#StopRansomware: RansomHub Ransomware
ID: ed578b5a-0fb0-586e-b1b8-f92c61e1b06a
STIX ID: report--ed578b5a-0fb0-586e-b1b8-f92c61e1b06a
Feed Name: CISA Cybersecurity Advisories
This joint FBI/CISA/MS-ISAC/HHS advisory describes RansomHub, a ransomware-as-a-service operation (formerly known as Cyclops and Knight) active since February 2024 that has impacted at least 210 victims across multiple critical infrastructure sectors. The report documents RansomHub affiliates' TTPs, including phishing, exploitation of known vulnerabilities (several CVEs are listed), password spraying, credential theft with Mimikatz, lateral movement over RDP, PsExec and Cobalt Strike, data exfiltration methods, and encryption behavior based on Curve25519 elliptic-curve cryptography. It provides extensive IOCs (IP addresses, URLs, file paths, email addresses) alongside defensive mitigations and incident response guidance.
