RansomHub (also tracked as Knight Ransomware Overlap, Cyclops Ransomware Overlap, and MITRE ATT&CK G1058) is one of the most operationally consequential newer ransomware operations of 2024: a financially motivated organized cyber-criminal cluster, operating predominantly from Russia and adjacent post-Soviet states, that emerged in February 2024. The cluster has documented operational overlap with the earlier Knight ransomware (active 2023) and Cyclops ransomware operations, and current vendor consensus treats RansomHub as either an operation evolved from the Knight codebase or a successor brand with overlapping personnel. Per the joint CISA, FBI, HHS and MS-ISAC cybersecurity advisory of August 29, 2024, the cluster has compromised 210+ organizations across multiple US critical infrastructure sectors since February 2024.
The cluster's most distinctive business-model signature is its 90% affiliate revenue split, versus the conventional 70-80% affiliate cut on competing ransomware-as-a-service operations. This affiliate-favorable split was operationally consequential: it contributed substantially to rapid affiliate recruitment following the March 5, 2024 ALPHV / BlackCat exit-scam, and represents one of the most consequential business-model innovations in the publicly tracked ransomware-as-a-service ecosystem. Disaffected ALPHV / BlackCat affiliates migrated to RansomHub to continue monetizing their operations, notably including the Scattered Spider-affiliated operator who had executed the Change Healthcare operation and been cheated out of their share by ALPHV's exit-scam.
The cluster's most distinctive single operation was the Change Healthcare data publication (April 2024). In the March 5, 2024 exit-scam, ALPHV administrators kept the affiliate's cut of the $22M USD Bitcoin ransom paid by Change Healthcare; the affected Scattered Spider-affiliated operator then migrated to RansomHub and brought the previously stolen Change Healthcare data along.
RansomHub published the Change Healthcare data on its leak site in April 2024, effectively double-extorting the same victim even though UnitedHealth Group had already paid the original $22M USD ransom to ALPHV. This double-extortion pattern was unprecedented in the publicly tracked record: payment to ALPHV did not prevent subsequent publication of the same data by RansomHub, undermining one of the core arguments for ransom payment (that payment guarantees the data will not be published). The cluster operates a sustained operational partnership with Scattered Spider (already covered as scattered_spider.yaml) following Scattered Spider's migration from ALPHV / BlackCat to RansomHub in mid-2024.
The partnership continues the broader Scattered Spider operational model of acting as an affiliate to various ransomware-as-a-service brands rather than maintaining a dedicated ransomware operation of its own. High-profile documented RansomHub victims include Christie's auction house (May 2024 attack disrupting Christie's online bidding ahead of major spring auctions), Frontier Communications, US telecommunications (June 2024), Halliburton, US oilfield services (August 2024), Kawasaki Motors Europe (September 2024), Patelco Credit Union (July 2024), Bologna FC, Italian Serie A football club (January 2025), and hundreds of additional commercial and government-sector targets. RansomHub became the most prolific ransomware-as-a-service operation by reported victim count for portions of mid-to-late 2024, after the LockBit Operation Cronos disruption (February 2024) and the ALPHV / BlackCat exit-scam (March 2024) together created a market gap that RansomHub's affiliate-favorable revenue split positioned the cluster to fill.
A handful of operational notes: First, the cluster is one of the most analytically interesting recent developments in the publicly tracked ransomware ecosystem. The combination of LockBit's operational degradation (Operation Cronos, February 2024), the ALPHV / BlackCat operator exit-scam (March 5, 2024), and RansomHub's affiliate-favorable business model (February 2024 onward) amounted to a substantial mid-2024 reorganization of the ransomware-as-a-service affiliate ecosystem, with disaffected affiliates migrating to RansomHub. The pattern illustrates market-dynamics-driven evolution of the cluster ecosystem and is a meaningful operational-doctrine data point on how counter-ransomware operations and operator misbehavior can drive ecosystem-level reorganization.
Second, the Change Healthcare double-extortion case is one of the most significant data points for ongoing counter-ransomware policy discussion. It demonstrates that ransom payment does not guarantee data non-publication when operator-affiliate disputes (or operator exit-scams) cause stolen data to migrate between cluster brands. The pattern undermines one of the core arguments for ransom payment and should inform corporate threat modeling for ransomware victim response.
Third, no formal individual-operator attribution at the named-Russian-national tier has been publicly issued for RansomHub administrators, consistent with the broader absence of named-individual attribution for Cl0p, ALPHV / BlackCat, Black Basta, Akira, Play, Medusa, Rhysida, Royal / BlackSuit, and several other contemporary cybercrime clusters. Among the major contemporary cybercrime clusters covered in this corpus, only LockBit (Khoroshev), Evil Corp (Yakubets / Turashev), and FIN7 (Dunaev / Hladyr / Kolpakov / Witte) have received formal named-Russian-national-tier attribution.
Fourth, the cluster's continued operations through 2025 illustrate that the broader Russian-speaking organized cybercrime ecosystem has demonstrated substantial resilience and adaptability across major operational disruptions (LockBit Operation Cronos, the ALPHV / BlackCat exit-scam, ContiLeaks, BlackBastaLeaks).
Defender threat modeling for ransomware operations should treat the broader ecosystem as a continuing operational threat that changes brand identities, rather than treating individual cluster disruptions as operational pauses.