RansomHub appeared in early 2024 and within a year became the largest active ransomware-as-a-service program by claim count, filling much of the void left by the LockBit takedown and the ALPHV exit-scam. In 2026 they remain at the top of the leaderboard. Here’s how they got there and what they look like operationally.
The affiliate-friendly structure
RansomHub’s pitch to affiliates was specific and well-timed. Where ALPHV exit-scammed an affiliate by withholding a multi-million-dollar payout in early 2024, RansomHub launched with a 90/10 affiliate split (against the typical 70/30 or 80/20) and a structure where the affiliate received the ransom payment directly and forwarded the operator’s cut, rather than the other way around. The trust-architecture move was deliberate. Affiliates who’d been burned moved their pipelines onto RansomHub’s encryptor within weeks.
The technical capability
The encryptor itself is competent rather than novel: cross-platform support (Windows, Linux, ESXi) and the expected combination of strong encryption (Curve25519 + ChaCha20), shadow-copy deletion, and selective skipping of system folders so the OS stays bootable to display the ransom note. The privilege-escalation tooling, lateral-movement scripts, and security-tool-disabling scripts are essentially the standard 2024-2025 affiliate toolkit.
Where they invest more than typical: leak-site and victim-management tooling. The affiliate portal is genuinely well designed from the operator’s UX perspective, and that investment shows up in the operator’s ability to handle high volume without operational mistakes.
Notable victim profile
RansomHub’s victim profile across 2025 covers most sectors: healthcare is disproportionately represented, there are multiple municipal-government incidents, and several large logistics and shipping operators appear on the list. The tendency is toward mid-market enterprise targets where the ransom can be priced in the low millions and the victim has the cash to pay if cornered.
The 2025 healthcare-sector incidents in particular drew sustained attention from US authorities and were a major contributor to the HHS cybersecurity guidance updates of late 2025.
The Scattered Spider connection
A meaningful share of RansomHub’s high-profile incidents have been attributed to Scattered Spider operators using RansomHub’s encryptor. The arrangement appears stable and ongoing. The implication: defending against RansomHub specifically requires defending against Scattered Spider’s TTPs (help-desk social engineering, SIM-swap), not just generic ransomware-affiliate TTPs.
Detection and defence priorities
Initial-access vectors observed across RansomHub incidents are unsurprising: Citrix and Ivanti edge-appliance exploits, stolen credentials from stealer logs, and social engineering against IT help desks. The defensive priority list is therefore the standard one: edge-appliance patching, MFA hardening, identity monitoring for impossible travel and risk-based authentication, EDR coverage on every Windows host that touches the network, and offline backups verified through quarterly restore tests.
What’s next
RansomHub’s structural position is strong but not invulnerable. The same affiliate-friendliness that built them up means affiliates can leave fast if a competitor offers better terms, and several mid-tier operators are now offering 95/5 splits. Watch for affiliate migration through 2026; the operator at the top of the leaderboard a year from now may be a different brand entirely, populated by the same operatives.
