RansomHub
RansomHub is a ransomware-as-a-service (RaaS) group that first appeared in February 2024 and became one of the most prolific ransomware groups to emerge after the 2024 disruption of LockBit and the demise of ALPHV/BlackCat. It is also tracked as Spoiled Scorpius. Reporting describes RansomHub as highly active and affiliate-driven, with links or associations noted to other groups including Play, Medusa, and BianLian; some reporting describes Scattered Spider as an affiliate or partner. In broader incident reporting the group is associated with rapid, goal-oriented intrusion behavior and double-extortion ransomware activity.

A distinguishing feature of RansomHub is that its operators developed and maintained a proprietary EDR-killing tool, EDRKillShifter, and offered it to affiliates directly through the affiliate panel. Multiple sources describe this as unusual among RaaS programs, singling out RansomHub as having built an in-house EDR killer for affiliate use. Incident reporting has also linked the group to deployment chains involving Poortry and Stonestop prior to attempted ransomware execution.

The reporting associates RansomHub with several access and tooling ecosystems. It has been observed exploiting Splashtop to gain access to victim systems, maintain persistence, and in some cases facilitate access sales. It has also been identified as a follow-on ransomware consumer of SocGholish/FakeUpdates access. Huntress reporting characterizes RansomHub as an actor that often enters environments with a clear plan and moves quickly.

The reporting also describes ecosystem relationships and later disruption. RansomHub has been mentioned in connection with DragonForce, including claims of partnership, takeover activity, and later reports that DragonForce claimed to have taken over RansomHub infrastructure. One source states RansomHub went offline in April 2025, and another says the group was taken over by DragonForce and shut down completely; some researchers suggested part of the group migrated to Qilin. A RansomHub member also claimed that both RansomHub and DragonForce had FSB contacts, but this is an accusation rather than established fact.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
51 distinct techniques observed across reporting, grouped by tactic, each backed by an evidence excerpt and mapped to MITRE's full description.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a prominent RaaS operation that provided affiliates with a single in-house EDR killer, EDRKillShifter, contrasting with Gentlemen’s broader tooling portfolio.
Named as a threat actor using SocGholish-associated access or delivery infrastructure for follow-on activity.
Named as one of several ransomware groups that used SocGholish infections as an entry point for follow-on attacks.
Referenced as a ransomware group that previously leveraged the same kinds of initial access points used in the SocGholish pipeline to gain deeper access into corporate networks.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.