RansomHub, a relatively newer player in the ransomware-as-a-service (RaaS) landscape, is experiencing significant internal turmoil after affiliates suddenly lost access to negotiation chat portals on April 1st, 2025.<\/p>\n
This disruption has forced affiliates to redirect victim communications to alternative platforms, including those belonging to competing ransomware groups, creating confusion in ongoing extortion attempts and potentially threaten ransom payments in progress.<\/p>\n
The group initially gained prominence in early 2024 by offering particularly favorable payment terms to attract skilled affiliates.<\/p>\n
Unlike many competitors, RansomHub implemented a business model that directed ransom payments either directly to affiliates or split them at the point of transaction, significantly reducing the risk of \u201cexit-scamming\u201d \u2013 a common problem where RaaS administrators keep entire ransoms and abandon their affiliates.<\/p>\n
GuidePoint Security\u2019s Research and Intelligence Team (GRIT) researchers identified<\/a> the first signs of trouble on the morning of April 1st when multiple client chat portals used for ransomware negotiations suddenly went offline.<\/p>\n Intelligence sharing partners confirmed similar disruptions across RansomHub\u2019s infrastructure, pointing to widespread internal conflict rather than isolated technical issues.<\/p>\n The impact extends beyond the criminal organization itself, creating uncertainty for victims currently engaged in negotiations.<\/p>\n Organizations facing RansomHub<\/a> ransom notes now face additional complications, as communication channels have become unreliable and the group\u2019s ability to provide decryption tools is increasingly questionable.<\/p>\n Adding another layer of complexity to the situation, competing RaaS<\/a> operator DragonForce made a public claim on April 2nd that RansomHub had \u201cdecided to move to their infrastructure\u201d under \u201ca new option from The DragonForce Ransomware Cartel\u201d.<\/p>\n This announcement appeared on the RAMP forum, where it prompted immediate skepticism from users, with some questioning if RansomHub had been \u201ctaken down\u201d by DragonForce.<\/p>\n The ambiguity surrounding this claim was further highlighted when DragonForce requested that RansomHub \u201cconsider [their] offer,\u201d suggesting the announcement may have been premature or possibly a form of opportunistic marketing during RansomHub\u2019s moment of vulnerability.<\/p>\n Evidence of this appears, where DragonForce demonstrates what they claim to be a new RansomHub affiliate portal.<\/p>\n A user named \u201cHexcat\u201d directly requesting clarity for RansomHub affiliates, underscoring the confusion prevalent among the criminal ecosystem\u2019s participants.<\/p>\n This instability mirrors patterns seen in other prominent ransomware groups that collapsed due to internal conflicts, including Conti (Russia-Ukraine disagreements), Alphv (affiliate exit-scamming), and Black Basta<\/a> (targeting disputes).<\/p>\n Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, &\u00a0X<\/a>\u00a0to Get Instant Updates!<\/strong><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgcYYKadqDRaRz1BziJ68M-k7DBrxXsyUH_5vZm12fXukoZcWsQiQQPZWODDiMn3MO6rtsZU_TbpXIPlsg8xwJNMK_mKGDxC4f-KebUHt24oomHptUuQVF-aZGS9IaIrnagBTSuubXg9ndUQkN8Ili41KMVWSMegu8QE9sZvq4LELn8pe9vArmFQcYoXRA\/s16000\/DragonForce%2520demonstrates%2520an%2520alleged%2520new%2520RansomHub%2520affiliate%2520portal%2520%28Source%2520-%2520Guidepointsecurity%29.webp?ssl=1\")
The DragonForce Connection<\/strong><\/h2>\n
Also Read:<\/strong><\/h3>\n