The RansomHub ransomware-as-a-service (RaaS) operation appears to be facing internal conflict as some affiliates reportedly lost access to the gang’s chat portals last week.
RansomHub, which became the most prolific ransomware group of 2024 following the disruption of LockBit and ALPHV/BlackCat, apparently faced “a series of internal disagreements and disunity” at the beginning of April, GuidePoint’s Research and Intelligence Team (GRIT) reported on Tuesday.
An “unknown number of affiliates” were cut off from RansomHub’s communication channels with victims on April 1 due to the internal conflict, leading the cybercriminals to move negotiations to other channels, including the platforms of other RaaS groups, according to GRIT.
Meanwhile, some members aired their confusion on the dark web cybercrime forum RAMP, where a rival ransomware group called DragonForce claimed that RansomHub had partnered with them and migrated their infrastructure.
GuidePoint noted that DragonForce may simply be taking the opportunity to muddy the waters and market themselves amid the turmoil, although DragonForce did take over another RaaS operation called BlackLock last month after its data leak site was compromised by Resecurity researchers.
“This incident can bring to light the notion that there really is ‘no honor among thieves,’” noted GuidePoint Security Principal Threat Intelligence Consultant Justin Timothy, in an email to SC Media.
Supporting the theory that RansomHub is facing setbacks due to internal conflict is the fact that the group’s data leak site has been inactive since March 31.
“It is not entirely unusual for data leak sites to experience short durations of downtime due to hosting instabilities associated with the dark web; however, this downtime coupled with the internal strife that we are seeing from RansomHub could be further indication of the group’s internal administration deteriorating,” Timothy said.
Ironically, RansomHub gained much of its success and notoriety by recruiting disgruntled affiliates from other groups such as ALPHV/BlackCat, which reportedly pulled an exit scam on its own affiliates when it shut down last year. Most notably, RansomHub recruited the threat actor known as “notchy” to obtain data from the Change Healthcare breach after ALPHV/BlackCat allegedly ran off with a $22 million ransom.
Additionally, RansomHub has marketed its affiliate program by offering favorable revenue cuts and allowing ransom payments to go directly to affiliates, presenting itself as a more trustworthy and affiliate-friendly RaaS group, GRIT noted.
“While information continues to emerge, we cannot help but note the irony of a group which rose to prominence by promising stability and security for affiliates appearing to have failed or betrayed those same affiliates within a year,” the GRIT researchers wrote.
As the situation unfolds, RansomHub victims also face confusion as they are suddenly directed to new communication channels by threat actors. Timothy said organizations that fall victim to ransomware should have second thoughts about negotiating with these groups.
“Because of this, responders themselves may have even less trust in RaaS operations if a ransom payment is made and a decryptor/data deletion is promised. These events highlight that the ransomware actors are criminals at the end of the day and inherently untrustworthy,” Timothy said.