
Are There Signs of RansomHub Shutting Down… And Who Is DragonForce?

Contributors: Niranjan Jayanand, Madhuri Syamakala, Venkatesh Bolla 

Executive Summary 

  • On 01 April, researchers reported RansomHub infrastructure going offline and signs that its affiliates may be joining another RaaS, Qilin. This is not new in the ransomware world, where affiliates are routinely hired across groups, encryptor code is reused, and ransomware operations are rebranded. 
  • RansomHub remained one of the most active human-operated ransomware groups over the last 12 months and is reported to have targeted 600+ organizations. The group is known to target Windows, Linux, ESXi and FreeBSD platforms and is capable of encrypting files on local and remote file systems via SMB and SFTP.  
  • RansomHub is also known to infect users through SocGholish, a well-known JavaScript-based malicious loader active since at least 2020. CyberProof customers are well-protected against SocGholish campaigns. 

Technical Details 

Global ransomware threats have not slowed down since the beginning of 2025. The statistics below, drawn from public research, show the most active ransomware groups. Reports identify the threat actors as Scattered Spider, who have been known to act as affiliates for various ransomware operations, including RansomHub, Qilin, and now DragonForce.

In 2024, RansomHub caught the world’s attention when Change Healthcare was targeted by the group and by ALPHV, and the organization had to pay a whopping ransom of $22 million USD. 

Screenshot of a WIRED article discussing Change Healthcare paying a ransom to hackers, with a highlighted sentence noting that Bitcoin's blockchain confirmed the payment.

After BlackCat operators pulled an exit scam, the disgruntled affiliate may have leaked the allegedly stolen data in order to sell it to other cybercriminals – possibly to RansomHub.  

Chat interface showing a conversation about healthcare data, with one user introducing themselves as the admin of vx-underground and discussing the attention their post received.

RansomHub later listed the victim on its leak site, claiming to be in possession of the 4TB of stolen data. 

RansomHub is known to target multiple critical sectors including manufacturing, healthcare, and financial services, with a particular focus on organizations in the United States and Europe. On 01 April 2025, DragonForce claimed that some affiliates had already joined other groups, signaling possible instability within the group (possibly through new hiring within Qilin, which would explain the surge of new victim names announced on Qilin’s DLS in recent weeks). 

A forum post announces that RansomHub will move to DragonForce’s infrastructure, with links to their blog and client. Despite recent signs of groups shutting down, this partnership signals a new chapter for both ransomware operations.

DragonForce’s most recent and highest-impact attack was reported to hit Marks and Spencer, resulting in a loss of more than 700 million pounds ($930m) in its market value. Mandiant and a public report have suggested that the threat actors used tactics consistent with Scattered Spider to target a UK retail organization and deploy DragonForce ransomware. Subsequent reporting by BBC News indicates that actors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. Learn more about these coordinated attacks on UK retailers.

Code Similarity Between RansomHub and Knight Ransomware 

The two images below show some level of code sharing between these two ransomware strains. The samples considered for this quick review are: 

  • RansomHub – EEC3A55B1599EEE16A47954E1BB230EC99DB5F96 
  • Knight – 63C31BCDA20194821D142A0ED131EB32649AA32E 
Side-by-side screenshots of disassembled code for the two samples.

Both support similar arguments for execution as shown below: 

Two command prompt windows display the help menus of the two ransomware executables.

Recorded Future has shared a visual representation on similarities seen between BlackCat/ALPHV, RansomHub, and Knight as shown below:

Venn diagram comparing the command sets of RansomHub, ALPHV, and Knight ransomware, highlighting their unique and shared commands as well as signs related to shutting down during attacks.

Source: Recorded Future 

Malware, Tools and Exploits Used

A table listing tactics and tools used in a cyber attack, including groups like DragonForce and RansomHub, with columns for each attack phase: Execution, Privilege Escalation, Discovery, Command and Control, and Impact.

Source: TrendMicro 


Conclusion 

Ransomware groups becoming inactive and resurging under a new brand is not new. We expect a rise in activity tied to DragonForce operating as a cartel in the coming months. Our team of researchers will continue to review malicious files at the code level and perform additional analysis to enrich our knowledge base on threat groups and TTPs, and to develop detection logic that stays ahead of targeted attacks by cyber criminals.  

At CyberProof, our strong cross-team collaboration between SOC, MEDR, UCM, Automation, Engineering and R&D has successfully mitigated multiple intrusions in the first quarter of 2025. We will continue to focus on high-impact threat groups in the coming months and shall report if we find any interesting stories. Please review the MITRE ATT&CK Navigator for RansomHub to learn more about the group’s TTPs. 


Indicators of Compromise 

Recommendation 

  • Ensure Multi-Factor Authentication (MFA) is implemented for all accounts and applications (e.g., VPNs) 
  • Regularly audit inventory and logs
  • Implement regularly scheduled backups and recovery processes  
  • Review and ensure regular patch management
  • Leverage cyber threat intelligence to stay ahead of threat actors targeting your organization directly or through indirect business partners (e.g., mergers and acquisitions)
  • Ensure regular scans using up-to-date EDR solutions
  • Limit the exposure of services by disabling unused ports
  • Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization

How CyberProof Can Help 

CyberProof Advanced Threat Hunters are skilled at hunting across different security platforms, building new hypothesis-driven queries to stay ahead of the threat landscape. We learn from telemetry around the clock to identify how attackers modify their TTPs to challenge our researchers. We continue to focus heavily on malicious loaders such as SocGholish, IDAT loader (HijackLoader) and RATs, in order to alert on and block early-stage attacks.