Threat Intel Report: RaaS Unfold — RansomHub, The Ransomware Empire Built on Abandoned Affiliates
Platform: CyberDefenders
Challenge: RaaS Unfold
Category: Threat Intelligence / Malware Analysis
Difficulty: Hard
Tools: VirusTotal, GitHub, Symantec Threat Intelligence, ESET Research, Sophos, Group-IB, Insikt Group, CISA, WatchGuard
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Ransomware-as-a-Service (RaaS) / Double Extortion
Malware Family: RansomHub (formerly Knight / Cyclops)
A file hash has been flagged by the SIEM and escalated for threat intelligence analysis. The task is to profile the binary and reconstruct the full attack chain of the RansomHub ransomware group — from their dark-web emergence, to their affiliate recruitment strategy, to the CVEs they weaponize, and finally to the technical internals of their payload. This lab follows the OSINT-first model, building an intelligence picture entirely from public threat reports without requiring local execution.
RansomHub launched publicly on February 2, 2024, and rapidly became one of the most prolific ransomware operations globally — partly by aggressively recruiting affiliates abandoned by the ALPHV/BlackCat exit scam. The group operates a true RaaS model with an 80/20 affiliate revenue split, sophisticated payload engineering, and a custom EDR-killing toolset.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 099997fe34d613ec70da710e2ad077d421bd7db95d2aad08d750ef88989f33da | RansomHub payload (VCboEJ.exe) |
| MD5 | 5c8d30d80adfa8e905cabc8d37677d55 | RansomHub payload |
| SHA-1 | 2382e531ed3b0e2289179c9489f27c43d9811bc0 | RansomHub payload |
| File Name | VCboEJ.exe | Obfuscated filename, 10.62 MB |
| Tox ID | 4D598799696AD5399FABF7D40C4D1BE9F05D74CFB311047D7391AC0BF64BED47B56EEE66A528 | Operator qTox contact |
| Dark-Web Forum Handle | koley | RAMP forum affiliate recruiter |
| C2 (DLS) | http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/ | RansomHub Data Leak Site |
| EDR Killer | EDRKillShifter | Custom EDR termination tool |
| PoC SHA-256 | 53473d4ce45ba3250281d83480db7dad65e2330e080b79bd0d93b21d024f912b | CVE-2024-3400 Python PoC (main.py) |
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (PAN-OS) | T1190 |
| Execution | Windows Command Shell | T1059.003 |
| Persistence | Remote Access Software (AnyDesk) | T1219 |
| Privilege Escalation | Exploitation for Privilege Escalation (ZeroLogon) | T1068 |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 |
| Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 |
| Lateral Movement | Remote Services | T1021 |
| Collection | Data Staged | T1074 |
| Exfiltration | Exfiltration to Cloud Storage (RClone) | T1567.002 |
| Impact | Data Encrypted for Impact | T1486 |
| Impact | Inhibit System Recovery | T1490 |
2. Phase 1: Sample Identification — VirusTotal (Q1)
Objective: Identify the ransomware group linked to the flagged file hash.
The lab provides malware_hash.txt containing:
SHA256 - 099997fe34d613ec70da710e2ad077d421bd7db95d2aad08d750ef88989f33da
Submitting this hash to VirusTotal immediately reveals the group identity.
Key findings from the Detection page:
| Field | Value |
|---|---|
| Detection ratio | 53/71 vendors |
| Popular threat label | ransomware.ransomhub/rnsmhub |
| Threat categories | ransomware, trojan |
| Family labels | ransomhub, rnsmhub, sliver |
| File size | 10.62 MB |
| Filename | VCboEJ.exe (obfuscated name) |
The consensus is unambiguous — this binary is a RansomHub payload. The 10.62 MB file size is consistent with a Go-compiled binary (Go statically links its runtime, which inflates binary sizes significantly compared to C-compiled equivalents).
The Details tab confirms all cryptographic hashes:
Answer Q1:
RansomHub
3. Phase 2: Group Origins & Emergence (Q2 & Q3)
Objective: Determine when RansomHub first announced its affiliate program and which earlier ransomware family it was rebranded from.
Q2: When did the group first appear and start advertising its affiliate program on the dark-web forum?
Barracuda’s threat blog provides the key date explicitly: RansomHub announced itself on February 2, 2024 with a post on the RAMP (Russian Anonymous Marketplace) dark-web criminal forum. The timing was strategic — ALPHV/BlackCat had just conducted an exit scam after the Change Healthcare attack, leaving hundreds of experienced ransomware affiliates without a platform. RansomHub positioned itself as the natural successor, welcoming all orphaned affiliates with an attractive 80% revenue share.
Answer Q2:
2024-02-02
Q3: Which earlier ransomware variant is RansomHub believed to be a rebranded version of?
Symantec’s analysis identified that RansomHub shares significant code overlap with Knight ransomware (previously known as Cyclops). Key similarities:
- Both written in Go and obfuscated with Gobfuscate
- Virtually identical command-line help menus — the only difference is RansomHub adds a sleep command
- The same encryption scheme and configuration structure
- Embedded data-leak site links differentiate them at the binary level
Knight’s source code was put up for sale on underground forums in February 2024 — coinciding exactly with RansomHub’s launch. The theory is that a new operator (or syndicate) purchased the Knight source code and updated it before launching RansomHub as a rebranded RaaS.
Answer Q3:
Knight
4. Phase 3: Affiliate Program Intelligence (Q4, Q5 & Q6)
Objective: Profile the operator who posted the RAMP affiliate recruitment ad, their communication preferences, and the attack restrictions they imposed.
Q4: What forum username advertised the affiliate program?
WatchGuard’s ransomware intelligence profile confirms the RAMP forum handle used to post the affiliate program: koley. This individual is listed as the sole threat actor and the communication identifier on the RAMP forum.
Answer Q4:
koley
Q5: Which instant-messaging platform did they prefer, and what was their ID?
The ESET/WeLiveSecurity article on the affiliate program announcement explicitly states the operator’s preferred encrypted communication platform and ID. The Ransomware_Official_Domains GitHub repository also lists the same TOX ID:
qTox is a peer-to-peer, end-to-end encrypted messaging application that operates without centralized servers, making it impossible to subpoena or monitor through traditional legal channels. Its consistent use by ransomware operators reflects a deliberate operational security (OPSEC) choice — no account linking, no phone number, no central server with logs.
Answer Q5:
qTox, 4D598799696AD5399FABF7D40C4D1BE9F05D74CFB311047D7391AC0BF64BED47B56EEE66A528
Q6: Affiliates are prohibited from attacking companies from 4 regions — what are they?
RansomHub’s About page on their TOR infrastructure explicitly lists the prohibited targeting regions. This is a common trait among post-Soviet ransomware groups — restricting attacks on CIS nations signals likely Russian or CIS-based operator origins. Attacking Cuba, North Korea, and China likely reflects diplomatic sensitivities with states that might otherwise shelter threat actors.
The four restricted regions are:
- CIS (Commonwealth of Independent States — Russia, Ukraine, Kazakhstan, etc.)
- Cuba
- North Korea
- China
Answer Q6:
CIS, Cuba, North Korea, China
5. Phase 4: Initial Access — CVE Exploitation (Q7 & Q8)
Objective: Identify the Palo Alto PAN-OS vulnerability weaponized by RansomHub and obtain the SHA-256 of the public PoC exploit script.
Q7: What CVE did RansomHub exploit for initial access via PAN-OS?
CVE-2024-3400 is a critical OS command injection vulnerability in Palo Alto Networks’ GlobalProtect feature within PAN-OS. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on firewall appliances by writing a specially crafted file to an accessible path via the GlobalProtect portal.
This CVE received a CVSS score of 10.0 (maximum severity) and was observed being actively exploited within days of its public disclosure in April 2024. RansomHub leveraged public PoC tooling to probe victim perimeters before moving to brute-force attacks on VPN credentials when exploitation failed.
Answer Q7:
CVE-2024-3400
Q8: What is the SHA-256 hash of the PoC script used in the Palo Alto exploitation?
Group-IB’s DFIR analysts traced the attacker’s tooling back to a specific Python script on GitHub:
The exploit script (main.py) works by sending a crafted HTTP request to the /ssl-vpn/hipreport.esp endpoint with a malicious SESSID cookie value that traverses the path to write arbitrary files into the web-accessible GlobalProtect portal directory — specifically /global-protect/portal/images/poc.txt.
The GitHub repository (pwnj0hn/CVE-2024-3400) contains the full main.py source:
Submitting main.py to VirusTotal confirms its SHA-256 hash. Note that VirusTotal returns 0/63 detections — this is a legitimate Python reconnaissance script, not a weaponized payload itself. This is a critical distinction: the PoC checks whether a target is vulnerable; a separate exploitation step would then be used to gain code execution.
Answer Q8:
53473d4ce45ba3250281d83480db7dad65e2330e080b79bd0d93b21d024f912b
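The PoC behaviour described above (a traversal value in the SESSID cookie sent to /ssl-vpn/hipreport.esp, followed by a check for the dropped file under /global-protect/portal/images/) leaves two traces a defender can look for in web access logs. The following triage script is an added example written for this writeup, not code from the lab, Group-IB or the PoC repository. The log lines are constructed and use an assumed combined-log-like layout with a trailing cookie field; the real appliance log format differs and the parser would need adjusting.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic). Layout is an assumption for this
# example: combined log format plus a trailing quoted request-cookie field.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2024:03:14:01 +0000] "GET /ssl-vpn/hipreport.esp HTTP/1.1" 200 312 "-" "curl/8.4" "SESSID=/../../../tmp/probe"',
    '203.0.113.5 - - [12/Apr/2024:03:14:07 +0000] "GET /global-protect/portal/images/poc.txt HTTP/1.1" 200 0 "-" "curl/8.4" "-"',
    '198.51.100.20 - - [12/Apr/2024:03:15:10 +0000] "GET /global-protect/portal/images/logo.png HTTP/1.1" 200 4821 "-" "Mozilla/5.0" "-"',
    '198.51.100.20 - - [12/Apr/2024:03:15:11 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 312 "-" "PanGPS/6.2" "SESSID=a1b2c3d4e5"',
    '203.0.113.9 - - [12/Apr/2024:03:16:40 +0000] "GET /global-protect/portal/images/notes.txt HTTP/1.1" 404 0 "-" "python-requests/2.31" "-"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
IMAGES_DIR = "/global-protect/portal/images/"   # artifact directory named in the writeup
HIPREPORT = "/ssl-vpn/hipreport.esp"            # endpoint abused by the PoC


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sessid_value(cookie_field: str) -> str:
    """Extract the SESSID cookie value from a 'k=v; k2=v2' string ('' if absent)."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return ""


def triage_line(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the two indicators to one parsed record."""
    path, status = rec["path"], int(rec["status"])
    # Indicator 1: a traversal sequence inside SESSID aimed at hipreport.esp.
    if path.endswith(HIPREPORT) and "../" in sessid_value(rec["cookie"]):
        return {"rule": "hipreport_sessid_traversal", "severity": "high",
                "src": rec["src"], "detail": rec["cookie"]}
    # Indicator 2: a .txt requested from the portal images directory. A 200 means
    # the file actually exists there, which a normal portal never serves.
    if path.startswith(IMAGES_DIR) and path.lower().endswith(".txt"):
        sev = "high" if status == 200 else "medium"
        return {"rule": "portal_images_txt_artifact", "severity": sev,
                "src": rec["src"], "detail": f"{path} -> {status}"}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run both indicators over a list of raw log lines, skipping unparsable ones."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = triage_line(rec)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["severity"].upper(), h["rule"], h["src"], h["detail"])
```

Run against the constructed lines it flags the traversal request and both .txt fetches, grading the 200 response as high and the 404 probe as medium, while the legitimate client POST with a normal SESSID and the logo.png request are ignored. The same two checks can be ported to a SIEM query once the real field names are known.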
6. Phase 5: Active Directory Exploitation (Q9)
Objective: Identify the Active Directory vulnerability exploited by the affiliate for domain privilege escalation.
Q9: What CVE enabled domain access without valid user credentials?
CVE-2020-1472 — ZeroLogon is a cryptographic flaw in Microsoft’s MS-NRPC (Netlogon Remote Protocol) that allows an attacker with network access to a Domain Controller to:
- Spoof the identity of any computer account (including the DC itself)
- Elevate privileges to Domain Admin without providing any valid credentials
- Extract the NTLM hash of the Domain Controller’s machine account
The attack leverages a flawed AES-CFB8 implementation that allows an attacker to force the Netlogon session key to all zeros with approximately 1-in-256 probability — requiring roughly 256 attempts on average, completable in seconds.
Group-IB’s investigation logs show the mimikatz tool’s authentication attempt failing initially (Figure 9) — consistent with the detector-evading approach of using ZeroLogon to bypass credential requirements entirely.
Critical Severity: ZeroLogon received a CVSS score of 10.0. Despite being patched in August 2020, it remains widely exploited in 2024 due to unpatched legacy domain controllers — a persistent problem in enterprise environments where updating Domain Controllers requires extensive change management processes.
Answer Q9:
CVE-2020-1472
7. Phase 6: Threat Actor Attribution (Q10 & Q11)
Objective: Identify the specific ESET-named threat actor and their AnyDesk configuration details.
Q10: What is the name of the threat actor responsible for compromising a North American government institution in August 2024?
ESET Research identified and named the specific threat actor behind the August 2024 North American governmental institution compromise as QuadSwitcher. This naming convention reflects the actor’s unique behavior of simultaneously operating as an affiliate across four different ransomware-as-a-service platforms — RansomHub, Play, Medusa, and BianLian.
This multi-gang affiliation is operationally unusual and suggests a highly experienced threat actor who either maintains separate personas across platforms, or one who has negotiated special access. The common thread is the deployment of EDRKillShifter — RansomHub’s custom EDR termination tool — across all four operations, serving as the attribution fingerprint that allowed ESET to link the attacks.
Answer Q10:
QuadSwitcher
Q11: What password did the PowerShell script set for AnyDesk?
RansomHub’s leaked operational manual included a PowerShell script for deploying AnyDesk as a persistence mechanism. The script:
- Downloads AnyDesk.exe from the official CDN to C:\ProgramData\AnyDesk.exe
- Silently installs it with the --install and --start-with-win flags
- Sets the remote access password via echo J9kzQ2Y0qO | anydesk.exe --set-password
The hardcoded password J9kzQ2Y0qO gives the attacker persistent GUI remote access to all compromised hosts through a trusted, often-whitelisted remote desktop application — bypassing most endpoint perimeter controls.
Answer Q11:
J9kzQ2Y0qO
8. Phase 7: Payload Internals (Q12, Q13, Q14 & Q15)
Objective: Analyze the RansomHub binary’s runtime requirements, error handling, EDR evasion loader, and programming language.
Q12 & Q13: What command-line flag provides the passphrase, and what is the error message on failure?
Before encrypting files, RansomHub systematically kills workloads to ensure all files are accessible (no open file handles that would prevent encryption):
| Command | Purpose |
|---|---|
| powershell.exe -Command "Get-VM \| Stop-VM -Force" | Forcefully shut down all running Hyper-V virtual machines |
| cmd.exe /c iisreset.exe /stop | Stop all IIS web services |
| powershell.exe -Command "Get-CimInstance Win32_ShadowCopy \| Remove-CimInstance" | Delete all Volume Shadow Copies (prevents recovery) |
The VM termination command pipes Get-VM (enumerate all Hyper-V VMs) into Stop-VM -Force (force power-off without graceful shutdown). The -Force flag bypasses any “unsaved work” confirmations, ensuring that even VMs with open transactions are immediately powered off and their disk files become exclusively accessible to the ransomware.
Answer Q16:
Get-VM | Stop-VM -Force
Q17: How many Windows log files does the ransomware clear?
The S-RM intelligence report identifies that RansomHub uses wevtutil.exe to clear three specific Windows event log channels:
- Application log
- System log
- Security log
These three logs are the primary forensic sources for incident responders. Clearing them eliminates evidence of:
- Failed login attempts (Security log — Brute force / Pass-the-Hash artifacts)
- Service installations and anomalous process executions (System log)
- Application errors and crash signatures (Application log)
By clearing these before or during the final encryption stage, RansomHub maximizes the difficulty of post-incident forensic reconstruction.
Forensic Resilience Note:
The wevtutil.exe cl (clear-log) event itself generates Windows Event ID 1102 (Audit log cleared) in the Security log, and 104 in the System log. If logs are forwarded to a remote SIEM in real time, before they are cleared, the clearing event and all preceding events are preserved. This is why real-time SIEM log forwarding is a non-negotiable defensive control against ransomware.
Answer Q17:
3
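The AnyDesk password-setting command, the three pre-encryption workload kills and the wevtutil log clearing discussed above all surface as process command lines, and the clearing additionally raises Event ID 1102/104 if forwarding is in place. The script below is an added example for this writeup, not detection content from the lab or any of the cited vendors: it runs hand-written rules over constructed, simplified process-creation records (Sysmon Event ID 1 style dicts with just an event_id and command_line) and returns the alerts. The Hyper-V and IIS stops are tagged with ATT&CK T1489 (Service Stop), which is not in the page's own mapping table.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample telemetry (illustrative, not captured from a real incident).
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "command_line": "wevtutil.exe cl Security"},
    {"event_id": 1, "command_line": "wevtutil.exe cl Application"},
    {"event_id": 1, "command_line": "wevtutil.exe cl System"},
    {"event_id": 1, "command_line": 'powershell.exe -Command "Get-VM | Stop-VM -Force"'},
    {"event_id": 1, "command_line": "cmd.exe /c iisreset.exe /stop"},
    {"event_id": 1, "command_line": 'powershell.exe -Command "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"'},
    {"event_id": 1, "command_line": 'cmd.exe /c "echo J9kzQ2Y0qO | C:\\ProgramData\\AnyDesk.exe --set-password"'},
    {"event_id": 1102, "command_line": ""},  # Security log: "The audit log was cleared"
    {"event_id": 1, "command_line": "wevtutil.exe qe Application /c:5"},  # benign query, must not alert
]

# (rule name, ATT&CK technique, case-insensitive regex on the command line).
# Regexes written for this example; group 1 of the first rule captures the channel.
COMMAND_RULES = [
    ("event_log_cleared_cmd", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(Application|System|Security)\b", re.I)),
    ("hyperv_vms_force_stopped", "T1489",
     re.compile(r"Get-VM\s*\|\s*Stop-VM\s+-Force", re.I)),
    ("iis_stopped", "T1489",
     re.compile(r"\biisreset(?:\.exe)?\s+/stop\b", re.I)),
    ("shadow_copies_deleted", "T1490",
     re.compile(r"Win32_ShadowCopy\s*\|\s*Remove-CimInstance", re.I)),
    ("anydesk_password_set", "T1219",
     re.compile(r"\banydesk(?:\.exe)?\s+--set-password\b", re.I)),
]

# Audit events written by the clearing itself; they survive only if forwarded in real time.
AUDIT_EVENT_RULES = {
    1102: ("security_log_cleared_audit", "T1070.001"),  # Security channel
    104: ("system_log_cleared_audit", "T1070.001"),     # System channel
}


def classify(event: Dict) -> Optional[Dict[str, str]]:
    """Return an alert for one record, or None if nothing matched."""
    if event["event_id"] in AUDIT_EVENT_RULES:
        name, ttp = AUDIT_EVENT_RULES[event["event_id"]]
        return {"rule": name, "technique": ttp, "evidence": f"EventID {event['event_id']}"}
    cmd = event.get("command_line", "")
    for name, ttp, pattern in COMMAND_RULES:
        if pattern.search(cmd):
            return {"rule": name, "technique": ttp, "evidence": cmd}
    return None


def scan(events: List[Dict]) -> List[Dict[str, str]]:
    """Classify every record and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


def count_by_rule(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Alert counts per rule name, handy for a quick incident summary."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


def cleared_channels(events: List[Dict]) -> Set[str]:
    """Which event-log channels were cleared with wevtutil (the writeup lists three)."""
    pattern = COMMAND_RULES[0][2]
    found: Set[str] = set()
    for e in events:
        m = pattern.search(e.get("command_line", ""))
        if m:
            found.add(m.group(1).capitalize())
    return found


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['rule']}: {alert['evidence']}")
    print("channels cleared:", sorted(cleared_channels(SAMPLE_EVENTS)))
```

On the constructed input the benign wevtutil query produces no alert, the three clearing commands map back to exactly the Application, System and Security channels, and the 1102 audit event is reported even though no command line accompanies it; that last alert is the one a SIEM only sees when forwarding happens before the clear.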
10. Phase 9: Encryption & File Markers (Q18)
Objective: Identify the cryptographic signature appended to the end of every RansomHub-encrypted file.
Q18: What are the last four bytes consistently observed in encrypted files?
The CISA #StopRansomware advisory on RansomHub includes a detailed analysis of the encrypted file structure. The structure appended to each encrypted file (after the encrypted data) consists of:
- 32-byte master public key — the per-session ECDH public key, allowing decryption only with the corresponding private key held by the attacker
- 4-byte checksum value — a verification value
- 4-byte magic footer — always the constant value 0x00ABCDEF
The 0x00ABCDEF trailer is a deterministic file marker — a YARA hunting opportunity. Any file on a victim system ending in the byte sequence 00 AB CD EF is a RansomHub-encrypted file. This marker can be used for:
- Automated identification of encrypted files in forensic imaging
- YARA rule creation for triage of potentially encrypted file sets
- Confirming RansomHub attribution during incident response
Answer Q18:
0x00ABCDEF
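The 40-byte trailer described above (32-byte public key, 4-byte checksum, 4-byte 00 AB CD EF magic) can be checked without reading whole files, which matters when triaging large network shares. The scanner below is an added example for this writeup, not tooling from CISA or the lab: it reads only the tail of each file, parses the three fields, and ships an equivalent YARA rule as a string. The fixture files, the placeholder key and checksum bytes, and the .6706c3 extension on the sample file are all constructed for the example.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Trailer layout from the CISA advisory as summarised above; the magic is the
# writeup's 0x00ABCDEF, i.e. the bytes 00 AB CD EF at the very end of the file.
RANSOMHUB_MAGIC = bytes.fromhex("00ABCDEF")
PUBKEY_LEN, CHECKSUM_LEN, MAGIC_LEN = 32, 4, 4
FOOTER_LEN = PUBKEY_LEN + CHECKSUM_LEN + MAGIC_LEN  # 40 bytes

# Equivalent YARA rule (written for this example) for bulk triage of shares.
YARA_RULE = """\
rule RansomHub_Encrypted_File_Trailer
{
    meta:
        description = "File ends with the RansomHub 0x00ABCDEF trailer magic"
    strings:
        $magic = { 00 AB CD EF }
    condition:
        filesize > 40 and $magic at (filesize - 4)
}
"""


def parse_footer(tail: bytes) -> Optional[Dict[str, str]]:
    """Split the last 40 bytes into their fields; None unless the magic is present."""
    if len(tail) < FOOTER_LEN or tail[-MAGIC_LEN:] != RANSOMHUB_MAGIC:
        return None
    footer = tail[-FOOTER_LEN:]
    return {
        "public_key": footer[:PUBKEY_LEN].hex(),
        "checksum": footer[PUBKEY_LEN:PUBKEY_LEN + CHECKSUM_LEN].hex(),
        "magic": footer[-MAGIC_LEN:].hex(),
    }


def footer_of(path: str) -> Optional[Dict[str, str]]:
    """Read only the tail of a file so scanning big files stays cheap."""
    size = os.path.getsize(path)
    if size < FOOTER_LEN:
        return None
    with open(path, "rb") as fh:
        fh.seek(size - FOOTER_LEN)
        return parse_footer(fh.read(FOOTER_LEN))


def scan_tree(root: str) -> List[Tuple[str, Dict[str, str]]]:
    """Walk a directory tree; return (relative path, parsed footer) for every hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            info = footer_of(path)
            if info is not None:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), info))
    return sorted(hits, key=lambda h: h[0])


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: one file with a fake trailer plus three decoys."""
    fake_key = bytes([0x11]) * PUBKEY_LEN        # placeholder, not a real key
    fake_checksum = bytes.fromhex("22334455")    # placeholder value
    encrypted = b"constructed ciphertext bytes" + fake_key + fake_checksum + RANSOMHUB_MAGIC
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    with open(os.path.join(root, "docs", "report.docx.6706c3"), "wb") as fh:
        fh.write(encrypted)
    with open(os.path.join(root, "docs", "README_x7Qp.txt"), "w") as fh:
        fh.write("We are the RansomHub.\n")      # note has no trailer, must not match
    with open(os.path.join(root, "short.bin"), "wb") as fh:
        fh.write(RANSOMHUB_MAGIC)                # magic alone is too short to be a trailer
    with open(os.path.join(root, "image.bin"), "wb") as fh:
        fh.write(bytes(range(64)))               # arbitrary bytes, wrong last four


def demo() -> Dict[str, Dict[str, str]]:
    """Build the fixtures in a temp dir, scan it, return {relative path: footer}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return dict(scan_tree(tmp))


if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info)
```

The length check matters: a file consisting of nothing but the four magic bytes is not a valid trailer, and requiring the full 40 bytes also lets the checksum and per-session public key be logged per file, which helps confirm that a set of files came from one deployment. The YARA text can be dropped into a rules file as-is.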
11. Phase 10: Ransom Note & Data Leak Infrastructure (Q19 & Q20)
Objective: Identify the opening line of the ransom note and the URL of the RansomHub Data Leak Site.
Q19: What is the message on the first line of the ransom note?
Q20: What is the URL of the Data Leak Site?
The ransom note (stored as README_<random>.txt) opens with a direct, unambiguous declaration of identity: “We are the RansomHub.”
The note structure follows a deliberate psychological playbook:
- Identity declaration — establishes authority and group recognition
- Threat statement — “Your company Servers are locked and Data has been taken”
- Good news framing — psychological softening technique to make the victim receptive to negotiation
- Proof of decryption offer — builds credibility by offering a free decryption of sub-1MB files
- Confidentiality assurance — falsely claims the breach is secret (except to the victim and RansomHub)
- Legal threat — GDPR fine warnings designed to pressure victims into paying rather than reporting
The Data Leak Site URL is embedded directly in the ransom note and confirmed in multiple intelligence reports. The WatchGuard profile also confirms this as one of RansomHub’s four known TOR extortion links:
Answer Q19:
We are the RansomHub.
Answer Q20:
http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/
12. Full Attack Chain Summary
| Phase | Stage | Technique | Evidence |
|---|---|---|---|
| 1 | Initial Access | CVE-2024-3400 PAN-OS exploit attempt; fallback VPN brute-force | main.py PoC (SHA-256: 53473d…) |
| 2 | Credential Theft | Mimikatz + ZeroLogon (CVE-2020-1472) | Group-IB NetLogon attack logs |
| 3 | Persistence | AnyDesk deployed via PowerShell; password: J9kzQ2Y0qO | Symantec leaked manual |
| 4 | Lateral Movement | ngrok reverse proxy, SMB, compromised credentials | S-RM propagation analysis |
| 5 | Defense Evasion | EDRKillShifter BYOVD EDR termination | Sophos first documentation |
| 6 | Defense Evasion | Clear Application, System, Security event logs via wevtutil.exe | S-RM / Insikt Group |
| 7 | Pre-Encryption | Stop Hyper-V VMs: Get-VM \| Stop-VM -Force; Stop IIS; Delete VSS | Insikt Group analysis |
| 8 | Exfiltration | RClone to cloud storage | Trend Micro intelligence |
| 9 | Encryption | ECDH + AES; -pass required; trailer: 0x00ABCDEF | CISA advisory, Group-IB |
| 10 | Impact | Ransom note README_<random>.txt; DLS at ransomxifxwc5… | ESET / WatchGuard |
13. Remediation & Mitigation Recommendations
Immediate Indicators to Hunt
- Files ending in bytes 00 AB CD EF (RansomHub encryption marker)
- File extension .6706c3 (or random hex — changes per victim deployment)
- README_*.txt files created in bulk across directory trees
- wevtutil.exe cl Application, wevtutil.exe cl System, wevtutil.exe cl Security in process logs
- powershell.exe Get-VM | Stop-VM -Force in SIEM
Critical Patches to Prioritize
| CVE | System | Severity | Action |
|---|---|---|---|
| CVE-2024-3400 | Palo Alto PAN-OS GlobalProtect | CVSS 10.0 | Patch immediately; check for /global-protect/portal/images/*.txt artifacts |
| CVE-2020-1472 | Windows Domain Controllers | CVSS 10.0 | Apply KB4571694 (Aug 2020); enable DC enforcement mode |
Defensive Architecture
- Real-time SIEM log forwarding: Prevents wevtutil.exe clearing from destroying forensic evidence
- VSS protection: Enable Microsoft’s VSS protection policy preventing non-System processes from deleting shadow copies
- Hyper-V network segmentation: Restrict access to Hyper-V management APIs to dedicated management VLANs
- EDR kernel protection: Deploy EDR solutions with tamper-protection enabled at the kernel level (PPL — Protected Process Light)
- Block TOR exit nodes: Prevent ransomware C2 communication and DLS data exfiltration at the perimeter
- AnyDesk allowlisting: Only allow pre-approved AnyDesk organization IDs; block personal/unlicensed installations
14. Conclusion
RansomHub represents a mature, operationally sophisticated RaaS operation that successfully combined:
- Strategic timing — Launching at the exact moment ALPHV abandoned hundreds of experienced affiliates
- Code efficiency — Reusing the Knight codebase (Go + Gobfuscate) rather than developing from scratch
- Operational security — qTox, TOR-only infrastructure, passphrase-protected payloads
- Tooling sophistication — Custom EDRKillShifter bypasses modern EDR at the kernel level
- Aggressive targeting — Weaponizing CVSS 10.0 vulnerabilities within days of public PoC availability
The 20-question lab demonstrates how a complete threat intelligence profile can be constructed entirely from OSINT — from initial hash triage through VirusTotal, to dark-web forum registration intelligence, to binary internals from vendor research reports — without ever executing the sample.
Key Takeaways for the SOC:
- Patch CVSS 10.0 vulnerabilities within 24 hours. CVE-2024-3400 was weaponized within days of disclosure. There is no acceptable patch window for maximum-severity perimeter vulnerabilities.
- 0x00ABCDEF is your hunt anchor. Deploy YARA rules scanning for this byte sequence across all network shares to rapidly identify encrypted files during an active incident.
- EDR tamper protection is non-negotiable. EDRKillShifter only succeeds because EDR processes can be terminated from kernel space. PPL-protected EDR agents cannot be killed by BYOVD attacks.
Analysis Date: April 5, 2026
Analyst: El OMARI Zakaria