Summary
GOLD HUBBARD was a financially motivated cybercrime group that operated the RansomHub ransomware-as-a-service (RaaS) scheme. It used the name-and-shame, or double extortion, model, meaning affiliates of the scheme stole data and held it to ransom in addition to encrypting files and systems. The first victim was named on the RansomHub leak site on February 17, 2024. The number of listed victims steadily increased through 2024, likely as a result of the scheme's expansion as affiliates switched from LockBit after it was disrupted by law enforcement in February and from ALPHV/BlackCat following the shuttering of its operation in a likely exit scam in March. In March 2025, after a public spat between GOLD HUBBARD and GOLD FLAME, the operators of the DragonForce RaaS, the RansomHub operation was shuttered.
According to Symantec, the RansomHub ransomware bears similarities to Cyclops and Knight variants that were used consecutively in name-and-shame ransomware operations in mid- to late-2023. It is possible that RansomHub represented a rebrand of Knight ransomware, although it is more likely the RansomHub developers used the Knight source code after it was sold on an underground forum around the same time RansomHub began operating.
The apparently large number of affiliates working with RansomHub meant that a variety of tools and tactics, techniques and procedures (TTPs) were seen in deployments of the ransomware. CTU researchers have observed a Citrix account with single-factor authentication abused for initial access, while the Cybersecurity and Infrastructure Security Agency (CISA) cited spear phishing, password spraying and the exploitation of vulnerabilities in internet-facing services as initial access vectors in RansomHub intrusions. Multiple such vulnerabilities were exploited by affiliates and included flaws in FortiOS, Citrix ADC (NetScaler) and Confluence Data Center. The Zerologon vulnerability in Microsoft's Netlogon was also exploited.
RansomHub affiliates used a range of off-the-shelf, freely available and cracked legitimate tools in support of their activities. These include the Mimikatz credential harvesting tool, the Cobalt Strike and Sliver adversary simulation frameworks, the AngryIPScanner network discovery tool and Rclone and WinSCP for data exfiltration. Both Trend Micro and Sophos reported on the use of a custom tool called EDRKillShifter in RansomHub attacks to disable endpoint detection and response (EDR) solutions for defense evasion. RansomHub ransomware has variants that its affiliates used to encrypt files on both Microsoft Windows devices and VMware ESXi hosts. With the shuttering of RansomHub, affiliates likely moved to other RaaS schemes.