Menu
Browse

Cyber Threat Actor: RansomHub

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
United States of America
8 incidents
Profile

RansomHub, also tracked as Cyberthieves, is a ransomware group that operates as a ransomware‑as‑a‑service provider. The group’s malware is written in Golang and has been linked to former members of the LockBit and ALPHV ransomware syndicates. Analysts have described the operation as being based in Russia, although the actor’s location is sometimes noted as the United States of America. RansomHub uses the alias Cyberthieves in some underground communications. Its business model relies on leasing the ransomware to affiliates who conduct the attacks.

RansomHub has shown a pattern of targeting organizations that hold sensitive personal or operational data, including healthcare providers, government agencies, and critical infrastructure facilities. Incidents have been reported against a tribal casino hotel in Minnesota, a Planned Parenthood affiliate in Montana, and the Florida Department of Health, all of which involved threats to leak patient or voter information. The group also struck a Swedish municipality, a Brazilian credit cooperative, and a bioenergy plant in Spain, demonstrating interest in both public‑sector and private‑sector targets across North America, Europe, and South America. While the actor’s public statements focus on financial extortion, the disclosed motives are consistently tied to ransom payments and the threat of data release. No evidence points to espionage or pure disruption as primary goals.

Initial access in several cases has been obtained through stolen credentials purchased from Russian‑language forums, as seen in the attack on the bioenergy plant’s SCADA system. The ransomware payload is delivered via the Golang‑based malware that affiliates deploy after gaining a foothold inside the victim network. Once inside, the actors exfiltrate data—often tens of gigabytes—before encrypting files and issuing double‑extortion demands that combine file locking with the threat of public disclosure. The group’s tooling includes standard ransomware utilities for lateral movement and credential harvesting, though no custom zero‑day exploits have been publicly attributed to it. Their reliance on a service model means that the specific TTPs can vary among affiliates, but the core malware and extortion routine remain consistent.

One illustrative incident involved the Lower Sioux Indian Community’s Jackpot Junction Casino Hotel, where the attack forced the shutdown of slot machines, phone service, bingo events and reservation systems after the group claimed responsibility on a dark web forum. In another case, RansomHub asserted the theft of 93 GB of data from Planned Parenthood of Montana and warned of a leak unless a ransom was paid. The Florida Department of Health faced a similar claim of 100 GB of potentially sensitive information, including vaccine and medical‑marijuana records, which disrupted the issuance of birth and death certificates. A Brazilian credit cooperative had internal documents, source code and employee data posted on the dark web after the group alleged access to internal vulnerabilities. Finally, the attack on Bjurholms kommun in Sweden resulted in the alleged exfiltration of 100 GB of data and a total shutdown of internal systems and broadband services, highlighting the group’s impact on municipal operations.

Incidents
Attributed incidents available to members
8 incidents
Sources
Sources available to members
0 sources