RansomHub has refined its extortion model and expanded affiliate recruitment efforts amid increasing volatility in the ransomware ecosystem.
Following law enforcement actions and multiple exit scams affecting major Ransomware-as-a-Service (RaaS) players, the group has positioned itself as a viable alternative for displaced affiliates.
According to a new technical analysis by Group-IB, in its affiliate panel’s News section, RansomHub outlines a pricing model based on victim revenue aimed at increasing the likelihood of ransom payments. The guidance emphasizes standard disruption tactics such as deleting Windows Shadow Copies and virtual machine snapshots to prevent recovery.
Earlier versions of the group’s Negotiation FAQ – now removed – included instructions encouraging affiliates to report incidents to regulatory bodies like GDPR, PIPL and PDPL. The aim was to increase pressure by presenting ransom payments as a lower-cost option compared to potential regulatory fines.
Unlike some groups that avoid regulatory disclosure to preserve negotiations, RansomHub previously promoted it as a tactic. Operators initially advised against exposing victim names or data, but if talks fail, stolen data could be leaked via the group’s Data Leak Site (DLS).
Throughout late 2023 and early 2024, operations by Europol, the FBI and NCA disrupted LockBit, ALPHV and others, prompted affiliate migration to other services.
RansomHub responded by promoting favorable terms to attract new partners, including:
- Low commission rates (initially 10%, later increased to 15%)
- Support for personal cryptocurrency wallets
- Full affiliate control over victim negotiations
- Additional customization options in ransom notes
Representatives were active on RAMP forums, highlighting these features while capitalizing on the instability of rivals.
In early April 2025, RansomHub’s infrastructure experienced unplanned downtime. Shortly after, Qilin’s administrator “Haise” became active on RAMP, advertising a new ransomware version and DDoS extortion features.
From February onward, Qilin’s monthly victim disclosures rose significantly, suggesting a potential influx of new affiliates, possibly from RansomHub.
Read more on this malware: Qilin Ransomware’s Sophisticated Tactics Unveiled By Experts
RansomHub and other groups continue to offer broadly similar ransomware functionality, including file encryption, process termination and backup deletion. As technical differences between families narrow, affiliate trust, communication flexibility and perceived reliability increasingly influence group success.
According to Group-IB, the recent shifts highlight a broader trend – affiliate migration and brand perception are playing a larger role in RaaS group dynamics than malware innovation alone.
For defenders, tracking these changes remains essential for anticipating threat actor behavior in an increasingly fragmented threat landscape.