RansomHub operates like a well-oiled machine, recruiting affiliates (the cybercriminals who do the dirty work of launching attacks) and providing them with ransomware payloads for both Linux and Windows endpoints. Their true innovation, however, lies in their multi-level access intended to attract various levels of cybercriminals, ranging from low-skilled newer entrants to the scene to experienced threat actors looking for larger targets. Through this process, these RansomHub customers receive additional support and customized tooling from RansomHub if they’re willing to pay a higher price, a tiered business model easily adapted to an alarmingly wide range of potential threat actors.
Given that they were the most active ransomware group in 2024, it’s clear that RansomHub is a menace that should be studied and broken down so that organizations can have an educated response to their tactics. From as early as May 2024, RansomHub had already shifted its focus to OT environments, specifically onto SCADA systems, indicating that they are deliberately targeting interconnected systems for “maximum impact”, according to Cyber Express. Their sophistication is further supported by the way they carry out their attacks. For the sake of simplicity, their attacks can be broken down into the following objectives:
- Weaponizing Trust and Credentials
- Evading Defense Undetected
- Dominating the Network
- Extorting the Target
Weaponizing Trust and Access
RansomHub affiliates achieve initial access through a number of methods, most of which hinge on the victim placing their trust in the wrong person.
Phishing emails
Victims can be tricked into compromising their systems by clicking on malicious attachments or links in emails sent by an adversary impersonating a trusted source—the tried-and-true social engineering approach.
Spear-phishing
To better convince the victim the impersonator is the real deal, some affiliates employ this targeted cyberattack instead. Some have been observed using voice scams for this purpose, going so far as employing speakers with American accents for increased credibility.
Password spraying
The affiliate uses a common or reused password on many accounts, like a burglar using the same lockpick on every door in the building.
Exploitation of known vulnerabilities
Some vulnerabilities commonly exploited by RansomHub are detailed in the CISA website’s advisory. Let’s look at two noteworthy examples:
a. The Zerologon vulnerability (CVE-2020-1472): This allows attackers to exploit a flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC). Though this exploit is an old one, it is scored 10 out of 10 in the CVSS, the maximum possible severity. When successfully exploited, this flaw allows an attacker not only initial access but Domain Admin privileges, the highest level of access in an Active Directory environment. This shows the way RansomHub affiliates benefit from using such sophisticated tactics—their methods tend to kill two or more birds with one stone.
b. The Citrix ADC vulnerability (CVE-2023-3519): Citrix ADC, a widely used application delivery controller, is frequently leveraged by RansomHub affiliates to gain a foothold on the target’s network. This flaw allows unauthenticated attackers to execute code remotely—giving them the power to compromise a system without credentials, deploy payloads (malware, reverse shells, etc.), and gain access to an internal network.
Employing Initial Access Brokers
Recently, these agents who sell vulnerabilities and credentials to affiliates have emerged on the scene. RansomHub affiliates frequently make use of them to expedite their work, freeing the affiliates up to focus on other parts of the attack chain.
Evading Defense Undetected
Once they’ve successfully broken into the network, it now becomes a priority to stay undetected long enough to successfully carry out an attack.
Discovery
The attacker scans the environment with a combination of Living off the Land (LotL) tools like PowerShell and open-source tools such as Angry IP Scanner and NetScan. PowerShell, a legitimate and pre-installed scripting language in Windows environments, could be the poster child for LotL. Because it is built into the system, its behavior won’t trigger the alerts traditional malware would, and it can proceed to quietly survey and identify user profiles and accounts, query network configurations, scan for accessible hosts, and even facilitate remote execution. Open-source tools like Angry IP Scanner, Nmap, and NetScan map out the network, identify live hosts, and uncover vulnerable assets. Used in conjunction, the combined forces of LotL tools and open-source tools allow attackers to navigate a compromised network without detection and plan their next move with more information.
However, the impact of PowerShell doesn’t stop there. Not only can it help threat actors map out the newly compromised territory in the beginning of the attack, but it can cover their tracks after they’ve done their nefarious work. The command line utility vssadmin.exe, often invoked through PowerShell, can be used to silently delete all existing Volume Shadow Copy Service (VSS) snapshots. Typically, this silent deletion happens during ransomware deployment, neutralizing the Windows backup and restore function. With that neutralized, full recovery is delayed, and forensic analysis is impeded.
Defense Evasion
Stealth is so crucial for defense evasion—if the affiliate is detected, defenses can be triggered, and the whole attack would be contained. Unsurprisingly, they use a multi-layered strategy for defense evasion, which includes:
- EDRKillShifter
Used to terminate EDR (Endpoint Detection and Response) products by exploiting vulnerable drivers. This tactic is a textbook example of BYOVD (Bring Your Own Vulnerable Driver), where a legitimate but exploitable driver is introduced into the system. EDRKillShifter acts as a loader that decompresses and installs the vulnerable driver, then abuses the flaws within that vulnerable driver to gain kernel-level privileges over the system and disable EDR and antivirus tools—all without setting off alerts. Crucially, this strategy ensures that malware can run freely once the system is compromised. Several batch scripts are deployed, each with a specific role:
- 232.bat: Used for password spraying and disabling real-time Windows Defender protection.
- tdsskiller.bat: Alters registry settings and resets default CLI programs, then uses wildcards and filters to forcefully terminate a broad range of processes, including antivirus services.
- killdeff.bat: Executes encrypted PowerShell commands to manipulate Defender settings, registry keys, UAC prompts, and escalate privileges using obfuscated and conditional logic.
- LogDel.bat: Clears evidence by modifying the Default.rdp file attributes and changing Remote Desktop Protocol (RDP) settings in the registry. It also uses wevtutil to wipe Windows event logs, hindering forensic efforts.
- Safe Mode Encryption
RansomHub doesn’t just encrypt files—they do it with surgical precision. The ransomware includes parameters like -safeboot or -safeboot-instance to force a reboot into Safe Mode, a diagnostic state in which most security software does not run. Thus, encryption can take place undisturbed and unstoppable. Once complete, the malware appends file extensions derived from the ransom note, such as .1d7fdb, signaling successful encryption.
Combined, these methods reveal a group that knows how to stay quiet until it’s too late. Their use of pre-installed tools, custom scripts, kernel-level evasion, and forensic destruction demonstrate a deeply strategic and stealthy approach to ransomware deployment.
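As an added example that is not part of the original article or any cited vendor report, the following Python snippet runs regex detections for the anti-forensic and Safe Mode tradecraft described above (vssadmin shadow deletion, wevtutil log wiping, forced Safe Mode boots, Defender real-time protection tampering, encoded PowerShell) over constructed JSON-lines process-creation events, and flags hosts where several of these steps occur together. Rule names, field names, hosts and command lines are this example's own assumptions, not RansomHub or vendor identifiers.

```python
import json
import re

# Case-insensitive regexes over a process command line. Each rule maps to one of
# the evasion steps described in the text; names are this example's own.
RULES = {
    "vss_delete":      r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "eventlog_wipe":   r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b",
    "safeboot_bcd":    r"\bbcdedit(\.exe)?\b.*\bsafeboot\b",
    "safeboot_flag":   r"\s-safeboot(-instance)?\b",
    "defender_rt_off": r"DisableRealtimeMonitoring\b.*?(\$true|\b1\b)",
    "encoded_ps":      r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation events (Sysmon Event ID 1 reduced to the fields the
# rules need). Hosts, users and command lines are made up for this example; the
# last line is deliberately malformed to exercise the parser's error handling.
SAMPLE_LINES = [
    r'{"host": "WS-01", "user": "jdoe", "cmd": "vssadmin.exe delete shadows /all /quiet"}',
    r'{"host": "WS-01", "user": "jdoe", "cmd": "wevtutil cl Security"}',
    r'{"host": "WS-01", "user": "jdoe", "cmd": "bcdedit /set {default} safeboot minimal"}',
    r'{"host": "WS-01", "user": "SYSTEM", "cmd": "C:\\ProgramData\\payload.exe -safeboot"}',
    r'{"host": "SRV-02", "user": "svc_backup", "cmd": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"}',
    r'{"host": "SRV-02", "user": "svc_backup", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"host": "WS-03", "user": "backup-admin", "cmd": "vssadmin.exe list shadows"}',
    r'this line is not JSON',
]

def match_rules(cmd: str) -> list[str]:
    """Return the names of every rule whose regex hits the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmd)]

def scan(lines: list[str]) -> list[dict]:
    """Parse JSON-lines events and emit one finding per (event, matched rule)."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        for rule in match_rules(ev.get("cmd", "")):
            findings.append({"rule": rule, "host": ev.get("host"),
                             "user": ev.get("user"), "cmd": ev["cmd"]})
    return findings

def hosts_at_risk(findings: list[dict], min_rules: int = 2) -> list[str]:
    """Hosts on which at least min_rules distinct rules fired. A lone vssadmin
    call can be admin work; several evasion steps on one host rarely are."""
    per_host: dict[str, set[str]] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmd']}")
    print("hosts with multiple evasion steps:", hosts_at_risk(results))
```

The benign "vssadmin.exe list shadows" line produces no finding, which is the point of matching on the delete verb rather than the binary name alone.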
Dominating the Network
Here we describe how RansomHub affiliates methodically take over the system they’ve infiltrated. Having utilized tools like Angry IP Scanner and Nmap to get their bearings, they move smoothly into credential access and privilege escalation, lateral movement, persistence, and command-and-control operations. All these processes are intricately interconnected, but they all serve the ultimate goal of maintaining control over as much of the network as possible for as long as needed.
Credential Access and Privilege Escalation
Using tools like Mimikatz or the Windows Task Manager to dump credentials from the LSASS process, attackers escalate privileges to system-level access. LSASS, or the Local Security Authority Subsystem Service, is a crucial process in Windows that handles authentication and stores sensitive credentials like NTLM hashes, plaintext passwords, and Kerberos tickets in memory. By extracting this data, attackers can impersonate users, access critical systems, and expand their control.
They further entrench themselves by creating new user accounts or re-enabling disabled ones, often modifying registry keys for persistence (granting them continued access even if some intrusion paths are shut down). This shows the degree of foresight they have, preparing for every contingency, making them a relentless force to be reckoned with.
Lateral Movement
While it looks like it’s simply spreading out, lateral movement is actually about strategic advancement within the network—paving the way for the threat actor to reach the crown jewels and making sure there’s no easy way for the victim to kick the intruder out before real damage is done. RansomHub affiliates fan out across the victim’s internal environment—seeking high-value targets (such as PII data), establishing persistence, and setting the stage for encryption and exfiltration in a way that maximizes pressure on the victim to pay (in essence, coordinating the attack to hit all critical systems at once). Equipped with elevated credentials, RansomHub affiliates:
- Use RDP, PsExec, SMB/Windows Admin Share, ConnectWise, and AnyDesk to access and execute commands on remote systems
- Deploy malware via RDP buffer injection (Lateral Tool Transfer)
- Leverage PowerShell scripts, NetScan, and AngryIPScanner to identify critical systems and map network structure
- Upload tools to shared folders on NAS devices to stage attacks and establish presence in backup storage
Command and Control (C2)
Once they’ve established their footing and lateral movement has been achieved, RansomHub affiliates must maintain real-time communication with compromised systems. This is where Command and Control (C2) infrastructure comes in. It enables attackers to issue commands remotely to infected hosts, securely exfiltrate data, deploy additional payloads or updates and coordinate encryption timing across the network.
C2 traffic is often encrypted and disguised as legitimate traffic. For instance, communication may occur over HTTPS, DNS tunneling, or even Tor hidden services to evade detection. RansomHub affiliates are known to use a blend of open-source and commercial remote administration tools that provide flexibility while blending into legitimate network activity:
- Atera, Splashtop, and AnyDesk: These commercial remote access tools are designed for IT support, making their presence on a network less suspicious. Affiliates often install and configure these for stealthy, persistent access.
- Ngrok and Remmina: These tools allow secure tunneling to internal systems. Ngrok, in particular, exposes local services through secure tunnels without requiring a VPN, making it useful for avoiding detection by perimeter defenses.
- Cobalt Strike and Metasploit: These penetration testing frameworks are frequently abused by ransomware actors. Once inside, they allow for the creation of beacons, backdoors, and shellcode payloads. With Cobalt Strike, for example, an attacker can quietly monitor systems, manage multiple sessions, and execute post-exploitation modules on-demand.
Persistence and C2 access may be maintained until the ransomware has been deployed, the ransom note issued, and victim communications begin. In RansomHub’s case, affiliates appear to keep C2 sessions open until encryption is complete, using them not just for orchestration but also for negotiation and support. As noted in public reporting (Trend Micro, Darktrace), some affiliates maintain access well into the negotiation stage, potentially for confirming ransom payment, assisting victims in decrypting data, or ensuring that the affiliate honors the ‘deal’, thereby preserving RansomHub’s criminal reputation. These post-encryption C2 activities mirror a customer support channel—reinforcing RansomHub’s business-like structure and focus on affiliate management.
The sum of these efforts illustrates a threat actor that operates like a disciplined strike team: exploiting access, spreading rapidly, and holding critical systems hostage with a tight operational grip.
Extorting the Target
Finally, when it comes to extorting their targets, RansomHub employs double-extortion—a devastating combination of data exfiltration followed by encryption.
Data Exfiltration
As noted in our annual security report, RansomHub ransomware does not inherently include data exfiltration capabilities, unlike most of its peers in the double extortion space. Instead, affiliates perform exfiltration separately using tools such as Rclone, WinSCP, PuTTY, FileZilla, and HTTP POST requests to attacker-controlled infrastructure, as documented by Trend Micro and Group-IB. These tools are often used to siphon sensitive data to attacker-controlled cloud storage or servers. The fact that data exfiltration is a separate step from encryption shows that within the broader RaaS model, attack steps can be customized or executed manually on a modular level by the affiliate, showcasing once again how adaptable and flexible their operations are. Some affiliates also utilize SSH-based exfiltration techniques, quietly sending stolen data over a secure tunnel that is more difficult to detect, as noted in Darktrace’s reporting on ShadowSyndicate-linked campaigns.
Encryption
Following exfiltration, encryption is launched with precision—encryption is what announces to the victim organization that something is terribly wrong. At this point, they will be hit with the double whammy of being locked out of their systems and the threat of data breach. This is the sucker punch of double-extortion tactics; between a rock and a hard place is understating it. RansomHub’s payloads support intermittent encryption—encrypting files in chunks—to speed up the process while rendering data unusable. Curve25519, AES, and ChaCha20 encryption algorithms are deployed depending on the target system (ESXi, Linux, or Windows), as confirmed by SentinelOne and Cyble. Shadow copies are erased using vssadmin.exe, ensuring recovery options are wiped clean.
Extortion
Once encryption is complete, the victim receives a ransom note—often dropped post-encryption with filenames like README_[a-zA-Z0-9]{6}.txt—with instructions to contact the attackers via the Tor network. CISA reports that no initial ransom amount is usually included. Instead, victims are pressured into contact, after which negotiation timelines (ranging from 3 to 90 days) are imposed before their data is leaked.
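As an added example that is not part of the original article, this Python scanner looks for the two on-disk artifacts described above, the README_[a-zA-Z0-9]{6}.txt ransom note and a cluster of files sharing one appended extension such as .1d7fdb, and combines them into a verdict an incident responder could act on. The assumption that the appended extension is six lowercase hex characters placed after the original extension, the thresholds, and the sample file tree are this example's own.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note filename pattern as reported by CISA and quoted in the text.
NOTE_RE = re.compile(r"^README_[a-zA-Z0-9]{6}\.txt$")
# Assumption for this example: the appended extension is six lowercase hex chars
# and sits after an original extension, e.g. "report.docx.1d7fdb".
APPENDED_EXT_RE = re.compile(r"^(.+\.[A-Za-z0-9]{1,5})(\.[0-9a-f]{6})$")

def scan_tree(root: Path) -> tuple[list[Path], Counter]:
    """Return the ransom notes found and a count of files per appended extension."""
    notes: list[Path] = []
    ext_counts: Counter = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if NOTE_RE.match(path.name):
            notes.append(path)
        elif (m := APPENDED_EXT_RE.match(path.name)):
            ext_counts[m.group(2)] += 1
    return notes, ext_counts

def assess(root: Path, min_encrypted: int = 3) -> dict:
    """Notes alone or a few renamed files are 'suspicious'; notes plus a cluster of
    files sharing one unknown suffix is 'likely_ransomware'."""
    notes, ext_counts = scan_tree(root)
    suspect_ext, count = ext_counts.most_common(1)[0] if ext_counts else (None, 0)
    if notes and count >= min_encrypted:
        verdict = "likely_ransomware"
    elif notes or count:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"notes": len(notes), "suspect_ext": suspect_ext,
            "encrypted_files": count, "verdict": verdict}

def demo() -> dict:
    """Build a constructed file tree in a temporary directory and assess it."""
    sample = [  # constructed: three "encrypted" files, two notes, two untouched files
        "docs/report.docx.1d7fdb", "docs/budget.xlsx.1d7fdb", "docs/README_a1B2c3.txt",
        "hr/contract.pdf.1d7fdb", "hr/photo.jpg", "hr/README_a1B2c3.txt", "it/notes.txt",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in sample:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("constructed sample content")
        return assess(root)

if __name__ == "__main__":
    print(demo())
```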
Importantly, RansomHub’s negotiation model reflects its business-minded approach. If an affiliate fails to provide a decryptor after payment, RansomHub claims it will intervene, supply the decryptor, and ban the non-compliant affiliate. This customer-service ethos helps maintain the group’s reputation and ensures future targets see them as “reliable” criminals.
Mitigation Strategies
Forewarned is forearmed. Now that the ins and outs of RansomHub’s operations have been investigated and examined, it’s clear that such a dangerous operation necessitates the construction of defense mechanisms and mitigation strategies. As sophisticated and multilayered as the attackers are, the only choice for defenders is to match them and beat them at their own game.
The following practices can help limit exposure:
- Multi-Factor Authentication (MFA): Enforce MFA across all remote and privileged access points to prevent the misuse of stolen credentials.
- Patch Management: Regularly apply software updates and prioritize critical vulnerabilities such as CVE-2020-1472 (Zerologon) and CVE-2023-3519 (Citrix ADC). Virtual patching in particular is a crucial safety net for OT environments where downtime isn’t an option. Instead of updating system software—which can cause disruptions—it places a protective barrier around vulnerable devices. This helps block attacks in real time without stopping operations. Against groups like RansomHub, who rely on known vulnerabilities, virtual patching can buy critical time for remediation.
- Endpoint Detection and Response (EDR): In OT environments, IT-centric EDR often falls short and can place unnecessary strain on system resources. Legacy systems like Windows XP remain in use, and traditional tools may misinterpret normal OT activity as malicious, triggering costly disruptions. This discourages many organizations from deploying them at all. Instead, use OT-specific EDR solutions that minimize performance impact while delivering behavioral detection, kernel-level monitoring, and the ability to identify tools like Mimikatz, PowerShell abuse, and unusual batch script execution.
- Network Segmentation: Implement segmentation between IT and OT networks, as well as critical systems, to prevent lateral movement.
- Allowlist-Based Access Control: Define strict application control policies and allowlisting to reduce the risk of unauthorized tool execution.
- Backup Strategy: Maintain encrypted, regularly tested backups stored offline and offsite. Ensure shadow copy protection is enforced to counter vssadmin.exe-based deletion.
- Credential Management: Enforce strong password policies, monitor for reused or default credentials, and rotate credentials regularly.
- Incident Response Readiness: Develop, rehearse, and update your incident response plan. Include clear procedures for isolation, forensic analysis, and external communication.
- Monitor for Indicators of Compromise (IOCs): Stay up to date with known IOCs from CISA, Trend Micro, and other threat intel sources. Proactively search for these indicators in your environment.
- Security Awareness Training: Equip employees with knowledge about phishing, spear-phishing, and voice scams to reduce the likelihood of social engineering success.
These defenses—when integrated into a unified strategy—can drastically reduce the likelihood of a successful RansomHub attack or limit its impact if one does occur.
In Conclusion
RansomHub’s rapid ascent and aggressive tactics mark more than just another chapter in the ransomware saga — they represent a dangerous evolution in the cybercrime ecosystem. By delivering a highly functional Ransomware-as-a-Service (RaaS) platform with structured tiers, generous profit-sharing, and reputational guarantees, RansomHub has restored faith in the cybercriminal underground after high-profile exit scams like ALPHV’s.
Their willingness to target critical infrastructure, including OT and SCADA systems, brings cyber risk into the physical world and can threaten healthcare delivery, energy supply, and public safety. Additionally, their adoption of a “customer support” posture — ensuring affiliates deliver decryptors and upholding negotiated agreements — adds a new layer of psychological warfare: victims are coerced not just through fear, but through the promise of reliable resolution.
More broadly, RansomHub’s success speaks to systemic weaknesses: lingering vulnerabilities like Zerologon, inconsistent implementation of MFA, unpatched systems, and the widespread availability of legitimate remote access tools ripe for abuse.
Ultimately, RansomHub’s success proves one thing: this is not a fringe problem. It’s a business model that works—and that should alarm defenders, policymakers, and the public alike.
- https://digital.txone.com/media/txone-networks-2024-annual-ics-ot-cybersecurity-report/the-changing-threat-landscape-of-ot-environments#block-7f17d0c2-04b5-4689-88ca-e5c8df6a82f3
- https://thecyberexpress.com/RansomHub-group-strikes-ics/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://www.trendmicro.com/en_us/what-is/zerologon.html
- https://www.trendmicro.com/zh_tw/research/24/i/how-RansomHub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html
- https://www.darktrace.com/blog/RansomHub-ransomware-darktraces-investigation-of-the-newest-tool-in-shadowsyndicates-arsenal
- https://www.group-ib.com/blog/RansomHub-never-sleeps-episode-1/
- https://www.sentinelone.com/anthology/RansomHub/
- https://cyble.com/blog/critical-advisory-on-RansomHub-ransomware-a-comprehensive-analysis-and-mitigation-guide/