RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)

RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)	Malware	1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2