Do Son 
ESXi Locker panel for affiliates
The sudden disappearance of the online infrastructure belonging to one of the most prolific ransomware groups, RansomHub, has sent ripples across the cybercriminal underworld. Since April 1, 2025, the group’s resources have become inaccessible without explanation, sparking concern among its affiliates and prompting some to migrate to rival operations. According to Group-IB, a marked surge in activity has been observed on the Qilin leak platform since February, suggesting a possible exodus of former RansomHub operatives.
RansomHub emerged in February 2024 and quickly ascended to prominence, filling the void left by the takedowns of LockBit and BlackCat. Its appeal lay in a flexible financial model and a multi-platform encryptor based on the Knight project (formerly Cyclops). This ransomware was capable of targeting systems running Windows, Linux, FreeBSD, and ESXi, supporting x86, x64, and ARM architectures. It deliberately bypassed organizations in the CIS region, as well as those in Cuba, North Korea, and China, encrypting both local and networked file systems via SMB and SFTP protocols.
The RansomHub control panel offered affiliates a wide array of capabilities — from customization options to the creation of individual accounts. In 2024, members were also provided with a “Killer” module designed to disable security software through vulnerable drivers, although its use was eventually discontinued due to high detection rates. Furthermore, the group’s campaigns were linked to the malicious SocGholish JavaScript, which was disseminated via compromised WordPress sites and delivered a Python-based backdoor.
In November, affiliates were officially forbidden from targeting government entities, a decision justified by elevated risk and low profitability. Despite such attempts to enforce discipline, infrastructural issues triggered significant unrest among partners. According to GuidePoint Security, a post by DragonForce appeared on the dark web forum RAMP, announcing that RansomHub had migrated to their platform as part of a new alliance — the DragonForce Ransomware Cartel.
Similar realignments were observed among other actors. BlackLock, previously targeted by DragonForce, is now collaborating with them. Secureworks CTU notes that DragonForce is pioneering a new model — offering infrastructure and tools without mandating the use of proprietary malware, thereby allowing affiliates to launch operations under their own “brands.”
Simultaneously, a wave of new threat groups has surged into view. Anubis, which surfaced in February 2025, eschews encryption altogether, opting instead to extort victims by publishing “investigations” based on stolen data. ELENOR-corp, a Mimic-derived variant, specializes in attacks on healthcare institutions using a Python utility that exfiltrates clipboard contents, employs advanced obfuscation, and modifies system recovery policies.
Other emerging threats include CrazyHunter, which leverages the open-source tool ZammoCide to bypass defenses; Elysium, a reengineered version of Ghost that disables services and backup systems; and FOG, which distributes malicious ZIP archives disguised as communications from U.S. government agencies. Hellcat gains access to networks via undisclosed vulnerabilities in Atlassian Jira, while Hunters International has adopted a new “World Leaks” model centered on data breaches. Interlock employs a multi-stage delivery chain involving backdoors and malware payloads, and Qilin has intensified phishing operations by spoofing ScreenConnect alerts to compromise MSP clients.
Even after high-profile takedowns like that of LockBit, the cybercriminal landscape shows no signs of retreat. Instead, it is evolving — toward greater fragmentation, flexibility, and novel modes of collaboration. Ransomware groups continue to adapt to external pressures, including law enforcement actions, underscoring the enduring nature of the threat and the urgent need for continuously evolving defensive strategies.
