S1212: RansomHub
RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.[1][2]
Analyst context for executives and security teams
RansomHub matters because ATT&CK describes it as a ransomware-as-a-service offering with Windows, ESXi, Linux, and FreeBSD versions, and relationships show behaviors that span discovery, lateral movement over SMB/admin shares, execution through PowerShell and Windows command shell, defense impairment, recovery inhibition, and data encryption for impact. For leaders, the decision value is not just “ransomware exists”; it is whether the organization can see and contain the pre-impact behaviors before encryption, service disruption, log clearing, or recovery inhibition affect business continuity.
Executive priority
Prioritize RansomHub as an operational resilience and incident-readiness use case. The ATT&CK relationships point to risks that executives should ask about directly: Are critical Windows and Linux environments monitored? Are SMB/admin-share paths controlled? Can the SOC detect discovery and service-stop activity before impact? Are recovery mechanisms protected from tampering? Can incident responders still reconstruct activity if Windows Event Logs are cleared? This object is also useful for audit and board evidence because it maps ransomware risk to concrete control areas: identity and admin access, endpoint visibility, network-share governance, backup/recovery protection, and incident response logging.
Technical view
SOC and IR teams should validate coverage across the related behaviors rather than relying on a single ransomware signature. Key ATT&CK-linked areas include Remote System Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Network Share Discovery, SMB/Windows Admin Shares, PowerShell, Windows Command Shell, Proxy, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Execution Guardrails, Time Based Checks, Registry Run Keys/Startup Folder, File Deletion, Clear Windows Event Logs, Safe Mode Boot, Service Stop, Inhibit System Recovery, Internal Defacement, and Data Encrypted for Impact. Detection engineering should test whether telemetry survives privilege misuse, log clearing, safe mode boot behavior, service disruption, and backup/recovery tampering scenarios.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, discovery utilities, service-control actions, and recovery-inhibition commands
- Windows Event Log collection, including evidence of log-clearing activity and gaps in expected log flow
- SMB/admin-share access records, file-share enumeration, and lateral movement indicators from Windows systems
- File-system telemetry for rapid file modification, deletion, creation of encrypted or encoded artifacts, and ransom-note or defacement-related changes where observable
- Registry monitoring for Run Key and Startup Folder persistence on Windows
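The second bullet above asks for evidence of log clearing and of gaps in expected log flow. The script below is an added example, not part of this page or of MITRE's material, showing how a collector-side check can do both from forwarded telemetry alone: it flags hosts whose event stream has gone silent relative to their own baseline, and surfaces the well-known log-cleared event IDs (1102 in the Security log, 104 in the System log) when they arrive. The line format and host names are constructed for the example; adapt `parse_events()` to your forwarder's schema.

```python
"""Detect silent hosts and log-cleared events in forwarded Windows telemetry.

Added example, not from the ATT&CK page. The record format
'<iso-timestamp> <host> EventID=<n>' and the hosts below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Windows event IDs written when a log is cleared: 1102 goes to the
# Security log, 104 to the System log (source Microsoft-Windows-Eventlog).
LOG_CLEARED_EVENT_IDS = {
    1102: "Security log cleared",
    104: "Event log cleared (System channel)",
}


def parse_events(lines):
    """Parse constructed lines into sorted (timestamp, host, event_id) tuples."""
    events = []
    for line in lines:
        ts, host, eid = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, host, int(eid.split("=", 1)[1])))
    return sorted(events)


def find_silent_hosts(events, now, min_gap=timedelta(minutes=30), factor=6):
    """Return hosts whose forwarded flow has stopped.

    A host is silent when the time since its last event exceeds both
    `min_gap` and `factor` times its own median inter-event interval, so a
    normally chatty host is flagged sooner than a naturally quiet one.
    Hosts seen fewer than twice have no baseline and are skipped here.
    """
    per_host = defaultdict(list)
    for ts, host, _ in events:
        per_host[host].append(ts)
    silent = []
    for host, stamps in per_host.items():
        if len(stamps) < 2:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        baseline = timedelta(seconds=median(intervals))
        if now - stamps[-1] > max(min_gap, factor * baseline):
            silent.append(host)
    return sorted(silent)


def find_log_clear_events(events):
    """Return (host, timestamp, description) for each log-cleared event."""
    return [(host, ts, LOG_CLEARED_EVENT_IDS[eid])
            for ts, host, eid in events if eid in LOG_CLEARED_EVENT_IDS]


# Constructed sample: host01 and host03 report every 5 minutes for two
# hours, host02 stops after 30 minutes, host03 also emits a 1102.
_START = datetime(2025, 3, 17, 10, 0, tzinfo=timezone.utc)


def _stream(host, count, extra=()):
    lines = [
        f"{(_START + timedelta(minutes=5 * i)).isoformat().replace('+00:00', 'Z')} {host} EventID=4624"
        for i in range(count)
    ]
    return lines + list(extra)


SAMPLE_LINES = (
    _stream("host01", 25)
    + _stream("host02", 7)
    + _stream("host03", 25, ["2025-03-17T11:40:00Z host03 EventID=1102"])
)
NOW = _START + timedelta(hours=2)  # evaluation time for the sample

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print("silent hosts:", find_silent_hosts(evs, NOW))
    for host, ts, desc in find_log_clear_events(evs):
        print(f"{ts.isoformat()} {host}: {desc}")
```

Run the silent-host check on a schedule from the collector, not from the endpoints, so that a host which has had its logs cleared or its forwarding agent stopped still produces an alert from the gap itself.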
Detection direction
- Correlate discovery behaviors with later SMB/admin-share access, command execution, service changes, and high-volume file activity; isolated discovery commands may be benign, but clustered sequencing increases investigative value.
- Tune PowerShell and Windows command-shell detections for suspicious administrative use while accounting for legitimate IT automation and remote administration.
- Validate that Windows Event Log clearing generates alerts from independent or forwarded telemetry, not only from the host whose logs may be cleared.
- Test visibility for Safe Mode Boot and service-stop behavior because endpoint controls may have reduced function when services or drivers are not loaded.
- Monitor recovery-inhibition activity as a high-priority ransomware precursor because it directly affects restoration options.
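The first and last bullets above are the core of the detection idea: isolated discovery is noise, clustered sequencing is signal, and recovery inhibition is worth an alert on its own. The script below is an added example, not part of this page or of MITRE's material, that implements that scoring over process-creation records. The records, host names and command lines are constructed, and the regexes are a generic starter set covering the behaviour areas the page names (discovery, admin-share access, service stop, log clearing, recovery inhibition, safe mode); they are not RansomHub-specific indicators and must be tuned to local administrative practice.

```python
"""Per-host correlation of ransomware precursor behaviours.

Added example, not from the ATT&CK page. Records use the constructed
format 'ts|host|user|cmdline'; the patterns are illustrative only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour stages keyed to the areas the page lists, with illustrative
# case-insensitive command-line patterns (tune these to your estate).
STAGE_PATTERNS = {
    "discovery":        [r"\bnet(?:\.exe)?\s+view\b", r"\bsysteminfo\b",
                         r"\bnet(?:\.exe)?\s+group\b"],
    "admin_share":      [r"\\\\[\w.-]+\\(?:c\$|admin\$)"],
    "service_stop":     [r"\b(?:net|sc)(?:\.exe)?\s+stop\b"],
    "log_clear":        [r"\bwevtutil(?:\.exe)?\s+cl\b"],
    "recovery_inhibit": [r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"],
    "safe_mode":        [r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b"],
}
COMPILED = {s: [re.compile(p, re.I) for p in ps] for s, ps in STAGE_PATTERNS.items()}


def classify(cmdline):
    """Return the set of stages a command line matches (empty if none)."""
    return {s for s, ps in COMPILED.items() if any(p.search(cmdline) for p in ps)}


def parse_events(lines):
    """Parse constructed 'ts|host|user|cmdline' process-creation records."""
    events = []
    for line in lines:
        ts, host, user, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "user": user, "cmdline": cmdline})
    return events


def correlate(events, window=timedelta(minutes=60), min_stages=3):
    """Emit one alert per host whose matching commands cluster into at least
    `min_stages` distinct stages inside `window`, or that shows recovery
    inhibition at all. Discovery on its own never alerts, which keeps
    routine administration quiet; sequencing is what raises the score.
    """
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev["cmdline"])
        if stages:
            by_host[ev["host"]].append((ev["ts"], stages, ev["cmdline"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - start <= window]
            stages = set().union(*(h[1] for h in cluster))
            if len(stages) >= min_stages or "recovery_inhibit" in stages:
                severe = bool(stages & {"recovery_inhibit", "log_clear", "safe_mode"})
                alerts.append({"host": host, "start": start,
                               "stages": sorted(stages),
                               "severity": "high" if severe else "medium",
                               "commands": [h[2] for h in cluster]})
                break  # one alert per host; the analyst pivots from there
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    # Routine checks on a workstation: discovery alone, no alert expected.
    "2025-03-17T09:00:00Z|ws01|CORP\\jdoe|net view /all",
    "2025-03-17T09:01:00Z|ws01|CORP\\jdoe|systeminfo",
    # Clustered chain on a file server inside one hour.
    "2025-03-17T13:00:00Z|srv02|CORP\\svc-ops|net view /all",
    "2025-03-17T13:05:00Z|srv02|CORP\\svc-ops|cmd.exe /c dir \\\\srv03\\C$\\",
    "2025-03-17T13:20:00Z|srv02|CORP\\svc-ops|net stop \"SQL Server (MSSQLSERVER)\" /y",
    "2025-03-17T13:30:00Z|srv02|CORP\\svc-ops|vssadmin.exe delete shadows /all /quiet",
    "2025-03-17T13:35:00Z|srv02|CORP\\svc-ops|wevtutil.exe cl Security",
    # A lone recovery-inhibition command on a backup host alerts by itself.
    "2025-03-17T15:10:00Z|bak03|CORP\\svc-ops|vssadmin delete shadows /all /quiet",
]

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LINES)):
        print(alert["host"], alert["severity"], alert["stages"])
```

The window and `min_stages` values are the tuning knobs: widen the window for slow-moving intrusions, and add an allowlist of users or parent processes for the admin-share and service-stop stages before deploying this against real automation traffic.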
Mitigation priorities
- First, protect recovery: ensure backup and recovery mechanisms are access-controlled, monitored, and resistant to deletion or disabling.
- Second, reduce lateral movement exposure: limit SMB/admin-share use, review administrative account access, and validate least-privilege controls for remote shares.
- Third, harden and monitor execution paths: govern PowerShell and Windows command-shell usage without breaking legitimate administration.
- Fourth, improve logging resilience: forward logs off-host and verify alerts for Windows Event Log clearing, service stops, and safe mode related changes.
- Fifth, strengthen endpoint and server coverage across Windows and Linux assets, with special attention to high-value file servers and systems supporting business continuity.
Analyst notes and limits
This take is based on ATT&CK S1212 and its supplied relationships. The object has no official detection text and no ATT&CK tactics listed directly on the malware object, so defensive guidance is derived from the related techniques and official description. The relationships make this most useful as a ransomware behavior-chain validation case for SOC, IR, identity/admin-access review, backup resilience, and recovery readiness.
ATT&CK does not provide official detection guidance for this object in the supplied fields. Local command patterns, filenames, infrastructure indicators, affected sectors, and confirmed exposure are not provided here. Any determination of coverage or risk requires environment-specific telemetry validation, control testing, and incident-response evidence review.
RansomHub
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | RansomHub can use PowerShell to delete volume shadow copies. [2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | RansomHub has the ability to self-delete. [2] |
| Enterprise | T1090 | Proxy | RansomHub can use a proxy to connect to remote SFTP servers. [2] |
| Enterprise | T1480 | Execution Guardrails | RansomHub will terminate without proceeding to encryption if the infected machine is on a list of allowlisted machines specified in its configuration. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | RansomHub has an encrypted configuration file. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | RansomHub has created an autorun Registry key through the `-safeboot-instance -pass` command line argument. [2] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | RansomHub can use `cmd.exe` to execute multiple commands on infected hosts. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RansomHub can use a provided passphrase to decrypt its configuration file. [2] |
| Enterprise | T1018 | Remote System Discovery | RansomHub can enumerate all accessible machines from the infected system. [2] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2. [2] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | RansomHub can sleep for a set number of minutes before beginning execution. [2] |
| Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique) | RansomHub can delete events from the Security, System, and Application logs. [2] |
| Enterprise | T1490 | Inhibit System Recovery | RansomHub has used `vssadmin.exe` to delete volume shadow copies. [1][2] |
| Enterprise | T1083 | File and Directory Discovery | RansomHub has the ability to only encrypt specific files. [2] |
| Enterprise | T1486 | Data Encrypted for Impact | RansomHub can use Elliptic Curve Encryption to encrypt files on targeted systems. [1] RansomHub can also skip content at regular intervals (e.g. encrypt 1 MB, skip 3 MB) to optimize performance and enable faster encryption of large files. [2] |
| Enterprise | T1057 | Process Discovery | RansomHub can stop processes associated with files currently in use to maximize the impact of encryption. [1] |
| Enterprise | T1491.001 | Internal Defacement (sub-technique) | RansomHub has placed a ransom note on compromised systems to warn victims and provide directions for how to retrieve data. [1] |
| Enterprise | T1135 | Network Share Discovery | RansomHub has the ability to target specific network shares for encryption. [2] |
| Enterprise | T1688 | Safe Mode Boot | RansomHub can reboot targeted systems into Safe Mode prior to encryption. [2] |
| Enterprise | T1489 | Service Stop | RansomHub has the ability to terminate specified services. [2] |
| Enterprise | T1082 | System Information Discovery | RansomHub can retrieve information about virtual machines. [2] |
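The T1486 row notes that RansomHub can encrypt content at regular intervals (encrypt 1 MB, skip 3 MB). For incident responders that matters because a partially encrypted file does not look uniformly random: plaintext runs survive between encrypted runs, so a whole-file entropy check can miss it. The script below is an added triage example, not part of this page or of MITRE's material, that scans a file in fixed-size chunks, computes Shannon entropy per chunk, and reports whether the high-entropy chunks form a periodic pattern. The sample file is constructed in memory with 4 KiB chunks in a 1-encrypted/3-plain pattern (scaled down from the megabyte sizes in the row), with pseudo-random bytes standing in for ciphertext.

```python
"""Chunked-entropy triage for intermittently encrypted files.

Added example, not from the ATT&CK page. Chunk size, thresholds and the
sample file are constructed; natively high-entropy formats (archives,
media) will also score high, so treat the verdict as a triage signal.
"""
import math
import random
from collections import Counter
from statistics import median


def shannon_entropy(buf):
    """Bits of entropy per byte for a byte string (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data, chunk_size):
    """Entropy of each consecutive chunk; a short trailing chunk is included."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def run_lengths(flags):
    """Collapse a boolean sequence into [(flag, run_length), ...]."""
    runs = []
    for f in flags:
        if runs and runs[-1][0] == f:
            runs[-1][1] += 1
        else:
            runs.append([f, 1])
    return [(f, n) for f, n in runs]


def classify_file(data, chunk_size, high=7.5):
    """Classify a file as plaintext, fully high-entropy, partially encrypted
    (one high-entropy run) or intermittently encrypted (repeating runs).

    Run lengths are reported in chunks so the encrypt/skip ratio can be
    compared with what a sample's configuration is believed to use.
    """
    flags = [e >= high for e in chunk_entropies(data, chunk_size)]
    if all(flags):
        verdict = "high_entropy"
    elif not any(flags):
        verdict = "plaintext"
    else:
        enc_runs = [n for f, n in run_lengths(flags) if f]
        verdict = "intermittent" if len(enc_runs) >= 2 else "partial"
    runs = run_lengths(flags)
    enc = [n for f, n in runs if f] or [0]
    plain = [n for f, n in runs if not f] or [0]
    return {
        "verdict": verdict,
        "encrypted_fraction": sum(flags) / len(flags) if flags else 0.0,
        "encrypted_run_chunks": median(enc),
        "plain_run_chunks": median(plain),
    }


# Constructed sample: 32 chunks of 4 KiB, every fourth chunk "encrypted"
# (seeded pseudo-random bytes), the rest repetitive report text.
CHUNK = 4096
_rng = random.Random(20250317)


def _random_chunk():
    return bytes(_rng.getrandbits(8) for _ in range(CHUNK))


PLAIN_CHUNK = (b"Quarterly report: revenue, costs, headcount, notes.\n" * 100)[:CHUNK]
RANDOM_FILE = b"".join(_random_chunk() for _ in range(8))
SAMPLE_FILE = b"".join(_random_chunk() if i % 4 == 0 else PLAIN_CHUNK
                       for i in range(32))

if __name__ == "__main__":
    print(classify_file(SAMPLE_FILE, CHUNK))
```

On a real disk image, run `classify_file` over candidate files with a chunk size at or below the suspected encrypted-run size, since a chunk larger than the encrypted run mixes plaintext in and pulls the entropy below the threshold.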
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aae116d3e592… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA RansomHub AUG 2024: CISA et al. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved March 17, 2025.
- [2] Group-IB RansomHub FEB 2025: Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
- [3] mitre-attack S1212
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.