Prepared by: Richard Grainger, Global Head of Digital Forensics | Last update: 13 April 2026
Threat actor profile: RansomHub
Threat actor status: INACTIVE / MONITORING
A ransomware group that emerged in 2024 has been operating inside Australian and New Zealand networks for an average of 69 days before detection; quietly mapping environments, identifying backup weaknesses, and stealing sensitive data before pulling the trigger on encryption. RansomHub, a financially motivated threat actor operating under a ransomware-as-a-service (RaaS) model, targeted organisations across healthcare, finance, manufacturing, education, and government. Triskele Labs conducted direct incident response to eight RansomHub-related intrusions, providing firsthand insight into how affiliates operate - and what defenders can do to close the gaps they exploit.
Who is RansomHub?
RansomHub is a financially motivated ransomware group that emerged in 2024 and operates under a ransomware-as-a-service (RaaS) model — meaning the group develops and maintains the ransomware platform while independent affiliates carry out the actual intrusions in exchange for a share of ransom payments.
They are known for aggressive double extortion: affiliates both encrypt victim environments and exfiltrate sensitive data, then use a dark web leak site to pressure organisations into paying. Those that do not comply face public exposure of their stolen information.
RansomHub primarily targets enterprise Windows environments and has affected organisations across a broad range of sectors, including healthcare, finance, manufacturing, education, and government.
Triskele Labs has conducted direct response to eight RansomHub-related incidents, providing firsthand insight into the group’s operational behaviour.
How do they operate?
RansomHub’s activity across Triskele Labs investigations shows a consistent pattern of deliberate compromise designed to maximise leverage.
Double extortion as the pressure mechanism
RansomHub affiliates exfiltrate sensitive data while also encrypting systems. This enables them to pressure victims with both operational disruption and the threat of publishing stolen information.
Extended dwell time
One defining characteristic observed is an extended dwell time. On average, RansomHub affiliates maintained access to compromised networks for up to 69 days before detection or encryption. This longer access window enables thorough reconnaissance and significantly increases the blast radius when ransomware is finally deployed.
Reconnaissance with a focus on backups
Affiliates pay special attention to identifying how backup systems operate and where backup coverage is weak. This allows them to deliberately target recovery pathways, reducing a victim’s ability to restore without paying.
Living off the land activity
Rather than deploying custom malware, affiliates use legitimate administrative tools already present in the environment for movement and execution. This reduces detection opportunities, as the activity can blend in with normal IT operations.
Cloud-based exfiltration and resilient access
Data exfiltration is commonly performed using Rclone — a command-line tool originally designed for syncing files to cloud storage services such as Dropbox, Google Drive, and OneDrive. Affiliates repurpose it to quietly transfer stolen data out of the network. The group also employs a distributed, multi-layer command-and-control (C2) infrastructure and uses anonymisation techniques such as VPNs, compromised third-party services, and tunnelling via Cloudflared — a tool from Cloudflare that creates encrypted tunnels, used here to maintain persistent, hidden access into compromised environments. Tools like Netexec — a network execution framework used to authenticate and run commands across systems at scale — have also been observed in use across engagements.
What changed in 2025?
In late March 2025, RansomHub abruptly ceased operations and removed their infrastructure from the dark web. Shortly thereafter, rival ransomware group DragonForce claimed that RansomHub had joined its platform, suggesting a shift toward a decentralised ransomware cartel model. This change fragmented RansomHub’s affiliate network, with some affiliates moving to other groups such as Qilin, while others appeared to disband entirely.
Since then, the group has remained largely silent, creating uncertainty about future activity. Organisations should continue monitoring for activity consistent with former RansomHub affiliates operating under new banners.
Practical defences against RansomHub-style intrusions
The following defensive actions align directly to behaviours observed across Triskele Labs RansomHub incident response engagements.
Reduce exposure to credentialed remote access pathways
RansomHub intrusions have involved VPN-based access using valid credentials, including both domain and local accounts. To reduce the likelihood of credentialed remote access being abused:
- Review and minimise externally accessible remote access services
- Audit VPN authentication and account hygiene, including local VPN accounts
- Strengthen authentication controls for remote access, with a focus on preventing misuse of valid accounts
Plan for long dwell time and earlier-stage detection
Given the extended dwell time observed, defenders should assume affiliates may be present for weeks or months prior to encryption. Focus detection efforts on:
- Discovery activity against network services and shares
- Account discovery within domain environments
- Data staging behaviour, particularly centralised staging prior to exfiltration
Detect and restrict cloud tunnelling and exfiltration tooling
RansomHub affiliates have used Cloudflared to maintain persistent, covert access, and Rclone to exfiltrate data to cloud storage. Defenders should:
- Monitor for tunnelling activity consistent with Cloudflared usage
- Monitor for data transfer patterns consistent with Rclone-driven exfiltration to cloud services
- Watch for tools such as Netexec that may support lateral movement and credential validation
Watch for defence evasion and log tampering
Affiliates have been observed disabling or modifying security tooling and clearing Windows event logs — both of which reduce the ability to detect and investigate their activity. Ensure you can detect and respond to:
- Security tool disablement and modification activity
- Event log clearing and other evidence removal behaviours
Harden lateral movement pathways
RDP-based lateral movement has been observed. Strengthen controls and monitoring around:
- RDP access pathways inside the environment
- Pass-the-hash attacks — a technique where an attacker uses a captured password hash rather than the plain-text password to authenticate — used in connection with some RDP lateral movement
Protect backups as a priority target
Because affiliates deliberately focus on backups and recovery weaknesses, organisations should:
- Review backup architecture and identify coverage gaps
- Validate the security of backup systems and administrative access pathways
- Assume backup systems may be deliberately targeted in the lead-up to encryption
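As an added example (not Triskele Labs code), the following Python turns the detection priorities above into a small triage pass over constructed, normalised telemetry: it flags the tooling named in the profile by image name, corroborates a renamed binary by the shape of its command line (an Rclone transfer to a configured remote, a Cloudflared tunnel), and picks up Windows event log clearing. Assumed: events arrive pre-normalised as JSON lines with kind/host/image/cmdline/event_id fields, and Netexec runs under its short alias nxc; the sample events are invented.

```python
import json
import re
from collections import defaultdict
# Binaries named in the profile; "nxc" is the short alias Netexec ships under (assumed unrenamed).
TOOLING = {
    "rclone.exe": "Rclone present (cloud exfiltration tooling)",
    "cloudflared.exe": "Cloudflared present (tunnelling tooling)",
    "netexec.exe": "Netexec present (lateral movement / credential validation)",
    "nxc.exe": "Netexec present (lateral movement / credential validation)",
}
# Windows records log clearing as Security event 1102 and System event 104 (T1070.001).
LOG_CLEARED = {1102: "Security event log cleared (T1070.001)", 104: "Event log cleared (T1070.001)"}
# Command-line shapes that survive a renamed binary: an Rclone transfer verb followed by a
# "remote:" destination of 2+ characters (so a drive letter does not match), and a cloudflared tunnel.
RCLONE_SHAPE = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+\w{2,}:", re.I)
TUNNEL_SHAPE = re.compile(r"\btunnel\b.*?(\brun\b|--url)", re.I)

def classify(event):
    """Return the profiled behaviours that one normalised event matches."""
    hits = []
    if event.get("kind") == "process":
        image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmd = event.get("cmdline", "")
        if image in TOOLING:
            hits.append(TOOLING[image])
        if RCLONE_SHAPE.search(cmd):
            hits.append("Rclone-style transfer to a cloud remote (T1567.002)")
        if TUNNEL_SHAPE.search(cmd):
            hits.append("Cloudflared-style tunnel established")
    elif event.get("kind") == "eventlog" and event.get("event_id") in LOG_CLEARED:
        hits.append(LOG_CLEARED[event["event_id"]])
    return hits

def triage(jsonl):
    """Group findings per host, most behaviours first: several together is the stronger lead."""
    per_host = defaultdict(list)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for hit in classify(ev):
            per_host[ev["host"]].append(hit)
    return dict(sorted(per_host.items(), key=lambda kv: -len(kv[1])))
# Constructed sample telemetry (not a real case): renamed Rclone, Cloudflared and a cleared Security log on FS01; benign WS22; Netexec on DC01.
SAMPLE = """
{"kind":"process","host":"FS01","image":"C:\\\\Temp\\\\svc.exe","cmdline":"svc.exe copy D:\\\\Staging remote1:backup -P"}
{"kind":"process","host":"FS01","image":"C:\\\\Temp\\\\cloudflared.exe","cmdline":"cloudflared.exe tunnel run fs01"}
{"kind":"eventlog","host":"FS01","event_id":1102}
{"kind":"process","host":"WS22","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"kind":"process","host":"DC01","image":"C:\\\\Users\\\\a\\\\nxc.exe","cmdline":"nxc.exe smb hosts.txt"}
"""
```

Calling triage(SAMPLE) returns FS01 first with four findings and DC01 with one; WS22 produces nothing. Image-name matching alone would have missed the renamed Rclone on FS01, which is why the command-line shape check is kept alongside it.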
Summary
RansomHub is a financially motivated RaaS operation known for double extortion and a deliberate, patient approach to compromise. Across Triskele Labs investigations, affiliates demonstrated extended dwell time averaging 69 days, methodical reconnaissance, a strong focus on backup systems, and heavy reliance on legitimate tooling to blend into normal administrative activity. Exfiltration via Rclone and persistent access via Cloudflared-style tunnelling were recurring themes, alongside common defence evasion actions such as security tooling interference and Windows event log clearing.
In late March 2025, RansomHub ceased operations and removed its infrastructure from the dark web, followed by claims of alignment with DragonForce and fragmentation of the affiliate ecosystem. The group’s subsequent silence has created uncertainty around future activity.
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
| --- | --- | --- |
| Initial Access | T1133 – External Remote Services | VPN was used to remotely access the environment |
| Initial Access | T1078.002 – Valid Accounts: Domain Accounts | Valid credentials were used to gain access to the network |
| Initial Access | T1078.003 – Valid Accounts: Local Accounts | Local accounts for the VPN were used to gain access |
| Execution | T1543.003 – Create or Modify System Process: Windows Service | A system process was created or modified |
| Discovery | T1046 – Network Service Discovery | Network services were scanned to identify active systems and open ports |
| Discovery | T1135 – Network Share Discovery | Systems were scanned to identify network shares |
| Discovery | T1087.002 – Account Discovery: Domain Account | Domain account information was collected |
| Lateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol | RDP was used to move laterally within the environment |
| Defence Evasion | T1562.001 – Impair Defences: Disable or Modify Tools | Security tooling was disabled or modified |
| Defence Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs | Event logs were cleared to hide activity |
| Defence Evasion | T1550.002 – Use Alternate Authentication Material: Pass the Hash | Pass the hash was used for some RDP connections |
| Collection | T1039 – Data from Network Shared Drive | Data was collected from network shares |
| Collection | T1074 – Data Staged | Data was staged centrally before exfiltration |
| Impact | T1486 – Data Encrypted for Impact | Data was encrypted, rendering systems inoperable |
| Exfiltration | T1567.002 – Exfiltration Over Web Service: Cloud Storage | Data was uploaded to cloud storage |
Commonly utilised tooling:
| Tool | Purpose |
| --- | --- |
| Cloudflared | Tunnelling tool used to bypass perimeter protections and establish resilient access |
| Rclone | Used for data exfiltration to cloud storage |
| Netexec | Used for lateral movement and credential validation |
| Anonymising infrastructure | VPNs and compromised third-party services used for obfuscation |
| Anti-analysis binaries | Payloads may include obfuscation and anti-debugging protections |
More reading:
- State of Cyber: Threat Actors
  https://www.stateofcyber.com.au/report/dfir#threat-actors-are-getting-smarter
  Contextualises RansomHub within the broader Australian ransomware landscape
- Threat Actor: Qilin
  https://www.triskelelabs.com/blog/qilin-on-the-rise-what-australian-organisations-need-to-know
  Sister article in the same threat actor series
- Reinfection/Persistence
  https://www.triskelelabs.com/blog/how-threat-actors-regain-access-after-ransomware-attack
  How threat actor groups regain access after an initial attack using persistence techniques
- Kairos
  https://www.triskelelabs.com/blog/kairos-changing-the-ransomware-playbook
  Triskele Labs’ recent DFIR encounter with threat actor Kairos