
RansomHub Is Gone—But Their ESXi Ransomware Tactics Still Threaten Virtual Infrastructure

Published 12/09/2025

Written by Nathan Montierth.

In 2024, one ransomware group surged to the forefront: RansomHub. Rapidly dominating the ransomware-as-a-service (RaaS) ecosystem, this formidable network successfully breached more than 600 organizations worldwide, targeting sectors from healthcare and finance to critical infrastructure.


RansomHub: 2024’s Most Active Ransomware Group

RansomHub’s meteoric rise wasn’t a coincidence. The group capitalized on a perfect storm of opportunity, technique, and timing to outpace even the most established ransomware operations. Emerging in February 2024, they quickly gained traction by:

But RansomHub didn’t stop at traditional endpoints. By mid-2024, they had pivoted to virtual infrastructure, creating a custom ESXi variant with specialized capabilities — including native command execution (vim-cmd, esxcli), snapshot deletion, and service disablement to evade detection and hinder recovery.

This move reflected a broader trend: ransomware operators shifting toward the hypervisor layer, where compromising one system can impact hundreds of workloads.


Disappearance and Reorganization: DragonForce Takes the Stage

Then, in April 2025, RansomHub vanished. Their infrastructure went offline overnight — domains dark, payloads gone.

Within weeks, however, a new group filled the void: DragonForce. Known for its aggressive tactics and focus on virtualization attacks, DragonForce appeared to inherit not only RansomHub’s infrastructure but also its talent and tactics.

Reports link DragonForce to several ESXi-specific incidents, including the high-profile Marks & Spencer breach. Their rise marks a new era in ransomware operations — one characterized by fluid branding, shared resources, and decentralized leadership. The dissolution of RansomHub didn’t end the threat; it simply evolved it.


What This Means for Virtual Infrastructure Security

RansomHub’s legacy underscores a fundamental reality: virtualization platforms are now prime targets. Ransomware developers have realized that encrypting a single hypervisor can yield exponentially higher impact than compromising multiple endpoints.

Defenders should take several lessons from this evolution:

  1. Patching alone is no longer sufficient: Threat actors increasingly use zero-days or living-off-the-land techniques to exploit management interfaces. Patch hygiene remains essential, but it must be paired with continuous visibility and behavior monitoring.
  2. Traditional endpoint tools can’t see this layer: Hypervisors and management consoles often operate outside the scope of endpoint detection and response (EDR) solutions. Security controls must extend into the virtualization layer itself to provide meaningful protection.
  3. Authentication is the first line of defense: Many ESXi and vCenter systems still lack multi-factor authentication (MFA) or are protected only by passwords. Implementing MFA across privileged access points is one of the most effective ways to block credential-based compromise.
  4. Segmentation limits blast radius: Isolating management networks, enforcing role-based access control (RBAC), and minimizing administrative exposure can drastically reduce lateral movement opportunities.
  5. Resilience requires recovery planning: Regular snapshot verification, offline backups, and disaster-recovery exercises remain critical. Once a hypervisor is encrypted, restoring operations depends entirely on the availability and integrity of backup data.
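
A detector in the spirit of lessons 1 and 2, added here as an example (it is neither RansomHub tooling nor CSA code): it scans constructed ESXi shell.log-style lines for the snapshot-deletion and service-disablement commands described above and flags a burst of snapshot removals by one user. The record layout, the user field and the burst thresholds are assumptions, not taken from the article.

```python
# Added example for this article (not RansomHub tooling or CSA code): flags the
# hypervisor-layer behaviour described above in constructed shell.log-style lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

PATTERNS = {
    "snapshot_removal": re.compile(r"vim-cmd\s+vmsvc/snapshot\.remove(all)?\b"),
    "service_disable": re.compile(
        r"/etc/init\.d/\w+\s+stop\b|esxcli\s+network\s+firewall\s+set\s+--enabled\s+false"),
}
# Assumed approximation of an ESXi shell.log record: "<ts> shell[pid]: [user]: <command>"
LINE_RE = re.compile(r"^(\S+)\s+shell\[\d+\]:\s+\[(\w+)\]:\s+(.*)$")
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 3  # this many snapshot removals inside the window = mass deletion


def classify(command: str):
    """Return the tactic label for one shell command, or None if unremarkable."""
    return next((label for label, p in PATTERNS.items() if p.search(command)), None)


def analyze(lines: list) -> dict:
    """Count flagged commands and name users whose snapshot removals form a burst."""
    counts = defaultdict(int)
    removals = defaultdict(list)  # user -> timestamps of snapshot removals
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(m.group(3)) if m else None
        if label is None:
            continue
        counts[label] += 1
        if label == "snapshot_removal":
            removals[m.group(2)].append(datetime.fromisoformat(m.group(1).replace("Z", "+00:00")))
    burst_users = [
        user for user, t in removals.items()
        if any(t[i + BURST_COUNT - 1] - t[i] <= BURST_WINDOW
               for i in range(len(t) - BURST_COUNT + 1))
    ]
    return {"counts": dict(counts), "mass_snapshot_deletion": burst_users}


# Constructed sample: routine inventory, then a burst of destructive commands.
SAMPLE_LOG = [
    "2025-03-02T01:10:05Z shell[2001]: [root]: vim-cmd vmsvc/getallvms",
    "2025-03-02T01:10:31Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2025-03-02T01:10:34Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 13",
    "2025-03-02T01:10:38Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 14",
    "2025-03-02T01:10:45Z shell[2001]: [root]: /etc/init.d/hostd stop",
    "2025-03-02T01:10:52Z shell[2001]: [root]: esxcli network firewall set --enabled false",
]
```

Run `analyze(SAMPLE_LOG)` to see both counts and the burst flag; in production the same logic would sit on a syslog collector receiving the hosts' forwarded logs, since the host itself is what the ransomware disables.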


The Bottom Line

RansomHub may be gone, but its tactics—and the affiliates who refined them—persist. The group’s focus on ESXi wasn’t a one-off experiment; it was a glimpse of ransomware’s future.

As successors like DragonForce adapt and reorganize, virtual infrastructure will remain a lucrative target. Defenders who recognize this shift and secure their hypervisors today will be far better positioned to withstand tomorrow’s ransomware campaigns.
