diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ac66f12d..7a35c7f2 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16007,6 +16007,18 @@ }, "uuid": "6149f3b6-510d-4e45-bf88-cd25c7193702", "value": "Alpha Spider" + }, + { + "description": "RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. They have been linked to attacks exploiting the Zerologon vulnerability to gain initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service with a unique affiliate prepayment model. The group has been active in extorting victims and leaking sensitive data to pressure for ransom payments.", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware", + "https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/", + "https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/" + ] + }, + "uuid": "9d218bb3-fc59-43e0-a273-a0a0fb5c463e", + "value": "RansomHub" } ], "version": 310