Cybercrime high Multiple (Eastern European core)

RansomHub affiliates

Ransomware-as-a-Service (RaaS) affiliates — diverse origins · Financial — ransomware and extortion

Reports 1

Active Since 2024

Last Reported 14 May 2026

Sectors Targeted healthcare

Tactics, Techniques & Procedures (TTPs)

Affiliate-driven RaaS model (affiliates keep ~90% of ransom)
Initial access via phishing, RDP brute force, VPN vulnerabilities
ALPHV/BlackCat refugee affiliates post-disruption
LockBit affiliates post-law enforcement action
Double-extortion with dedicated leak site
EDR evasion and disabling of security tools

Known Targets

Healthcare sector (NHS, hospitals)Critical infrastructureGovernment and public sectorManufacturing and logisticsLaw firms and professional services

Analyst Notes

RansomHub emerged in early 2024 and rapidly absorbed affiliates displaced by law enforcement action against ALPHV/BlackCat and LockBit. Now one of the most active RaaS platforms by victim count.

Also Known As

Greenbottle (former ALPHV affiliates)Various ex-LockBit affiliates

Intelligence Reports

Briefing healthcare

NHS Trusts Targeted in Coordinated Ransomware Wave as RaaS Affiliates Shift Focus

A cluster of ransomware affiliates, several previously linked to ALPHV/BlackCat, has targeted three NHS trusts in the past six weeks. Attackers are exploiting legacy VPN appliances and unpatched remote access infrastructure.

14 May 2026 · 4 min read