Security researchers have identified significant connections between two major ransomware-as-a-service (RaaS) operations, with evidence suggesting that affiliates of the recently disabled RansomHub group may have migrated to the Qilin ransomware operation.
The investigation reveals sophisticated technical capabilities within both groups and highlights the dynamic nature of ransomware ecosystems.
RansomHub’s Technical Arsenal and Rise to Prominence
RansomHub emerged in February 2024 following a suspected acquisition of web application and ransomware source code from the Knight (formerly Cyclops) operation.
The group quickly gained notoriety for its sophisticated multi-platform ransomware that targets Windows, Linux, FreeBSD, and ESXi operating systems across x86, x64, and ARM architectures.
This versatility enabled affiliates to encrypt local file systems as well as network shares reached over the SMB and SFTP protocols.
What distinguished RansomHub was its aggressive affiliate-friendly business model, offering a remarkably low 10% commission fee (later increased to 15%), significantly below the industry standard of 20-30%.
This approach successfully attracted former members from competing groups including LockBit and ALPHV, who were facing increased pressure from law enforcement actions.
According to researchers, this low-fee strategy helped RansomHub attack over 200 victims across multiple sectors including infrastructure, IT, government, healthcare, and financial services.
Operational Disruption and Underground Market Shifts
On April 1, 2025, RansomHub’s infrastructure unexpectedly went offline.
Prior to this disruption, the group had been actively recruiting affiliates by capitalizing on its competitors' troubles, specifically highlighting the law enforcement operations against LockBit and ALPHV's alleged exit scam.
Their recruitment strategy emphasized affiliate autonomy in communication and payment collection.
The shutdown occurred shortly after the advertisement of a “Ransomware Cartel” on the RAMP underground forum by an entity known as DragonForce.
This timing has raised questions about possible connections between these events and created significant uncertainty in the cybercriminal underground.
Qilin’s Suspicious Activity Surge and Connection Evidence
Following RansomHub’s disappearance, researchers observed a dramatic increase in activity from the Qilin ransomware group.
Qilin, operational since July 2022, historically maintains a strict RaaS model offering affiliates 80% of ransom payments under $3 million and 85% for larger amounts.
The most compelling evidence of migration between the groups is the timing of Qilin's increased activity. From July 2024 to January 2025, Qilin never disclosed more than 23 victim companies in a month, but that number more than doubled to 48 in February 2025, with similar levels in March and April.
Simultaneously, a Qilin administrator known as "Haise" became unusually active on underground forums, advertising a new ransomware version released on April 1, the same day RansomHub went offline.
Technical analysis indicates that both operations use similar encryption techniques and affiliate panel designs, with Qilin's ransomware written in both Go and Rust.
These developments suggest a potential organizational shift as affiliates seek new platforms following RansomHub’s disruption.