Dragons Eye Ransomware Tracker
ransomhub

Status: Active
Total Victims: 844
Active Sites: 8 / 11
Has Parser: No

Top Target Countries: US, GB, BR, CA, IT

Top Target Industries: Business Services, Technology, Manufacturing, Healthcare, Government

Country Distribution
US: 364
GB: 42
BR: 36
CA: 35
IT: 32
DE: 23
AU: 20
ES: 20
Site Locations (11)
Description

The group emerged in mid-February 2024 and has already listed several organizations as alleged victims of its attacks, which combine extortion through encryption and data leaks. The sale of the new Ransomware-as-a-Service (RaaS) by RansomHub was announced on RAMP4U (or RAMP), a Russian-origin forum used by cybercriminals to advertise malicious services. A user with the nickname and persona 'koley' announced the affiliate program on February 2, 2024. The announcement stated that laundering the paid ransoms is the responsibility of the affiliate. This means that all communication and sending of the decryptor to the victim are done through chat. The RaaS split would be 90% of the value for the affiliate and 10% for the developer, who in this case would be the persona Koley. Furthermore, according to the publication, the ransomware payload is written in Golang, uses an asymmetric algorithm based on x25519 and the encryption algorithms AES256, ChaCha20, and xChaCha20, and stands out for its speed. The encryption is obfuscated using AST. The payload would support network propagation and encryption of data both in secure and local mode. According to Koley, the ransomware is designed to operate on platforms such as Windows, Linux, and ESXi, as well as other architectures such as ARM and MIPS. As pointed out by the panel and already highlighted by the intelligence team, Koley stated that the panel uses a .onion domain, allowing the affiliate to organize and manage targets and chat rooms, view access logs, automatically respond when offline, and create private blog pages.

Source: https://github.com/crocodyli/ThreatActors-TTPs

Ransom Notes (4)
readme_[id]_2.txt: Ransomhub - readme [id] 2
Hello!

Visit our Blog: 
    Tor Browser Links:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/
    Links for normal browser:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/


>>> Your data is stolen and encrypted.

If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.



>>> If you have an external or cloud backup; what happens if you don’t agree with us?

All countries have their own PDPL (Personal Data Protection Law) regulations. In the event that you do not agree with us, information pertaining to your companies and the data of your company’s customers will be published on the internet, and the respective country’s personal data usage authority will be informed. Moreover, confidential data related to your company will be shared with potential competitors through email and social media. You can be sure that you will incur damages far exceeding the amount we are requesting from you should you decide not to agree with us.



>>> How to contact with us? 

- Install and run 'Tor Browser' from https://www.torproject.org/download/
- Go to http://cki3klxqycazagx3r5prae3nmfvxmwa34beknr3il4uf76vxd76akqid.onion/
- Log in using the Client ID: [snip]


>>> WARNING

DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.


This link (TOR) is your private blog link. Right now it is only available to you but in 72 hours if you don't get in touch it will be published on our platform and will be seen by thousands of journalists: ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/[snip]/
Recent Victims (844 total)
Victim | Country | Industry | Date
intellioan.com | US | Financial Services | Mar 31, 2025
jackpotjunction.com | US | Hospitality and Tourism | Mar 31, 2025
europtec.com | DE | Technology | Mar 31, 2025
delta-life.com | DE | Financial Services | Mar 31, 2025
www.assisi.nl (assisi.nl) | NL | Healthcare
readme_[id]_3.txt: Ransomhub - readme [id] 3
We are the RansomHub.

Your company Servers are locked and Data has been taken to our servers. This is serious. 

Good news:
- your server system and data will be restored by our Decryption Tool;
- for now, your data is secured and safely stored on our server;
- nobody in the world is aware about the data leak from your company except you and RansomHub team;

FAQs:
Who we are?
- Normal Browser Links: https://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/
- Tor Browser Links: http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/

Want to go to authorities for protection?
- Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent,After the incident report is handed over to the government department, you will be fined <This will be a huge amount,Read more about the GDRP legislation:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>,The government uses your fine to reward them.And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!

Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party "specialists"?
- they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed;  

Think your partner IT Recovery Company will do files restoration? 
- no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our servers and we can publish it at any time; 
  as well as send the info about the data breach from your company servers to your key partners and clients, competitors, media and youtubers, etc. 
  Those actions from our side towards your company will have irreversible negative consequences for your business reputation.

You don't care in any case, because you just don't want to pay? 
- We will make you business stop forever by using all of our experience to make your partners, clients, employees and whoever cooperates with your company change their minds by having no choice but to stay away from your company. 
  As a result, in midterm you will have to close your business. 

So lets get straight to the point.

What do we offer in exchange on your payment:
- decryption and restoration of all your systems and data within 24 hours with guarantee;
- never inform anyone about the data breach out from your company;
- after data decryption and system restoration, we will delete all of your data from your servers forever;
- provide valuable advising on your company IT protection so no one can attack your again.

Now, in order to start negotiations, you need to do the following: 
- install and run 'Tor Browser' from https://www.torproject.org/download/
- use 'Tor Browser' open http://pod4gkypkd6kykwoht3kioehhpoh4k75ybdfoe6q7hqbphrd77b32jqd.onion/
- enter your Client ID: [snip]

There will be no bad news for your company after successful negotiations for both sides. But there will be plenty of those bad news if case of failed negotiations, so don't think about how to avoid it.
Just focus on negotiations, payment and decryption to make all of your problems solved by our specialists within 1 day after payment received: servers and data restored, everything will work good as new.

************************************************
readme_[id]_4.txt: Ransomhub - readme [id] 4
We are the RansomHub.

Your company Servers are locked and Data has been taken to our servers. This is serious. 

Good news:
- your server system and data will be restored by our Decryption Tool;
- for now, your data is secured and safely stored on our server;
- nobody in the world is aware about the data leak from your company except you and RansomHub team;

FAQs:
Who we are?
- Normal Browser Links: https://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/
- Tor Browser Links: http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/

Want to go to authorities for protection?
- Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent,After the incident report is handed over to the government department, you will be fined <This will be a huge amount,Read more about the GDRP legislation:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>,The government uses your fine to reward them.And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!

Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party "specialists"?
- they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed;  

Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. 
- We are well aware of cases where recovery companies tell you that the ransom price is xxx dollars, but in fact they secretly negotiate with us for xxx dollars, so they earn xxx dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is xxx dollars.

Think your partner IT Recovery Company will do files restoration? 
- no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our servers and we can publish it at any time; 
  as well as send the info about the data breach from your company servers to your key partners and clients, competitors, media and youtubers, etc. 
  Those actions from our side towards your company will have irreversible negative consequences for your business reputation.

You don't care in any case, because you just don't want to pay? 
- We will make you business stop forever by using all of our experience to make your partners, clients, employees and whoever cooperates with your company change their minds by having no choice but to stay away from your company. 
  As a result, in midterm you will have to close your business. 


So lets get straight to the point.

What do we offer in exchange on your payment:
- decryption and restoration of all your systems and data within 24 hours with guarantee;
- never inform anyone about the data breach out from your company;
- after data decryption and system restoration, we will delete all of your data from our servers forever;
- provide valuable advising on your company IT protection so no one can attack your again.

Now, in order to start negotiations, you need to do the following: 
- install and run 'Tor Browser' from https://www.torproject.org/download/
- use 'Tor Browser' open http://dd4djzr2ywfcox3zfvpkpyh3b657hsdwpwv5cfkmdfde2lr3fpz6spad.onion/
- enter your Client ID: 

There will be no bad news for your company after successful negotiations for both sides. But there will be plenty of those bad news if case of failed negotiations, so don't think about how to avoid it.
Just focus on negotiations, payment and decryption to make all of your problems solved by our specialists within 1 day after payment received: servers and data restored, everything will work good as new.

************************************************
readme_[id].txt: Ransomhub - readme [id]
Hello!

Visit our Blog: 
    Tor Browser Links:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/
    Links for normal browser:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/


>>> Your data is stolen and encrypted.

If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.



>>> If you have an external or cloud backup; what happens if you don’t agree with us?

All countries have their own PDPL (Personal Data Protection Law) regulations. In the event that you do not agree with us, information pertaining to your companies and the data of your company’s customers will be published on the internet, and the respective country’s personal data usage authority will be informed. Moreover, confidential data related to your company will be shared with potential competitors through email and social media. You can be sure that you will incur damages far exceeding the amount we are requesting from you should you decide not to agree with us.



>>> How to contact with us? 

- Install and run 'Tor Browser' from https://www.torproject.org/download/
- Go to http://davtdavm734bl4hkr3sr4dvfzpdzuzei2zrcor4vte4a3xuok2rxcmyd.onion/
- Log in using the Client ID: [snip]


>>> WARNING

DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
Mar 29, 2025
phaus.us&phakr.com&phabodysystems.com | US | Media and Entertainment | Mar 28, 2025
www.bassi.it (bassi.it) | IT | Technology | Mar 28, 2025
www.allmilmoe.com (allmilmoe.com) | DE | Manufacturing | Mar 28, 2025
brattenelectrictn.com | US | Manufacturing | Mar 27, 2025
www.hongthongrice.com (hongthongrice.com) | TH | Agriculture and Food Production | Mar 26, 2025
www.fkm-elemente.de (fkm-elemente.de) | DE | Manufacturing | Mar 26, 2025
conterra.com | DE | Technology | Mar 26, 2025
www.DSelectrical.com (DSelectrical.com) | US | Construction | Mar 26, 2025
www.carolinaac.com (carolinaac.com) | US | Consumer Services | Mar 25, 2025
www.garbinc.com (garbinc.com) | US | Manufacturing | Mar 25, 2025
www.mododoc.com (mododoc.com) | US | Consumer Services | Mar 25, 2025
www.argentosc.com (argentosc.com) | AR | Manufacturing | Mar 25, 2025
www.ripplejunction.com (ripplejunction.com) | US | Consumer Services | Mar 25, 2025
www.creativelogisticservices.com (creativelogisticservices.com) | US | Transportation/Logistics | Mar 25, 2025
www.afnigc.ca (afnigc.ca) | CA | Public Sector | Mar 25, 2025