Researchers Uncovered RansomHub Operation and Its Relation With Qilin Ransomware


Security researchers have identified significant connections between two major ransomware-as-a-service (RaaS) operations, with evidence suggesting affiliates from the recently-disabled RansomHub group may have migrated to the Qilin ransomware operation.

The investigation reveals sophisticated technical capabilities within both groups and highlights the dynamic nature of ransomware ecosystems.

RansomHub’s Technical Arsenal and Rise to Prominence

RansomHub emerged in February 2024 following a suspected acquisition of web application and ransomware source code from the Knight (formerly Cyclops) operation.

The group quickly gained notoriety for its sophisticated multi-platform ransomware that targets Windows, Linux, FreeBSD, and ESXi operating systems across x86, x64, and ARM architectures.

This versatility enabled affiliates to encrypt both local and network file systems via SMB and SFTP protocols.

What distinguished RansomHub was its aggressive affiliate-friendly business model, offering a remarkably low 10% commission fee (later increased to 15%), significantly below the industry standard of 20-30%.

This approach successfully attracted former ...


Copyright of this story solely belongs to gbhackers.