
Masked Actors
True crime meets cybercrime. Discover the people behind the keyboard.
From Ransomware-as-a-Service (RaaS) gangs to global financial crime syndicates, the rise of sophisticated cyber threats is reshaping the world. These aren’t lone hackers — they’re organized groups running multi-million dollar operations in the shadows.
In the Masked Actors podcast, cyber threat expert and former soldier turned hacker Gary Ruddell joins forces with Nick Palmer, a seasoned financial crime fighter, to investigate the top 10 most dangerous cybercriminal groups of 2025 — drawn from Group-IB’s High-Tech Crime Trends Report.
Each episode explores the tactics, motivations, and impact of major cybercrime groups, uncovering their role in the latest cybercrime, RaaS, and financial crime trends. You’ll learn how these actors exploit vulnerabilities, fuel geopolitical tension, and affect businesses and consumers alike.
Tune in to Masked Actors — and stay one step ahead of cybercrime.
RansomHub: From RaaS Kingpin to Cartel Mystery
When RansomHub, one of the most prolific ransomware groups, vanished overnight back in April, it sent shockwaves through the cybercriminal underworld. With over 600 global attacks and millions extorted, their sudden disappearance left affiliates scrambling and researchers asking: what happened?
Join Group-IB’s Gary Ruddell and Nick Palmer as they speak with Pietro Albuquerque, a threat intelligence analyst at Group-IB and a leading expert on RansomHub, to unpack the rise and fall of this ransomware cartel. They explore how RansomHub’s affiliate-friendly model disrupted the RaaS market, why its tactics proved so effective, and where its members may have gone.
From double extortion to underground job markets, this episode reveals the hidden mechanics of ransomware operations and what businesses must do to stay ahead of the next wave.
By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.
Subscribe now to meet these Masked Actors — and stay one step ahead in the fight against cybercrime.
Episode links:
Group-IB's Top 10 Masked Actors
RansomHub ransomware-as-a-service
RansomHub Never Sleeps: The evolution of modern ransomware
Ransomware debris: an analysis of the RansomHub operation
Ransom notes from the most active groups
Imagine you're at work tapping away at an email when suddenly you get a message that changes everything. It's a note that tells you your company's servers have been breached and your data stolen and encrypted. The note goes on to deliver the good news that your data is, for now, secure and that nobody knows about the breach. It warns against reaching out to the authorities for help and says that any action will have irreversible negative consequences for your business, including the publication of the stolen data and details of the hack. The solution, you read, is really quite simple. You have to pay up. Pay the ransom and the problem goes away in 24 hours, guaranteed. Before April of this year, that ransom note might be signed by one of the most prolific gangs of online extortionists around the globe, a group responsible for over 600 attacks and multi-million dollars of stolen money. But then they vanished. Their web pages went dark, their thriving ransomware operation vanished overnight, and their members scattered to rival groups across the dark web. Now there are two questions on everyone's lips. What does that mean for the ransomware marketplace, and what exactly happened to the cybercriminal group codenamed RansomHub?
SPEAKER_01:Alright, let's dive right into this episode. So we have an exciting guest joining us this week: cyber threat intelligence analyst and Group-IB's RansomHub expert, Pietro. Pietro, now you've been close to the ground on this one, I know it. You're our ransomware expert, so you're working as part of the cyber threat intelligence team investigating RansomHub's operations and delivering crucial updates and information to help fight back against this prominent ransomware-as-a-service group. We're pleased that you've joined us to share your insights. Let's first get into some of the basics. Can you tell us a little bit about the origins of RansomHub? When did Group-IB or you become aware of them?
SPEAKER_02:Thanks, Nick. Thanks, Gary, for having me here. Really happy to be here. The first time we heard about RansomHub was in February of last year, when they first published the partnership program on the RAMP forum. But one of the accounts used by the RansomHub admin, called Collie, was created in this forum in May 2023. The group RansomHub may have started even before the first victim was published in the idea of us. The origin of RansomHub is quite confusing. A lot of people think that RansomHub is a rebrand of BlackCat, and there are some reasons for that. The first one is because the partnership program of RansomHub was published right after BlackCat exit scammed. The second reason is because one of the victims, a big company that was published in the RansomHub DLS, was previously published in the BlackCat DLS. In addition to that, we also have some common features in the ransomware, like a feature that modifies scene links in the RansomHub ransomware that is also available in the BlackCat ransomware. And also some instructions that we found in the affiliate panel of RansomHub are present in the BlackCat affiliate panel. RansomHub may have been created by Nochi, which was a former BlackCat affiliate. But of course, it's still confusing, but I think that's the best theory. I do not think that RansomHub was a rebrand of BlackCat, but a group created by former BlackCat affiliates and Knight ransomware developers.
SPEAKER_00:And RansomHub is a ransomware-as-a-service provider, right? If I was to try and join this thing, what would that look like? What sort of things would they give me to then enable me to go and carry out attacks?
SPEAKER_02:Yeah, it's important to distinguish affiliates from ransomware-as-a-service groups. Ransomware-as-a-service groups are those who provide resources to criminals to encrypt data, to extort companies and to negotiate with the companies. But because there are a lot of ransomware groups, ransomware-as-a-service operations may eventually provide additional resources like killers, which is a kind of tool that they use to bypass detection and some security solutions. Some of them may provide DDoS, or you can even call a victim right from the affiliate panel. The resources that RansomHub provided to their affiliates were the ransomware, the DLS, the affiliate panel, where they could configure and build the ransomware, and also some killers that were able to bypass some security solutions and also some post-exploitation tools. The ransomware developed by RansomHub is very similar to most of the ransomware we see nowadays. I mean, you see features like killing processes, stopping services. They're able to use techniques like pass the hash, pass the ticket, and stuff like that. But there was one special feature in the RansomHub ransomware, which was the feature that allowed criminals to encrypt data via the SFTP protocol. So that was a feature that I've never ever seen before. There are some other groups like Qilin that also provide some features in the ransomware which allow remote data encryption, but they do not use SFTP. So that was the first time I saw that.
SPEAKER_00:And it's reported that RansomHub is the biggest ransomware-as-a-service operator, bigger than LockBit. How did they pull that off in such a short time?
SPEAKER_02:In 2024, because of the amount of companies that were disclosed in the RansomHub DLS, we can say that it was much bigger than the amount of companies published on the LockBit DLS. But I do not think that RansomHub was a special and great ransomware-as-a-service operation. The thing is that when they emerged, LockBit was impacted by a law enforcement operation called Operation Cronos. So that's one of the reasons why they became such a big ransomware-as-a-service operation with a lot of affiliates. But there are some additional reasons I would like to mention here. One of them is because the BlackCat and LockBit ransomware operations were impacted by law enforcement operations and exit scammed. So they emerged at the right moment, in the middle of the chaos, when LockBit and BlackCat were facing this kind of problem. The second reason is, as I mentioned before, right after RansomHub emerged, they leaked data of a big company that was previously published in the BlackCat DLS. So they gained a lot of attention. A lot of people started talking about RansomHub. So for obvious reasons, those affiliates that previously worked with BlackCat and LockBit thought that RansomHub could be a good group to move to and start working with. Some additional reasons: because of the exit scams from BlackCat and also from NoEscape, RansomHub allowed affiliates to use their own crypto wallets. So affiliates somehow felt like they could trust RansomHub, because probably they would not steal their money, since the ransom payment was received right in the affiliate's crypto wallets. And also because the affiliates had to pay only a 10% fee to the RansomHub group. As you know, every time you join a ransomware-as-a-service operation, of all the money that you get from the victims, you need to give like 10%, 20% of that payment to the ransomware-as-a-service group that provides the resources to the affiliates.
And in the case of RansomHub, affiliates had to pay only 10% as a fee. So it was, at that time, the lowest fee I've ever seen from a ransomware group. And for obvious reasons, a lot of affiliates moved to RansomHub because they wanted to gain a lot of money and pay as little as they could. And I think there is something else. Like, I've heard from a lot of RansomHub affiliates that the ransomware was good. The ransomware was fast. It had some cool features like that one I mentioned: they were able to encrypt data via SFTP, and so on and so on. And the last thing I would like to say about why RansomHub became such a big ransomware-as-a-service operation and could recruit a lot of criminals is because they created a narrative based on what the RansomHub admin called LockBit and BlackCat mistakes. So all that stuff about exit scams, the problems that LockBit faced because of the law enforcement operation, and so on and so on. So the RansomHub admin posted a lot of stuff in the RAMP forum talking about their mistakes and said like, look, you will not face this kind of problem with us. We are a great group and we will not make such mistakes like those that LockBit and BlackCat did. So I think that's one of the reasons why they became such a big group.
SPEAKER_01:One of many reasons, it seems, that this franchise model is really working out for RansomHub. So Pietro, can you tell us a little bit about who the RansomHub targets were?
SPEAKER_02:RansomHub, as their affiliates, are financially motivated threat actors. So they do not focus on a specific country or region or industry. But because of the law enforcement operations that happened in the last year and late in 2023 that affected BlackCat, I've noticed that a lot of ransomware affiliates started attacking critical infrastructure, like healthcare, hospitals, and this kind of organizations. So the same happened with RansomHub. The amount of healthcare organizations that they attacked was really impressive, because the affiliates believed that by attacking critical infrastructure, the likelihood for the victims to pay the ransom was much higher. So that's why nowadays we see a lot of attacks against healthcare organizations and this kind of company. As most of the ransomware-as-a-service groups, they did not allow affiliates to attack countries like Russia, Ukraine, and all of those countries that were part of the Soviet Union. And also they didn't allow affiliates to attack North Korea, Cuba, and some other countries. It's really hard to explain why they do not attack these countries, but maybe there are some political reasons why they do not do it. But ransomware group admins do not have any control over what affiliates will attack. They can have these rules, but an affiliate can eventually attack a Russian company, or attack a company in Brazil if they do not allow you to attack Brazil, for example. Qilin, for example, has the same, very similar rule. Qilin does not allow their affiliates to attack a BRICS country. But they may eventually attack a company in a BRICS country. So they do not have any control over it. And the ransomware can be run on any computer. So they do not check languages, the country of the IP address of the victim. So yeah, even though they have rules, they do not have any control over the affiliates.
SPEAKER_01:Yeah, I suppose there are more guidelines at this point than rules and really interesting to see them targeting critical infrastructure and healthcare. So talk to us a little bit about the impact from RansomHub?
SPEAKER_02:A lot of people may know that some threat actors, like those involved with Scattered Spider and some other big groups, joined RansomHub. In addition to the amount of companies that they published in the DLS, they attacked really big companies. So I think that the impact that RansomHub made on companies all over the world was really big.
SPEAKER_00:And where is RansomHub today?
SPEAKER_02:That's a hard question to answer. There are some theories that RansomHub may have joined DragonForce. A lot of people know that DragonForce advertised something that they called a ransomware cartel, even though that's not the first time that we see this kind of stuff. Some time ago, in 2021, they also tried to do the same, like to create a ransomware cartel and work together. But even though there is such a theory that RansomHub may have joined DragonForce, or even that DragonForce attacked RansomHub, I do not think that either of them is true. The truth is that there is no evidence of what happened to RansomHub. Some criminals think that DragonForce may be a rebrand of RansomHub. And even though the RansomHub admin said a lot of bad things about DragonForce on the RAMP forum, maybe it's just to create confusion so that people will not think that DragonForce is a rebrand of RansomHub. There is no evidence of what happened to RansomHub or where they are now.
SPEAKER_00:If someone did take them down, who do you think that would have been?
SPEAKER_02:As I mentioned, some people think that DragonForce attacked RansomHub, because there is some evidence that DragonForce already attacked some other ransomware groups. But there is some interesting information that we found in the RansomHub affiliate panel. The admin of RansomHub reported at least three of what they call technical issues, incidents in the infrastructure. The admin didn't mention any attack, any pen test, exploitation of a vulnerability or something like that. But that's very, very strange, very, very strange, even though we do not know who did that. Either it was law enforcement, or maybe DragonForce, or another ransomware group. But in one of the technical issues that the admin mentioned in the affiliate panel, he said that those who were trying to exploit their system, their affiliate panel, gained access to some decryptors. So he said that they were working on an update of their affiliate panel and the developer did some things wrong, and it allowed those who were trying to exploit the affiliate panel to gain access to some decryptors. The admin said that it didn't impact all the affiliates. I mean, those who gained access to the decryptors didn't get all the decryptors, but only part of them. But that was something that was reported in the affiliate panel that was very strange. And so maybe DragonForce, who knows?
SPEAKER_01:So what does this mean for the businesses that were waiting on a decryptor? They paid their money. They're waiting for the decryptor. What do they do now?
SPEAKER_02:Yeah, as far as I know, there is no decryptor. You know that there is a project called No More Ransom, where law enforcement and security companies upload some decryptors. But as far as I know, there is no decryptor for RansomHub; they just disappeared. Recently, Hunters International said that they're going to close the project, and they told their victims that, look, you can message us and we will provide you with the decryptors. But it didn't happen with RansomHub. So if there is no decryptor and those companies who were attacked do not have any backup, that's really hard to recover the data. Yeah, maybe there's nothing to do unless you have a backup.
SPEAKER_00:The ransomware marketplace as a whole, you know, how are these groups orchestrating hostile takeovers?
SPEAKER_02:We can say even more fragmented, because of a lot of stuff that happened that I mentioned here, really: law enforcement operations, exit scams, and so on and so on. So now we see a very fragmented, it was already a very fragmented ransomware landscape, but now it's an even more fragmented ransomware landscape. So affiliates are leaving big groups like Qilin and DragonForce. Some of them do not trust what they call big groups, because they believe that in the future they may exit scam like BlackCat did, like NoEscape did. So they are leaving these big groups and they are creating their own ransomware operations. Some of them are like ransomware as a service. Some of them are like private groups, so very closed. So they allow only those that they know to join their operation. So I think that's the kind of thing we deal with right now. Very fragmented, but with a lot of groups, a lot of uncertainty and this kind of thing.
SPEAKER_00:How do people move from one group to the other? Is it like, you know, a jobs board, or is it people WhatsApping each other?
SPEAKER_02:It depends. I do not think that they move to the group that offers the best resources, like the best ransomware, the group whose ransomware has the best features. Sometimes they move to a group because their friends work with some specific groups or because they got some good recommendations. Even though the ransomware is not good, they have some problems, but they get some recommendations from some other threat actors. In addition to that, I think it also depends on the, let's say, propaganda that ransomware groups make on open sources like Twitter or on underground forums like RAMP. For example, now if you go and access the RAMP forum, you will see some advertisements of NOVA, which is somehow a new ransomware group, and also some advertisements of Qilin. So they try to make this propaganda. In addition to advertisements, they make some comments on some partnership programs to say, look, we have this group, we have these resources, join us, we are ready to help you. So yeah, a little bit of some recommendations from criminals, a little bit of some propaganda that they see on underground forums. Yeah, that's how they move.
SPEAKER_01:Thanks, Pietro. And they really sound like businesses trying to scale themselves, you know, employees going where their friends are working. So now that RansomHub has disappeared, should businesses still be concerned?
SPEAKER_02:Yeah, sure. RansomHub is just a ransomware-as-a-service provider. So those involved with RansomHub do not conduct any intrusion. Those who conduct intrusions are the affiliates. And it doesn't matter if it's RansomHub, Qilin or LockBit, it really doesn't matter. So that's why companies should care about identifying, attributing the intrusions to the affiliates, understanding their techniques. So those who worked with RansomHub, some of them, I know that they moved to Qilin, for example. So they're still there using the same techniques, very similar modus operandi, the same tools. That's why they should be aware and be concerned.
SPEAKER_01:And I think that's a really key point that you brought up about the affiliates conducting the attacks, the overlaps in the tactics, techniques and procedures. So when you look at it from a business perspective, impacted by RansomHub or similar groups, what are the common weaknesses that you see that could be avoided?
SPEAKER_02:You should patch everything which is vulnerable, of course. But especially devices that provide SSL VPN, and web-based applications like RDWeb, Citrix, and stuff like that, because usually they gain initial access by exploiting vulnerabilities in such devices, especially SSL VPNs. But in addition to that, since the first time we heard about ransomware as a service and partnership programs and affiliates, they use very similar techniques. So you should avoid public-facing RDP and remote services. So what should be available on the internet is only the VPN. So you should connect to the VPN, and once you connect to the VPN, you gain access to the resources of your company. Windows RDP should not, in my humble opinion, be available on the internet. Otherwise, they will brute force, they will try to exploit vulnerabilities in this kind of service. Also, the lack of two-factor authentication. So they perform a lot of brute force based on very weak passwords. So if you do not have two-factor authentication, that's a problem. And in addition to that, we see very bad password policies. They have some word lists that they use to conduct brute force with passwords like admin, admin admin, admin123. So you should not allow such a password. So weak passwords and bad password policies are a very serious problem. They also, I think that there's one thing that should be avoided, which is having the workstations and all of the servers in the same network. If you do not use VLANs, for example, when a criminal gains access to your network, they see everything. That will make it really easy to do some lateral movement. Use a VPN. Please do it. And do not put all the servers and workstations together. What else I think should be avoided? Unpatched, really old vulnerabilities. So I've heard a lot about some hackers that could do some privilege escalation because they could exploit some old vulnerabilities on Windows. So that's the kind of stuff you should avoid.
The lack of offline backup. You may have a backup, but if it's connected to your network, the threat actors may eventually gain access to your backup and also encrypt your backup. So that's why when they are talking about a successful attack, what they mean by that is that the backup has been either encrypted or deleted. You should have an offline backup. Yeah, I think that's all.
SPEAKER_01:So from a defender perspective, is there an overlap in the TTPs that they use from different RaaS operators?
SPEAKER_02:Since the first time we saw this kind of ransomware-as-a-service stuff, they keep using the same techniques. I'm not saying that nothing changes. Of course, things change, but they're doing the same, like brute forcing RDP servers, SSL VPNs. They will always try to exploit vulnerabilities, especially SSL VPNs. They will try to gain initial access to the companies as fast as they can and as easily as they can, because they want to do everything fast to get money fast. If you see a vulnerability in the SSL VPN device, for example, and they can exploit it by exploiting some path traversal or any vulnerability that can lead to remote code execution, or they can upload a web shell, they will do it because that's easy to hack. And as it's easy to hack, that should be better. And in addition to that, we see a lot of intrusions where affiliates gain access via valid accounts. So the source doesn't matter. Sometimes the valid accounts are available on Telegram or underground forums because someone decided to share their logs. So you will see, like, initial access brokers getting that data and selling it on underground forums. You will see that they may eventually buy some credentials, some valid accounts on marketplaces. So valid accounts are a very serious problem, and they keep using this technique. Talking a lot about threat actors, not only Scattered Spider but EncryptHub, for example, and some affiliates of Inc ransomware, that have been conducting intrusions and gaining initial access through social engineering, like vishing, email phishing, and even smishing. So that's a very common technique that they use. In addition to that, we see, like, in the post-exploitation, they dump the hashes, they dump Kerberos tickets, they will try to use techniques like pass the hash, pass the ticket, they will use vulnerable drivers to try to kill some EDR solutions and some other antiviruses.
So that's the kind of technique that we see in intrusions from affiliates of ransomware-as-a-service groups.
SPEAKER_01:Excellent. Thanks a lot, Pietro. When I look at the ransomware landscape, we have the ransomware-as-a-service operators providing the tools, providing the scalability, and we have the affiliates that are actually conducting these attacks against organizations. What do you think should or could be done, speaking specifically about the affiliates?
SPEAKER_02:I think one of the most important things is to understand the mindset of criminals and also to understand the TTPs. As you said, there are some overlaps. So we should understand what are the common techniques that they use, what kind of tools they usually use. Like, you see a lot of PsExec, we see a lot of Mimikatz, we see a lot of BloodHound to exploit Windows domains. So it's really important to understand the common techniques that we see in intrusions from the affiliates and create detection rules based on the behavior of the tools and the techniques that they use. From the threat intelligence perspective, I believe it's really important to conduct human intelligence. What do I mean by that? We should get information from the affiliates. We should infiltrate the groups, because we should know about the vulnerabilities, about the resources that they use, their capabilities, before they attack a company. We should understand how they think, how they choose a victim, why they exploit a specific vulnerability and stuff like that. That's really important to be a lot of steps ahead of the criminals, and we should not be afraid of them. They should be afraid of us.
SPEAKER_01:So, speaking about the future, and you talked about gaining access, gaining knowledge, understanding your adversary. Given the disappearance and the shifts in the ransomware marketplace, what signs are you watching for?
SPEAKER_02:Yeah, in the last blog we published on the Group-IB blog, we noticed that the amount of companies that were published in the Qilin DLS increased in the last three months. So it happened right after RansomHub disappeared. Maybe we have information that some affiliates that previously worked with RansomHub moved to Qilin. Of course, we do not have full visibility of all the affiliates, because RansomHub is not working anymore, at least not under this brand. I think that affiliates will join Qilin, will join DragonForce, because they are big and known ransomware-as-a-service groups, or they may eventually create their own ransomware-as-a-service group. I can give you an example. The VanHelsing ransomware-as-a-service group was a group created by two affiliates that worked with RansomHub. So they do not trust, because of a lot of things that happened, they do not trust big groups. They may eventually join big groups like DragonForce and Qilin, but they may create their own ransomware-as-a-service and private ransomware groups. So that's why I'm saying that in the ransomware landscape we have an even more fragmented scenario. So it's really hard to make attribution during incident response, collecting evidence in incident response and making attribution, because of all of this stuff, an even more fragmented scenario.
SPEAKER_00:Nick, you work with a lot of customers that get impacted in ransomware attacks. What sorts of things should they be doing to protect themselves?
SPEAKER_01:You know, listening to Pietro, he had a lot of great insights. And I think it's not a matter of if, but when we will be attacked as a business by ransomware operators, by other APT groups, whoever it might be, right? And it all comes down, in my opinion, to a few different categories. You know, one is about understanding your adversaries. So collecting information either from OSINT sources or from private companies like Group-IB to really understand who are the adversaries that can attack me, what are the overlapping tactics, techniques, and procedures that they may use, and then making sure that we have the right tools in place to defend against it. Pietro spoke a lot about the overlapping vulnerabilities that ransomware groups will employ to try and target different organizations. So having attack surface management capabilities that ingest the vulnerability intelligence to passively scan the external infrastructure, or actively scan the infrastructure on the external, makes sense to make sure those gaps are plugged before a ransomware group, or affiliate, excuse me, will try to actually attack the organization. Pietro mentioned also that external remote services for employees are one of the primary entry points. So having OTP enforced for MFA, for remote services, and having really strong identity access management solutions to make sure only your employees are accessing different services rather than external affiliates, for example. So I think definitely having the right tools in place. Pietro had a lot of great points about the overlapping tactics, techniques, and procedures. So knowing what those are and making sure you have the right tools in place. But more importantly, I think it's to be prepared, and not just from a technical perspective, but from a business perspective. What are we going to do as a business when and if this happens? How is our PR team going to react? How is our board of directors going to react?
So really running those simulations, understanding how different important, critical pieces of the business may react during the scenario, is critically important. So yeah, definitely having those yearly preparations for this type of incident would be critical.
SPEAKER_00:Awesome. Thanks, Nick. Well, that's just about all we have time for this week. Pietro, thanks very much for joining us. It's been a pleasure having you on as a guest.
SPEAKER_02:Thank you, Gary and Nick, for having me here. Cheers, Pietro. Thanks, man.
SPEAKER_00:We'll see you again next time. Your data is valuable and it's under attack. Cyber espionage groups, financially motivated threat actors, ransomware attackers and other criminal enterprises are on the rise. Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical tensions, holding businesses to ransom and flooding criminal marketplaces with sensitive information. These groups thrive in secrecy, now more than ever. Knowing who your adversaries are is critical. So join us as we ask who's behind the world's most prolific cybercriminal groups. What are their tactics, their motivations and their impact? Who are the world's masked actors? Masked Actors is an independent podcast from Group-IB, a leading voice in the fight against cybercrime. The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group-IB's High-Tech Crime Trends Report. Join in the conversation online using the hashtag #maskedactors. And don't forget to subscribe so you don't miss an episode. Thanks for listening. See you next time as we uncover more of the world's top masked actors.