RansomHub, a relatively new player in the ransomware-as-a-service (RaaS) landscape, is experiencing significant internal turmoil after affiliates suddenly lost access to negotiation chat portals on April 1st, 2025. GuidePoint Security’s Research and Intelligence Team (GRIT) researchers identified the first signs of trouble on the morning of April 1st when multiple client chat portals used for ransomware negotiations suddenly went offline. This disruption has forced affiliates to redirect victim communications to alternative platforms, including those belonging to competing ransomware groups, creating confusion in ongoing extortion attempts and potentially threatening ransom payments in progress.

Adding another layer of complexity to the situation, competing RaaS operator DragonForce made a public claim on April 2nd that RansomHub had “decided to move to their infrastructure” under “a new option from The DragonForce Ransomware Cartel”. This announcement appeared on the RAMP forum, where it prompted immediate skepticism from users, with some questioning if RansomHub had been “taken down” by DragonForce. A user named “Hexcat” directly requested clarity for RansomHub affiliates, underscoring the confusion prevalent among the criminal ecosystem’s participants. The ambiguity surrounding this claim was further highlighted when DragonForce requested that RansomHub “consider [their] offer,” suggesting the announcement may have been premature or possibly a form of opportunistic marketing during RansomHub’s moment of vulnerability.

Unlike many competitors, RansomHub implemented a business model that directed ransom payments either directly to affiliates or split them at the point of transaction, significantly reducing the risk of “exit-scamming” – a common problem where RaaS administrators keep entire ransoms and abandon their affiliates.
This instability mirrors patterns seen in other prominent ransomware groups that collapsed due to internal conflicts, including Conti (Russia-Ukraine disagreements), Alphv (affiliate exit-scamming), and Black Basta (targeting disputes). Organizations facing RansomHub ransom notes now face additional complications, as communication channels have become unreliable and the group’s ability to provide decryption tools is increasingly questionable.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Apr 2025 08:40:16 +0000