
Malware: RansomHub (S1212)

  • Type: Ransomware
  • Associated threat actors: Former ALPHV and LockBit affiliates, ShadowSyndicate, Ransomware-as-a-Service operators
  • Key Capabilities: Encrypts files across multiple platforms. Steals data for double extortion. Deletes volume shadow copies. Clears event logs to hide activity.
  • OS Targeted: Windows, Linux, VMware ESXi, FreeBSD
  • IoCs on Maltiverse: Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

What is RansomHub?

RansomHub (S1212) is an aggressive ransomware strain that emerged in early 2024. Operating as a Ransomware-as-a-Service (RaaS), the platform grew rapidly by recruiting top cybercriminals and former affiliates from disrupted cartels like ALPHV and LockBit.

Affiliates deploy the malware after breaching networks via unpatched vulnerabilities, phishing campaigns, or stolen credentials. Once inside, they move laterally to locate and steal sensitive company data for extortion.

When deployed, the RansomHub payload encrypts files on critical systems across multiple platforms. It actively sabotages recovery efforts by terminating security services and deleting local volume shadow copies, and it clears Windows event logs to erase evidence, which severely complicates incident response for IT teams.

The attackers then rely on double extortion, demanding a massive ransom and threatening to publish the stolen data on their dark web leak site.

How to Defend Against RansomHub?

Defending against RansomHub requires strict vulnerability management, offline data redundancy, and continuous network monitoring.

  • Secure remote access: Attackers frequently exploit known vulnerabilities and use stolen credentials to enter the network. Enforce Multi-Factor Authentication (MFA) and use Lumu Discover to continuously monitor for compromised credentials.
  • Maintain offline backups: RansomHub actively destroys local backups and shadow copies. Store critical data offline to ensure quick recovery without paying a ransom.
  • Deploy endpoint detection: Monitor devices for suspicious administrative commands. Flag any process that attempts to disable security software, clear event logs, or delete shadow copies.
  • Use network detection (NDR): Use tools like Lumu Defender to identify unauthorized data exfiltration. Detect the subtle command and control beacons from the attacker before encryption begins.
  • Integrate threat intelligence: Use platforms like Lumu Maltiverse to stay updated on the latest RansomHub indicators and block access to malicious domains.
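The "Deploy endpoint detection" item above asks for three behaviours to be flagged: shadow-copy deletion, event-log clearing, and attempts to stop security software. The following script is an added illustration of that detection logic and is not code from Lumu or from this page. It assumes process-creation events have already been converted to JSON-like dicts with `host`, `user`, `image` and `cmdline` fields (as an EDR or Sysmon feed would provide); the sample events and the command-line patterns are constructed, generic living-off-the-land examples of each behaviour, not indicators attributed to any specific RansomHub sample.

```python
"""Flag process-creation events that match the recovery-sabotage behaviours
named in the RansomHub profile: shadow-copy deletion, event-log clearing,
and stopping security services. Sample events below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern  # applied to the lowercased full command line


# Generic Windows command patterns for each behaviour. These are common
# living-off-the-land techniques, not indicators from a particular sample.
RULES = [
    Rule("shadow_copy_deletion", "critical",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                    r"|win32_shadowcopy.*(delete|remove)"
                    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup))")),
    Rule("event_log_clearing", "high",
         re.compile(r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b)")),
    Rule("security_service_stop", "high",
         # a stop/kill verb followed anywhere by a security-related keyword
         re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|delete|config)"
                    r"|taskkill(\.exe)?)\b.*(defend|antivirus|antimalware|security|edr)")),
]

# Constructed sample feed: three sabotage commands and two benign ones
# (a git pull, and a wevtutil *query* that must not be confused with a clear).
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop WinDefend /y"},
    {"host": "ws-03", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Git\\git.exe",
     "cmdline": "git pull origin main"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:5"},
]


def evaluate(event):
    """Return the list of rules whose pattern matches this event's command line."""
    cmd = event.get("cmdline", "").lower()
    return [rule for rule in RULES if rule.pattern.search(cmd)]


def scan(events):
    """Run every rule over every event and return one alert dict per match."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule.name, "severity": rule.severity,
                           "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_multiple_behaviours(alerts):
    """Hosts showing two or more distinct sabotage behaviours. A single
    admin command can be legitimate maintenance; the combination is the
    pre-encryption pattern the profile describes and deserves escalation."""
    seen = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["rule"])
    return sorted(host for host, rules in seen.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: "
              f"{alert['rule']} <- {alert['cmdline']}")
    print("escalate:", hosts_with_multiple_behaviours(found))
```

Run against the constructed feed, the script raises three alerts (one per sabotage behaviour) and escalates only `ws-17`, where shadow-copy deletion and log clearing occur together; the benign git and log-query events produce nothing. In a real deployment the same rules would sit in the EDR or SIEM query language, with the multi-behaviour correlation windowed over a short interval per host.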
