Threat Actor Profile
Critical Cybercriminal
Description

The group emerged in mid-February 2024 and has already listed several organizations as alleged victims, extorting them through encryption and data leaks.

The sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was announced on RAMP4U (or RAMP), one of the Russian-origin forums used by cybercriminals to advertise malicious services. A user with the nickname and persona 'koley' announced the affiliate program on February 2, 2024.

The RaaS announcement states that laundering the paid ransoms is the affiliate's responsibility. This means that all communication with the victim, including delivery of the decryptor, is done through the chat. The split would be 90% of the ransom for the affiliate and 10% for the developer, who in this case would be the persona Koley.

Furthermore, according to the publication, the ransomware payload is written in Golang, uses an asymmetric scheme based on x25519 together with the encryption algorithms AES256, ChaCha20, and xChaCha20, and stands out for its speed. The encryption is obfuscated using AST.

The payload would support network propagation and encryption of data in both secure and local mode. According to Koley, the ransomware is designed to operate on Windows, Linux, and ESXi, as well as on other architectures such as ARM and MIPS.

As shown in the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, respond automatically when offline, and create private blog pages.

Source: https://github.com/crocodyli/ThreatActors-TTPs

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (8)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1562 - Impair Defenses (Defense Evasion)
T1047 - Windows Management Instrumentation (Execution)
T1059.003 - Windows Command Shell (Execution)
T1486 - Data Encrypted for Impact (Impact)
T1489 - Service Stop (Impact)
T1490 - Inhibit System Recovery (Impact)
T1570 - Lateral Tool Transfer (Lateral Movement)
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'The group emerged in mid-February 2024 and has already listed '
                'several organizations as alleged victims of their attacks, '
                'resulting from extortion through encryption and data '
                'leaks.<br> <br> The announcement of the sale of the new '
                'Ransomware-as-a-Service (RaaS) by RansomHub was published on '
                'one of the Russian-origin forums used by cybercrime to '
                'advertise malicious services, known as RAMP4U (or RAMP). A '
                "user with the nickname and persona of 'koley' announced the "
                'affiliate program on February 2, 2024.<br> <br> In the new '
                'RaaS announcement, it was mentioned that the money laundering '
                'operation of the paid ransoms is the responsibility of the '
                'affiliate. This means that all communication and sending of '
                'the decryptor to the victim are done through chat. The split '
                'of this RaaS would be 90% of the value for the affiliate and '
                '10% for the developer, who in this case would be the persona '
                'of Koley.<br> <br> Furthermore, according to the publication, '
                'the ransomware payload is written in Golang language, uses '
                'the asymmetric algorithm based on x25519, and encryption '
                'algorithms AES256, ChaCha20, and xChaCha20, standing out for '
                'its speed. The encryption is obfuscated using AST.<br> <br> '
                'The payload would support network propagation and encryption '
                'of data both in secure and local mode. According to Koley, '
                'the ransomware is designed to operate on platforms such as '
                'Windows, Linux, and ESXi, as well as other architectures such '
                'as ARM and MIPS.<br> <br> As pointed out by the panel and '
                'already highlighted by the intelligence team, Koley stated '
                'that the panel uses a .onion domain, allowing the affiliate '
                'to organize and manage targets and chat rooms, view access '
                'logs, automatically respond when offline, and create private '
                'blog pages.<BR>Source: '
                'https://github.com/crocodyli/ThreatActors-TTPs',
 'firstseen': '2023-03-09T00:00:00+00:00',
 'group': 'ransomhub',
 'has_negotiations': True,
 'has_ransomnote': True,
 'lastseen': '2025-03-31T16:17:39+00:00',
 'locations': [{'available': False,
                'fqdn': 'fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion',
                'slug': 'http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion',
                'title': 'Index of /',
                'type': 'Files'},
               {'available': False,
                'fqdn': 'ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion',
                'slug': 'http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion',
                'title': 'RansomHub | Home',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion',
                'slug': 'http://ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion',
                'title': 'Index of /',
                'type': 'Files'}],
 'negotiation_count': 1,
 'ransomnotes_count': 4,
 'tiaras_metadata': {'has_negotiations': True,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion',
                                    'slug': 'http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion',
                                    'title': 'Index of /',
                                    'type': 'Files'},
                                   {'available': False,
                                    'fqdn': 'ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion',
                                    'slug': 'http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion',
                                    'title': 'RansomHub | Home',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion',
                                    'slug': 'http://ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion',
                                    'title': 'Index of /',
                                    'type': 'Files'}],
                     'negotiation_count': 1,
                     'ransomnotes_count': 4,
                     'ransomware_live_group': 'ransomhub',
                     'tools': {'CredentialTheft': ['Mimikatz'],
                               'DefenseEvasion': ['BadRentdrv2',
                                                  'ThreatFire System Monitor '
                                                  'driver (BYOVD)',
                                                  'Acronis Disk Director',
                                                  'Revo Uninstaller'],
                               'DiscoveryEnum': ['Angry IP Scanner',
                                                 'Nmap',
                                                 'SoftPerfect NetScan',
                                                 'WKTools'],
                               'Exfiltration': ['FileZilla',
                                                'PSCP',
                                                'RClone',
                                                'WinSCP'],
                               'LOLBAS': ['BITSAdmin', 'PsExec', 'WMIC'],
                               'Networking': ['Cloudflared',
                                              'Ngrok',
                                              'Stowaway'],
                               'Offsec': ['Cobalt Strike',
                                          'CrackMapExec',
                                          'Impacket',
                                          'Kerbrute',
                                          'Metasploit',
                                          'NetExec',
                                          'Sliver'],
                               'RMM-Tools': ['AnyDesk',
                                             'Atera',
                                             'N-Able',
                                             'ScreenConnect',
                                             'Splashtop',
                                             'TightVNC']},
                     'url': 'https://www.ransomware.live/group/ransomhub',
                     'victims': 842,
                     'vulnerabilities': [{'CVE': 'CVE-2023-46604',
                                          'CVSS': 10.0,
                                          'Product': 'ActiveMQ',
                                          'Vendor': 'Apache',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2023-22515',
                                          'CVSS': 9.8,
                                          'Product': 'Confluence Data Center & '
                                                     'Server',
                                          'Vendor': 'Atlassian',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2023-3519',
                                          'CVSS': 9.8,
                                          'Product': 'NetScaler ADC & Gateway',
                                          'Vendor': 'Citrix',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2023-27997',
                                          'CVSS': 9.8,
                                          'Product': 'FortiOS SSL-VPN & '
                                                     'FortiProxy',
                                          'Vendor': 'Fortinet',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2023-48788',
                                          'CVSS': 9.8,
                                          'Product': 'FortiClientEMS',
                                          'Vendor': 'Fortinet',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2023-46747',
                                          'CVSS': 9.8,
                                          'Product': 'BIG-IP',
                                          'Vendor': 'F5',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2020-1472 ("ZeroLogon")',
                                          'CVSS': 5.5,
                                          'Product': 'NetLogon',
                                          'Vendor': 'Windows',
                                          'severity': 'MEDIUM'},
                                         {'CVE': 'CVE-2020-0787',
                                          'CVSS': 7.8,
                                          'Product': 'BITS',
                                          'Vendor': 'Windows',
                                          'severity': 'HIGH'},
                                         {'CVE': 'CVE-2017-0144 '
                                                 '("EternalBlue")',
                                          'CVSS': 8.8,
                                          'Product': 'SMBv1',
                                          'Vendor': 'Windows',
                                          'severity': 'HIGH'}]},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['Mimikatz'],
           'DefenseEvasion': ['BadRentdrv2',
                              'ThreatFire System Monitor driver (BYOVD)',
                              'Acronis Disk Director',
                              'Revo Uninstaller'],
           'DiscoveryEnum': ['Angry IP Scanner',
                             'Nmap',
                             'SoftPerfect NetScan',
                             'WKTools'],
           'Exfiltration': ['FileZilla', 'PSCP', 'RClone', 'WinSCP'],
           'LOLBAS': ['BITSAdmin', 'PsExec', 'WMIC'],
           'Networking': ['Cloudflared', 'Ngrok', 'Stowaway'],
           'Offsec': ['Cobalt Strike',
                      'CrackMapExec',
                      'Impacket',
                      'Kerbrute',
                      'Metasploit',
                      'NetExec',
                      'Sliver'],
           'RMM-Tools': ['AnyDesk',
                         'Atera',
                         'N-Able',
                         'ScreenConnect',
                         'Splashtop',
                         'TightVNC']},
 'ttps': [{'tactic_id': 'TA0002',
           'tactic_name': 'Execution',
           'techniques': [{'technique_details': 'The ransomware deletes shadow '
                                                'copies using the WMIC.exe '
                                                'utility.',
                           'technique_id': 'T1047',
                           'technique_name': 'Windows Management '
                                             'Instrumentation'},
                          {'technique_details': 'The ransomware utilizes '
                                                'cmd.exe to execute various '
                                                'Windows utilities to '
                                                'implement various other '
                                                'techniques.',
                           'technique_id': 'T1059.003',
                           'technique_name': 'Command and Scripting '
                                             'Interpreter: Windows Command '
                                             'Shell'}]},
          {'tactic_id': 'TA0005',
           'tactic_name': 'Defense Evasion',
           'techniques': [{'technique_details': 'The ransomware clears the '
                                                "victim machine's application, "
                                                'system, and security event '
                                                'logs using the wevtutil.exe '
                                                'utility.',
                           'technique_id': 'T1070.001',
                           'technique_name': 'Indicator Removal: Clear Windows '
                                             'Event Logs'},
                          {'technique_details': 'Threat actors use files such '
                                                'as: STONESTOP and POORTRY to '
                                                'load drivers for the purpose '
                                                'of disabling and deleting AV '
                                                'files.',
                           'technique_id': 'T1562',
                           'technique_name': 'Impair Defenses: Disable or '
                                             'Modify Tools'}]},
          {'tactic_id': 'TA0008',
           'tactic_name': 'Lateral Movement',
           'techniques': [{'technique_details': 'Affiliates were identified '
                                                'using: psexec.exe, '
                                                'PsExec.exe, and smbexec.exe '
                                                'for lateral movement.',
                           'technique_id': 'T1570',
                           'technique_name': 'Lateral Tool Transfer'}]},
          {'tactic_id': 'TA0040',
           'tactic_name': 'Impact',
           'techniques': [{'technique_details': 'Files are encrypted using '
                                                'file replacement method.',
                           'technique_id': 'T1486',
                           'technique_name': 'Data Encrypted for Impact'},
                          {'technique_details': 'The Windows IIS service stop '
                                                'command is executed using '
                                                'iisreset.exe. Allows for '
                                                'encryption of web '
                                                'applications hosted on IIS '
                                                'servers as files linked to '
                                                'these applications are '
                                                'typically locked while IIS is '
                                                'running.',
                           'technique_id': 'T1489',
                           'technique_name': 'Service Stop'},
                          {'technique_details': 'The ransomware deletes system '
                                                'shadow copies to inhibit '
                                                'system recovery.',
                           'technique_id': 'T1490',
                           'technique_name': 'Inhibit System Recovery'}]}],
 'url': 'https://www.ransomware.live/group/ransomhub',
 'victims': 842,
 'vulnerabilities': [{'CVE': 'CVE-2023-46604',
                      'CVSS': 10.0,
                      'Product': 'ActiveMQ',
                      'Vendor': 'Apache',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2023-22515',
                      'CVSS': 9.8,
                      'Product': 'Confluence Data Center & Server',
                      'Vendor': 'Atlassian',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2023-3519',
                      'CVSS': 9.8,
                      'Product': 'NetScaler ADC & Gateway',
                      'Vendor': 'Citrix',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2023-27997',
                      'CVSS': 9.8,
                      'Product': 'FortiOS SSL-VPN & FortiProxy',
                      'Vendor': 'Fortinet',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2023-48788',
                      'CVSS': 9.8,
                      'Product': 'FortiClientEMS',
                      'Vendor': 'Fortinet',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2023-46747',
                      'CVSS': 9.8,
                      'Product': 'BIG-IP',
                      'Vendor': 'F5',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2020-1472 ("ZeroLogon")',
                      'CVSS': 5.5,
                      'Product': 'NetLogon',
                      'Vendor': 'Windows',
                      'severity': 'MEDIUM'},
                     {'CVE': 'CVE-2020-0787',
                      'CVSS': 7.8,
                      'Product': 'BITS',
                      'Vendor': 'Windows',
                      'severity': 'HIGH'},
                     {'CVE': 'CVE-2017-0144 ("EternalBlue")',
                      'CVSS': 8.8,
                      'Product': 'SMBv1',
                      'Vendor': 'Windows',
                      'severity': 'HIGH'}]}