Skip to content

Hide Navigation Hide TOC

RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9)

RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Safe Mode Boot - T1688 (c7660f19-f8c5-4ae3-a5e5-24381c270376) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
RansomHub - S1212 (16662bee-9d15-4564-a128-1fce214866e9) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2