S1212: RansomHub
RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware, which shares infrastructure, feature, and code overlaps with RansomHub.[1][2]
Analyst context for executives and security teams
RansomHub matters because ATT&CK describes it as a ransomware-as-a-service offering with Windows, ESXi, Linux, and FreeBSD versions, and relationships show behaviors that span discovery, lateral movement over SMB/admin shares, execution through PowerShell and Windows command shell, defense impairment, recovery inhibition, and data encryption for impact. For leaders, the decision value is not just “ransomware exists”; it is whether the organization can see and contain the pre-impact behaviors before encryption, service disruption, log clearing, or recovery inhibition affect business continuity.
Executive priority
Prioritize RansomHub as an operational resilience and incident-readiness use case. The ATT&CK relationships point to risks that executives should ask about directly: Are critical Windows and Linux environments monitored? Are SMB/admin-share paths controlled? Can the SOC detect discovery and service-stop activity before impact? Are recovery mechanisms protected from tampering? Can incident responders still reconstruct activity if Windows Event Logs are cleared? This object is also useful for audit and board evidence because it maps ransomware risk to concrete control areas: identity and admin access, endpoint visibility, network-share governance, backup/recovery protection, and incident response logging.
Technical view
SOC and IR teams should validate coverage across the related behaviors rather than relying on a single ransomware signature. Key ATT&CK-linked areas include Remote System Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Network Share Discovery, SMB/Windows Admin Shares, PowerShell, Windows Command Shell, Proxy, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Execution Guardrails, Time Based Checks, Registry Run Keys/Startup Folder, File Deletion, Clear Windows Event Logs, Safe Mode Boot, Service Stop, Inhibit System Recovery, Internal Defacement, and Data Encrypted for Impact. Detection engineering should test whether telemetry survives privilege misuse, log clearing, safe mode boot behavior, service disruption, and backup/recovery tampering scenarios.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, discovery utilities, service-control actions, and recovery-inhibition commands
- Windows Event Log collection, including evidence of log-clearing activity and gaps in expected log flow
- SMB/admin-share access records, file-share enumeration, and lateral movement indicators from Windows systems
- File-system telemetry for rapid file modification, deletion, creation of encrypted or encoded artifacts, and ransom-note or defacement-related changes where observable
- Registry monitoring for Run Key and Startup Folder persistence on Windows
Detection direction
- Correlate discovery behaviors with later SMB/admin-share access, command execution, service changes, and high-volume file activity; isolated discovery commands may be benign, but clustered sequencing increases investigative value.
- Tune PowerShell and Windows command-shell detections for suspicious administrative use while accounting for legitimate IT automation and remote administration.
- Validate that Windows Event Log clearing generates alerts from independent or forwarded telemetry, not only from the host whose logs may be cleared.
- Test visibility for Safe Mode Boot and service-stop behavior because endpoint controls may have reduced function when services or drivers are not loaded.
- Monitor recovery-inhibition activity as a high-priority ransomware precursor because it directly affects restoration options.
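The correlation logic described in the list above, as an added example that is not part of the ATT&CK object or the page's own tooling. It classifies process-creation events into coarse stages (discovery, admin-share use, service stop, recovery inhibition, log clearing, safe-mode boot), slides a time window over each host's hits, and alerts when several distinct stages cluster or when a single high-priority stage appears. The sample events, host names, users and the stage patterns are constructed for the example; the command lines are generic illustrations of the ATT&CK technique areas, not RansomHub-specific indicators, which the page does not supply.

```python
"""Behaviour-chain correlation over endpoint process-creation telemetry.

The sample events are constructed for this example. Their command lines are
generic illustrations of the ATT&CK technique areas named on the page
(discovery, admin shares, service stop, recovery inhibition, log clearing,
safe mode), not RansomHub-specific command patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Coarse per-stage matchers (assumed, for illustration). Any single hit may be
# legitimate administration; the signal is several distinct stages on one host
# inside a short window.
STAGE_PATTERNS = {
    "discovery": re.compile(r"\b(net view|net group|nltest|systeminfo|tasklist|arp -a)\b", re.I),
    "admin_share": re.compile(r"\\\\[^\\\s]+\\(admin\$|c\$|ipc\$)", re.I),
    "service_stop": re.compile(r"\b(net stop|sc(?:\.exe)? stop|stop-service)\b", re.I),
    "recovery_inhibit": re.compile(
        r"\b(vssadmin(?:\.exe)? delete shadows|wbadmin(?:\.exe)? delete catalog"
        r"|bcdedit(?:\.exe)?.*recoveryenabled no)\b", re.I),
    "log_clear": re.compile(r"\b(wevtutil(?:\.exe)? cl|clear-eventlog)\b", re.I),
    "safe_mode": re.compile(r"\bbcdedit(?:\.exe)?.*\bsafeboot\b", re.I),
}

# Stages that warrant an alert on their own because they directly affect
# recovery or investigation, even without a preceding discovery cluster.
HIGH_PRIORITY = {"recovery_inhibit", "log_clear", "safe_mode"}


def classify(cmdline):
    """Return the stage a command line belongs to, or None if it matches nothing."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmdline):
            return stage
    return None


def correlate(events, window=timedelta(minutes=60), min_stages=3):
    """Flag hosts whose classified events form a clustered stage sequence.

    An alert is raised when at least `min_stages` distinct stages occur on one
    host within `window`, or when any high-priority stage appears at all.
    Returns alert dicts sorted by host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev["cmdline"])
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage, ev["user"]))

    alerts = []
    for host, hits in per_host.items():
        best = None
        # Slide a window starting at each hit; keep the cluster with most stages.
        for i, (start, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - start <= window]
            stages = {h[1] for h in cluster}
            if best is None or len(stages) > len(best["stages"]):
                best = {"host": host, "stages": stages,
                        "first": cluster[0][0], "last": cluster[-1][0],
                        "users": {h[2] for h in cluster}}
        high = best["stages"] & HIGH_PRIORITY
        if len(best["stages"]) >= min_stages or high:
            best["priority"] = "high" if high else "medium"
            best["stages"] = sorted(best["stages"])
            best["users"] = sorted(best["users"])
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["host"])


def _t(hhmm):
    return datetime(2025, 3, 17, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: one host runs a full chain in 16 minutes, one admin host
# runs only discovery commands, and one server sees a lone safe-boot change.
SAMPLE_EVENTS = [
    {"ts": _t("09:02"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "net view /domain"},
    {"ts": _t("09:04"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": _t("09:11"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "cmd.exe /c copy payload.exe \\\\FS02\\ADMIN$\\"},
    {"ts": _t("09:15"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": _t("09:16"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": _t("09:18"), "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "wevtutil.exe cl Security"},
    {"ts": _t("10:30"), "host": "ADM07", "user": "CORP\\jdoe", "cmdline": "systeminfo"},
    {"ts": _t("14:00"), "host": "ADM07", "user": "CORP\\jdoe", "cmdline": "tasklist /svc"},
    {"ts": _t("11:00"), "host": "SRV03", "user": "CORP\\jdoe", "cmdline": "bcdedit /set {default} safeboot network"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["priority"], alert["host"], alert["stages"], alert["users"])
```

Run as a script it prints a high-priority alert for FS01 (five stages in one window) and for SRV03 (safe-boot change alone), and nothing for ADM07, whose two discovery commands hours apart never form a cluster. In production the patterns would be tuned per environment and the discovery stage alone should stay below alert threshold, as the list above advises.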
Mitigation priorities
- First, protect recovery: ensure backup and recovery mechanisms are access-controlled, monitored, and resistant to deletion or disabling.
- Second, reduce lateral movement exposure: limit SMB/admin-share use, review administrative account access, and validate least-privilege controls for remote shares.
- Third, harden and monitor execution paths: govern PowerShell and Windows command-shell usage without breaking legitimate administration.
- Fourth, improve logging resilience: forward logs off-host and verify alerts for Windows Event Log clearing, service stops, and safe mode related changes.
- Fifth, strengthen endpoint and server coverage across Windows and Linux assets, with special attention to high-value file servers and systems supporting business continuity.
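The collector-side checks behind the logging-resilience point above (and the detection-direction item on validating log-clearing alerts from forwarded telemetry), as an added example that is not part of the ATT&CK object or the page's own tooling. It runs over forwarded Windows Event Log records on the central collector, so the checks still fire after an endpoint's own logs are cleared: Security 1102 and System 104 for log clearing, System 7036 for watched services entering the stopped state, and a silence check that flags enrolled hosts that stop forwarding. The records, host names, the enrolled-host list and the watched-service list are constructed for the example; the event IDs and message formats are the standard Windows ones.

```python
"""Collector-side checks over forwarded Windows Event Log records.

These run on the central log collector, so they still fire after an endpoint's
own logs have been cleared. All records below are constructed for the example;
the event IDs and message formats are the standard Windows ones."""
import re
from datetime import datetime, timedelta

# Security 1102: "The audit log was cleared."
# System 104 (Microsoft-Windows-Eventlog): "The <name> log file was cleared."
# System 7036 (Service Control Manager): "The <service> service entered the <state> state."
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}
SERVICE_STATE_ID = ("System", 7036)
SERVICE_MSG = re.compile(r"^The (.+?) service entered the (\w+) state\.$")

# Services whose stop is a recovery or backup concern (assumed watch list).
WATCHED_SERVICES = {"Volume Shadow Copy", "SQL Server (MSSQLSERVER)", "Windows Backup"}


def detect_log_clearing(records):
    """Return one finding per log-clear event, ordered by time."""
    findings = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if (r["channel"], r["event_id"]) in LOG_CLEAR_IDS:
            findings.append({"ts": r["ts"], "host": r["host"],
                             "channel": r["channel"], "user": r.get("user", "")})
    return findings


def detect_service_stops(records, watched=WATCHED_SERVICES):
    """Return findings for watched services entering the stopped state."""
    findings = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if (r["channel"], r["event_id"]) != SERVICE_STATE_ID:
            continue
        m = SERVICE_MSG.match(r["message"])
        if m and m.group(2) == "stopped" and m.group(1) in watched:
            findings.append({"ts": r["ts"], "host": r["host"], "service": m.group(1)})
    return findings


def detect_flow_gaps(records, expected_hosts, now, max_silence=timedelta(minutes=15)):
    """Return {host: reason} for enrolled hosts that went quiet.

    A host that stops forwarding after a log clear or service stop is itself a
    finding: a cleared host cannot report its own gap, only the collector can."""
    last_seen = {}
    for r in records:
        if r["host"] not in last_seen or r["ts"] > last_seen[r["host"]]:
            last_seen[r["host"]] = r["ts"]
    gaps = {}
    for host in expected_hosts:
        if host not in last_seen:
            gaps[host] = "no records received"
        elif now - last_seen[host] > max_silence:
            gaps[host] = "silent for %d min" % ((now - last_seen[host]).seconds // 60)
    return gaps


def _t(hhmm):
    return datetime(2025, 3, 17, int(hhmm[:2]), int(hhmm[3:]))


EXPECTED_HOSTS = ["FS01", "FS02", "WS22"]   # hosts enrolled in forwarding (constructed)
NOW = _t("10:00")

SAMPLE_RECORDS = [  # constructed forwarded events
    {"ts": _t("09:14"), "host": "FS01", "channel": "System", "event_id": 7036,
     "message": "The SQL Server (MSSQLSERVER) service entered the stopped state."},
    {"ts": _t("09:15"), "host": "FS01", "channel": "System", "event_id": 7036,
     "message": "The Volume Shadow Copy service entered the stopped state."},
    {"ts": _t("09:18"), "host": "FS01", "channel": "Security", "event_id": 1102,
     "user": "CORP\\svc-backup", "message": "The audit log was cleared."},
    {"ts": _t("09:20"), "host": "FS01", "channel": "System", "event_id": 104,
     "user": "CORP\\svc-backup", "message": "The System log file was cleared."},
    {"ts": _t("09:40"), "host": "WS22", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"ts": _t("09:55"), "host": "WS22", "channel": "Security", "event_id": 4624,
     "user": "CORP\\jdoe", "message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    print(detect_log_clearing(SAMPLE_RECORDS))
    print(detect_service_stops(SAMPLE_RECORDS))
    print(detect_flow_gaps(SAMPLE_RECORDS, EXPECTED_HOSTS, NOW))
```

The three checks are intentionally separate queries rather than one rule: a log-clear event, a watched-service stop and a forwarding gap on the same host within minutes is the pattern an analyst wants surfaced, but each is worth an alert on its own, and the gap check is the only one that still works when the host has been silenced.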
Analyst notes and limits
This take is based on ATT&CK S1212 and its supplied relationships. The malware object carries no official detection text and lists no tactics directly, so the defensive guidance above is derived from the related techniques and the official description. That makes the object most useful as a ransomware behavior-chain validation case for SOC, IR, identity/admin-access review, backup resilience, and recovery readiness.
Local command patterns, filenames, infrastructure indicators, affected sectors, and confirmed exposure are not provided here. Any determination of coverage or risk requires environment-specific telemetry validation, control testing, and incident-response evidence review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aae116d3e592… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA RansomHub AUG 2024: CISA et al. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved March 17, 2025.
[2] Group-IB RansomHub FEB 2025: Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
[3] mitre-attack S1212: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.