1. Overview
RansomHouse is a data extortion group that diverges from traditional ransomware models by focusing almost entirely on data theft rather than file encryption. First identified in December 2021, the group has grown rapidly in visibility throughout 2022 and 2023, publishing victim data on its dedicated leak site and leveraging public shaming to extract ransom payments.
Positioning itself as a collective of “professional mediators” and security enthusiasts, RansomHouse claims its aim is to help companies identify cybersecurity flaws. In reality, it executes well-planned intrusions, steals sensitive internal data, and demands payment under the threat of public exposure—making it a financially motivated criminal operation masquerading behind pseudo-ethical rhetoric.
2. Origin and Evolution
RansomHouse emerged following attacks against targets in Africa and Europe in late 2021. Its leak site launched in early 2022, listing victims with samples of stolen files and countdowns to full data publication. The group does not deploy encryption payloads, instead prioritising rapid data exfiltration and post-breach extortion.
Over time, RansomHouse expanded its victim list to include governments, healthcare providers, banks, and telecoms, with a growing footprint in Western Europe, North America, and Southeast Asia. The group has also been observed working with third-party initial access brokers, and possibly collaborating with other extortion gangs for logistics and infrastructure.
3. Tactics, Techniques, and Procedures (TTPs)
RansomHouse intrusions follow a classic data breach-to-extortion flow:
- Initial Access: Exploitation of exposed services (T1190), credential reuse (T1078), and sometimes phishing campaigns (T1566.001) are used to gain entry. In many cases, the group exploits weak or default credentials and does not establish persistence mechanisms.
- Lateral Movement: Utilises RDP, WMI, and PsExec for traversal (T1021), with privilege escalation achieved through standard credential dumping and password reuse across systems.
- Data Exfiltration: Primary emphasis is placed on locating, staging, and exfiltrating sensitive documents (T1041). Tools such as Rclone, MEGASync, and WinSCP are commonly used.
- Extortion: Victims receive contact instructions and threats of publication. The group maintains a dark web leak site where files are posted in stages if the victim does not pay.
- No Encryption: Notably, RansomHouse avoids deploying ransomware payloads. This enables faster operations and reduces the risk of detection during the attack phase.
4. Targeting Profile
RansomHouse focuses on organisations with significant data value but inadequate cybersecurity postures, including:
- Healthcare providers and private clinics
- Municipal and regional governments
- Telecommunications and ISPs
- Financial services and accounting firms
- Retail chains and logistics providers
The group is geographically diverse in its targeting but has been observed listing UK organisations, particularly in public services and legal sectors.
5. Notable Campaigns and Victims
RansomHouse has named dozens of victims on its leak site, including:
- Shoprite (Africa’s largest retailer): Customer data and internal reports were exfiltrated and published.
- Amey (UK-based infrastructure firm): Confidential contracts and employee records were leaked.
- South American energy providers: Technical documentation and operational data were posted online.
- Healthcare institutions in the EU: Patient records, billing data, and staff credentials were compromised.
Unlike many ransomware groups, RansomHouse does not always issue ransom notes immediately, instead contacting victims only after the exfiltration is complete.
6. Leak Site and Extortion Tactics
RansomHouse operates a dark web portal where victims are listed alongside:
- Organisation logos
- Description of the breach and types of data stolen
- Sample files (usually PDFs, DOCX, XLSX, emails)
- Countdown timers to full publication
- Links for journalists or researchers to request data access
Their communications often claim to be acting “ethically” by exposing corporate negligence—but the tactics used, and the pressure applied, reflect a classic extortion operation.
7. Technical Indicators
While IOCs vary per target, common traits include:
- Use of rclone.exe, winscp.exe, and 7z.exe for compression and data exfiltration
- File staging in hidden directories or temp shares
- Connections to MEGA, pCloud, or custom FTP/SFTP endpoints
- Absence of encryption or ransomware binaries
- Registry changes to disable Windows Defender or security logs (T1112)
Detection requires focusing on data movement anomalies, privilege misuse, and archive creation patterns.
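The following is an added detection sketch, not part of the original report, that turns the indicators above into a correlation rule: a 7z archive created in a staging path followed, within a short window, by an rclone or WinSCP transfer to a MEGA, pCloud or FTP/SFTP destination on the same host. The log records, hostnames, users and paths are constructed for illustration, and the pipe-separated record layout is a generic process-creation shape rather than any vendor's format.

```python
"""Detect the archive-then-upload pattern described above.
Added example, not code from the original report. Events are constructed
(hosts, users, paths invented); the record layout is generic, not a vendor format."""
from datetime import datetime, timedelta
import re

EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "7z.exe"}  # tools the report names
CLOUD_RE = re.compile(r"(mega|pcloud|s?ftp://)", re.I)  # MEGA, pCloud, FTP/SFTP
STAGING_RE = re.compile(r"\\(temp|tmp|programdata)\\|\\\\\S+\\\w+\$", re.I)  # temp dirs, hidden shares
WINDOW = timedelta(minutes=30)  # archive -> upload correlation window
SAMPLE_LOG = r"""
2025-05-02T01:10:02|WS-FIN-07|CORP\jdoe|C:\Windows\explorer.exe|explorer.exe
2025-05-02T01:12:45|WS-FIN-07|CORP\svc_backup|C:\Users\Public\7z.exe|7z.exe a -mx1 C:\Windows\Temp\fin.7z \\FS01\Finance$
2025-05-02T01:31:10|WS-FIN-07|CORP\svc_backup|C:\Users\Public\rclone.exe|rclone.exe copy C:\Windows\Temp\fin.7z mega:bk --transfers 8
2025-05-02T02:00:00|WS-HR-02|CORP\asmith|C:\Program Files\WinSCP\winscp.exe|winscp.exe sftp://partner.example
"""

def parse_events(text):
    """Split 'timestamp|host|user|image|command line' records into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd})
    return events

def detect(events):
    """Return (severity, host, reason) findings. A cloud/SFTP upload by rclone or
    WinSCP within WINDOW of a 7z archive on the same host is the high-confidence
    signal; either alone is a weaker one."""
    findings, last_archive = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"] not in EXFIL_TOOLS:
            continue
        if ev["image"] == "7z.exe":
            last_archive[ev["host"]] = ev["ts"]
            staged = STAGING_RE.search(ev["cmd"]) is not None
            findings.append(("medium" if staged else "low", ev["host"],
                             "archive created" + (" in staging path" if staged else "")))
            continue
        to_cloud = CLOUD_RE.search(ev["cmd"]) is not None
        prior = last_archive.get(ev["host"])
        if to_cloud and prior is not None and ev["ts"] - prior <= WINDOW:
            findings.append(("high", ev["host"], f"{ev['image']} upload shortly after archive creation"))
        elif to_cloud:
            findings.append(("medium", ev["host"], f"{ev['image']} transfer to cloud/SFTP endpoint"))
        else:
            findings.append(("low", ev["host"], f"{ev['image']} executed"))
    return findings
```

Run against the sample, the finance host produces a high-severity finding for the archive-then-upload sequence, while the lone WinSCP session on the HR host is only medium because no archive preceded it.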
8. Defensive Measures and Recommendations
To reduce the risk of RansomHouse extortion:
- Monitor for unusual outbound traffic, especially to cloud storage and FTP services
- Enforce strong password policies and block default credentials
- Implement multi-factor authentication for all remote access
- Segment data repositories and audit access to sensitive folders
- Employ DLP (Data Loss Prevention) solutions where possible
- Maintain crisis communication playbooks in case of extortion scenarios
9. Attribution and Alliances
RansomHouse has not been definitively linked to a larger ransomware ecosystem, but tactical and infrastructure overlaps have been observed with other data leak collectives. Its messaging suggests operators fluent in English and Russian, and some backend components are shared with lesser-known actors such as KelvinSec and MalasLocker.
The group claims to operate independently, though it may rely on access brokers and contractors for intrusion support.
10. Conclusion
RansomHouse represents a growing shift in cyber extortion—from ransomware encryption to pure-play data theft and reputational coercion. Its minimalist tooling, fast operations, and aggressive leak tactics make it particularly dangerous to organisations with poor visibility into outbound data flows.
For UK organisations—especially in healthcare, infrastructure, and local government—RansomHouse is a credible and ongoing threat that requires both technical defence and communications readiness to manage the fallout of a data breach.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025