What is RansomHub, the ransomware gang behind some of today’s biggest cyberattacks?

Energy company Halliburton filed a notice with the Securities and Exchange Commission on Tuesday to inform the regulator that it had fallen victim to a “material cybersecurity incident.”

While details remain hazy, the company said in its filing that “the unauthorized third party accessed and exfiltrated information from the Company’s systems.” Halliburton is now reportedly evaluating what information was stolen, and what public notifications are required. (The company’s stock price took a 3.5% hit in the first four hours of trading on Tuesday.)

Halliburton has declined to comment further about the attack, and didn’t name the gang believed to be responsible for the breach. But TechCrunch reported on Tuesday the existence of a ransom note sent to the energy giant that suggests a ransomware gang called RansomHub is taking credit for the incident.

RansomHub has been in the news quite a bit lately, following a warning in August by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that criminals affiliated with the gang have been responsible for at least 210 known attacks in the last six months.

It’s believed that the RansomHub malware is an updated version of the Knight ransomware, which was itself originally known as Cyclops, according to anti-virus company Symantec. Knight was offered for sale by its developers in February 2024—around the time that RansomHub came on the scene—as they sought to shut down their cybercrime operation. Symantec says it is “very difficult to differentiate between” RansomHub and Knight.

RansomHub victims include Change Healthcare, one of the world’s biggest health payment processing companies, according to the CISA. About 40% of the victims are North America-based organizations, according to one count; one-third are based in Europe.

It’s not totally clear who exactly is behind RansomHub—or who belongs to the gang. “It’s always difficult to tell,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “Even if they are a gang, they are often geographically spread and act as a virtual gang.”

Group-IB, a cyberdefense firm, believes many of the key actors in the RansomHub gang used to belong to Scattered Spider, a group of hackers in their late teens and early 20s who are believed to be responsible for launching a massive cyberattack against Las Vegas casinos in 2023. “RansomHub’s ransom demands are also noticeably high, rumored to be as steep as $50 million in attacks on companies in Northern Africa,” Group-IB wrote in a blog post. “However, their interest is usually aligned with publicly available financial information about the victim, as well as analysis of leaked data that often contains accounts balance details.”

RansomHub has quickly gained a reputation as one a major cyber threat in the last few months: More than one attack per day has been reported by ZeroFox Intelligence in July and August. “They seem to be one of the more successful ransomware attackers,” says Woodward. “Their site often lists their latest victim, but they don’t seem to have done that for Halliburton so I’m wondering if they’re still ‘negotiating’ with Halliburton.”

Woodward, for his part, would advise that Halliburton doesn’t pay up—even if they’ve lost access to highly important data. The principle of paying criminals after being hacked is “contentious,” he says, and ought to prompt “the thorny question of whether it should be made illegal to pay a ransom.”