" section where members of the affiliate group are given the option to create their own accounts on the device.

Affiliates have also been provided with a "Killer" module as of at least June 2024 to terminate and bypass security software using known vulnerable drivers (BYOVD). However, the tool has since been discontinued owing to high detection rates.

Per eSentire and Trend Micro, cyber-attacks have also been observed leveraging a JavaScript malware known as SocGholish (aka FakeUpdates) via compromised WordPress sites to deploy a Python-based backdoor connected to RansomHub affiliates.

"On November 25, the group's operators released a new note on their affiliate panel announcing that any attack against any government institution is strictly forbidden," the company said. "All affiliates were therefore invited to refrain from such acts because of the high risk and unprofitable 'return of investment.'"

GuidePoint Security, which has also observed the downtime of RansomHub infrastructure, said the chain of events has led to an "affiliate unrest," with rival RaaS group DragonForce claiming on the RAMP forum that RansomHub "decided to move to our infrastructure" under a new "DragonForce Ransomware Cartel."

It's worth noting that another RaaS actor called BlackLock is also assessed to have started collaborating with DragonForce after the latter defaced its data leak site in late March 2025.

"These discussions on the RAMP forums highlight the uncertain environment that RansomHub affiliates appear to be in at the moment, seemingly unaware of the group's status and their own status amidst a potential 'Takeover,'" GuidePoint Security said.

"It remains to be seen whether this instability will spell the beginning of the end for RansomHub, though we cannot help but note that the group that rose to prominence by promising stability and security for affiliates may now have failed or betrayed affiliates on both counts."

Secureworks Counter Threat Unit (CTU), which has also tracked DragonForce's rebrand as a "cartel," said the effort is part of a new business model designed to attract affiliates and increase profits by allowing affiliates to create their own "brands."

This is different from a traditional RaaS scheme where the core developers set up the dark web infrastructure and recruit affiliates from the cybercrime underground, who then conduct the attacks after procuring access to target networks from an initial access broker (IAB) in exchange for 70% of the ransom payment.

"In this model, DragonForce provides its infrastructure and tools but doesn't require affiliates to deploy its ransomware," the Sophos-owned company said. "Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a TOR-based leak site and .onion domain, and support services."

Another ransomware group to embrace novel tactics is Anubis, which sprang forth in February 2025 and uses a "data ransom" extortion-only option to exert pressure on victims by threatening to publish an "investigative article" containing an analysis of the stolen data and inform regulatory or compliance authorities of the incident.

"As the ransomware ecosystem continues to flex and adapt we are seeing wider experimentation with different operating models," Rafe Pilling, Director of Threat Intelligence at Secureworks CTU said. "LockBit had mastered the affiliate scheme but in the wake of the enforcement action against them it's not surprising to see new schemes and methods being tried and tested."

The development coincides with the emergence of a new ransomware family called ELENOR-corp, a variant of the Mimic ransomware, that's actively targeting healthcare organizations after harvesting credentials using a Python executable capable of stealing clipboard content.

"The ELENOR-corp variant of Mimic ransomware exhibits enhancements compared to earlier versions, employing sophisticated anti-forensic measures, process tampering, and encryption strategies," Morphisec researcher Michael Gorelik said.

"This analysis highlights the evolving sophistication of ransomware attacks, emphasizing the need for proactive defenses, swift incident response, and robust recovery strategies in high-risk industries like healthcare."

Some of the other notable ransomware campaigns observed in recent months are as follows -

  • CrazyHunter, which has targeted Taiwanese healthcare, education, and industrial sectors and uses BYOVD techniques to circumvent security measures via an open-source tool named ZammoCide
  • Elysium, a new variant of the Ghost (aka Cring) ransomware family that terminates a hard-coded list of services, disables system backups, deletes shadow copies, and modifies the boot status policy to make system recovery harder
  • FOG, which has abused the name of the U.S. Department of Government Efficiency (DOGE), and individuals connected to the government initiative in email and phishing attacks to distribute malware-laced ZIP files that deliver the ransomware
  • Hellcat, which has exploited zero-day vulnerabilities, such as those in Atlassian Jira, to obtain initial access
  • Hunters International, which has rebranded and launched an extortion-only operation known as World Leaks by making use of a bespoke data exfiltration program
  • Interlock, which has leveraged the infamous ClickFix strategy to initiate a multi-stage attack chain that deploys the ransomware payload, alongside a backdoor called Interlock RAT and stealers such as Lumma and BerserkStealer
  • Qilin, which has employed a phishing email masquerading as ScreenConnect authentication alerts to breach a Managed Service Provider (MSP) using an AitM phishing kit and launch ransomware attacks on its customers (attributed to an affiliate named STAC4365)

These campaigns serve to highlight the ever-evolving nature of ransomware and demonstrate the threat actors' ability to innovate in the face of law enforcement disruptions and leaks.

Indeed, a new analysis of the 200,000 internal Black Basta chat messages by the Forum of Incident Response and Security Teams (FIRST) has revealed how the ransomware group conducts its operations, focusing on advanced social engineering techniques and exploiting VPN vulnerabilities.

"A member known as 'Nur' is tasked with identifying key targets within organizations they aim to attack," FIRST said. "Once they locate a person of influence (such as a manager or HR personnel), they initiate contact via phone call."

Free online web security scanner

Top News: