RansomSnub: RansomHub’s Affiliate Confusion
Executive Summary
Since RansomHub’s emergence in early 2024, the group has become the most prolific Ransomware-as-a-Service group operating today. In the process, RansomHub has replaced long-time frontrunners LockBit and Alphv, after LockBit experienced heavy setbacks from law enforcement disruption and Alphv dissolved after “exit-scamming” an affiliate for millions of dollars. RansomHub initially attracted experienced affiliates with favorable RaaS/Affiliate ransom payment splits, and by either directing ransom payments directly to the affiliate or splitting ransom payments at the point of transaction. This reduced the risk to affiliates of “exit-scamming,” in which the RaaS group keeps the entirety of the ransom and refuses to pay the affiliate. The goal of both was almost certainly to assure affiliates that they would not be “scammed” or taken advantage of by the RaaS group’s administrators.
Despite this, GRIT has observed a series of internal disagreements and disunity that could threaten RansomHub’s viability in the long term, and which has undoubtedly introduced volatility in the near term. While information continues to emerge, we cannot help but note the irony of a group which rose to prominence by promising stability and security for affiliates appearing to have failed or betrayed those same affiliates within a year.
In this blog we’ll examine the impetus of this behavior, potential explanations, and why this behavior stands out against the norm.
Affiliate Unrest
Our earliest indication that issues may be emerging within RansomHub appeared during the morning of April 1st, 2025, when several of RansomHub’s client chat portals – which are used for ransomware negotiations – inexplicably went offline. Several of our intelligence-sharing partners also observed and reported similar infrastructure issues. Further discussion and collection led us to assess that RansomHub’s administrators were weathering internal conflict with an unknown number of affiliates. In the process, frustrated RansomHub affiliates were diverting their communications with victims onto other non-RansomHub platforms – including the chat platforms of other ransomware groups. We assume that in at least some of these cases, this represented ransomware groups that the affiliate either formerly belonged to or operated with concurrently.
The result was a high degree of confusion and uncertainty among RansomHub affiliates and the victims they were negotiating with, who inexplicably faced warning messages and new contact information from the affiliates regardless of how far along the negotiation process was.
This affiliate confusion has been echoed by users on the illicit forum RAMP, which has been used to facilitate recruitment and advertising for RaaS operations in recent years. A self-proclaimed affiliate under the moniker “hexcat” expressed their concern with the lack of clarity from RansomHub on April 3rd, 2025:
[Figure: Discussion between potential RansomHub affiliates on the RAMP forum]
A spokesperson for RansomHub, under the moniker “koley,” who we previously identified in our reporting on RansomHub’s initial recruitment efforts in March of 2024, has not made any public statements on RAMP to address the concerns. At the time of writing, RansomHub’s data leak site and chat infrastructure have been inactive since March 31st. To further complicate an already complex situation, on April 2nd, 2025, shortly after RansomHub’s chat sites began to experience downtime, the competing RaaS group “DragonForce” claimed that RansomHub had “decided to move to their infrastructure” under “a new option from The DragonForce Ransomware Cartel.”
Further muddying the waters, DragonForce goes on to request in their post that RansomHub “consider [their] offer,” leaving it unclear whether the move is actual or proposed, and whether such actions were concomitant or unilateral. We cannot rule out the possibility that the posts represent a form of “trolling” or opportunistic advertising on the part of DragonForce. Mergers and realignments of affiliates between different RaaS groups are not new, and we have observed and reported on joint efforts by disparate groups in the past.
Shortly after this announcement by DragonForce on RAMP, users began asking if RansomHub had been “taken down” by DragonForce. DragonForce has previously taken down and impacted the former BlackLock ransomware group. On April 3rd, 2025, “hexcat” alleged on RAMP that RansomHub had “joined forces” with DragonForce, and asked what the future would hold for RansomHub’s affiliates.
These discussions on the RAMP forums highlight the uncertain environment that RansomHub affiliates appear to be in at the moment, seemingly unaware of the group’s status and their own status amidst a potential “Takeover.” Overall, relevant users posting on RAMP seem to view DragonForce negatively and have expressed vague threats against the group as these events have unfolded.
No matter how much financial success we’ve seen ransomware groups achieve, the desire for more seems to be insatiable, inevitably leading to internal conflicts, disagreements, and backstabbing in the pursuit of greater individual profit. In the past, such disagreements and infighting have led to the downfall of some of the most prolific ransomware groups – including Conti, which fell apart amid disagreement on the Russia-Ukraine conflict; Alphv, which dissolved after exit-scamming an affiliate; and Black Basta, which appears to have ceased operations after internal conflict on targeting of Russian organizations.
It remains to be seen whether this instability will spell the beginning of the end for RansomHub, though we cannot help but note that the group that rose to prominence by promising stability and security for affiliates may now have failed or betrayed affiliates on both counts. As this situation is still actively developing, we’ll continue to update this blog as new details are revealed. In the meantime, organizations that find themselves reviewing a ransom note from RansomHub may do well to further scrutinize any communications with alleged affiliates or administrators of RansomHub and consider the viability of independent recovery in case of the group’s further disruption.
Happy Hunting,
GRIT