RansomHub Ransomware (random 6 chars; README_[random 6.txt]) Support Topic



#1 ITman1240
  • Members
  • 3 posts

Posted 02 March 2024 - 09:27 AM

Any files that are encrypted with RansomHub Ransomware will have a random 6-character (capital letters/numbers) extension appended to the end of the encrypted file's name, and it typically will leave files (ransom notes) that include the same README_[random 6 chars].txt as part of their name. These are some examples.

.D6CDC8
README_d6cdc8.txt

Ransomhub Description
RansomHub (Active)

Crypto-Ransomware
Data Broker
RaaS
TOR http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion

 
 
 
I got hit by ransomware and all my files are encrypted as filename.(old_extension).D6CDC8. Has anyone seen this ransomware variant, or can anyone identify it?

The ransom note looks similar to LockBit's:
 
Hello!
 
Visit our Blog: 
    Tor Browser Links:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/
    Links for normal browser:
        http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/
 
 
>>> Your data is stolen and encrypted.
 
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.




#2 quietman7
  • Global Moderator
  • 61,818 posts
  • Location: Virginia, USA

Posted 02 March 2024 - 09:37 AM

It is not uncommon for criminals to steal all or parts of ransom note contents from other criminals.
 

What is the actual name of the ransom note? 
 
Please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND their original (unencrypted) files in a "zip file" for comparison, so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic. To attach files, click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.
 
Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection? ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
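The reason the post above asks for encrypted files together with their originals is that a side-by-side comparison is the first thing an analyst does with them. The Python below is an added example of that comparison, not code from the post, from BleepingComputer or from ID Ransomware, and it does not implement RansomHub's actual encryption, which this topic does not describe. The sample pair is constructed: the first 4 KiB block of a text file is XORed with a throwaway SHA-256 keystream and a 64-byte dummy trailer is appended, standing in for whatever a real family writes there.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096


def shannon_entropy(data):
    """Bits of entropy per byte: about 8.0 for ciphertext, well below that for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_pair(original, encrypted, block=BLOCK):
    """Compare an original file with its encrypted counterpart.

    Reports the size delta (data the malware appended), the first differing
    offset, which block-sized regions changed (full versus partial encryption),
    per-file entropy, and the bytes beyond the original length, which is where
    a file marker or key blob usually lives.
    """
    common = min(len(original), len(encrypted))
    first_diff = next((i for i in range(common) if original[i] != encrypted[i]), None)
    changed = [off // block for off in range(0, common, block)
               if original[off:off + block] != encrypted[off:off + block]]
    return {
        "size_delta": len(encrypted) - len(original),
        "first_diff_offset": first_diff,
        "changed_blocks": changed,
        "total_blocks": math.ceil(common / block),
        "entropy_original": round(shannon_entropy(original), 2),
        "entropy_encrypted": round(shannon_entropy(encrypted), 2),
        "trailer": encrypted[len(original):],
    }


def _keystream(label, length):
    """Deterministic SHA-256 counter-mode keystream, used only to build the constructed sample."""
    out = b"".join(hashlib.sha256(label + i.to_bytes(4, "big")).digest()
                   for i in range(math.ceil(length / 32)))
    return out[:length]


def build_sample_pair():
    """Constructed original/encrypted pair (NOT RansomHub's real scheme):
    only the first 4 KiB block is XORed with a keystream and a 64-byte dummy
    trailer is appended, to show what partial encryption looks like."""
    original = (b"The quick brown fox jumps over the lazy dog. " * 300)[:3 * BLOCK]
    ks = _keystream(b"demo-keystream", BLOCK)
    first = bytes(a ^ b for a, b in zip(original[:BLOCK], ks))
    trailer = b"DEMO-TRAILER".ljust(64, b"\x00")
    return original, first + original[BLOCK:] + trailer


def demo():
    """Compare the constructed pair and return the report dict."""
    original, encrypted = build_sample_pair()
    return compare_pair(original, encrypted)


if __name__ == "__main__":
    report = demo()
    trailer = report.pop("trailer")
    for k, v in report.items():
        print(f"{k:>18}: {v}")
    print(f"{'trailer (hex)':>18}: {trailer[:16].hex()}...")
```

To use it on real samples, read the zipped original and encrypted files as bytes and call `compare_pair()`. What to read from the output: `size_delta` and `trailer` show how much the malware appended and what it looks like (a constant prefix there is a candidate file marker); `changed_blocks` against `total_blocks` tells full from partial encryption; `entropy_encrypted` near 8.0 for the changed regions is expected, while low entropy there would suggest a weak scheme worth a closer look. None of that decrypts anything, it only characterises the encryption so the samples sent to the experts are the useful ones.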


#3 ITman1240 (Topic Starter)
  • Members
  • 3 posts

Posted 02 March 2024 - 09:53 AM

The ransom note is called README_d6cdc8.txt. I have attached some encrypted files, but I will have to get more samples from the device today when I get back home.

The ID Ransomware reference is SHA1: cc36f0e377d29d0d4d26eefe708657eafb17148e

 

Attached Files


Edited by ITman1240, 02 March 2024 - 09:55 AM.


#4 rivitna
  • Security Colleague
  • 185 posts

Posted 02 March 2024 - 11:40 AM

This is the new ransomware gang RansomHub.



#5 quietman7
  • Global Moderator
  • 61,818 posts
  • Location: Virginia, USA

Posted 02 March 2024 - 12:17 PM

Unveiling RansomHub

Ransomhub Description
RansomHub (Active)

Crypto-Ransomware
Data Broker
RaaS
TOR http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion



#6 ITman1240 (Topic Starter)
  • Members
  • 3 posts

Posted 02 March 2024 - 02:37 PM

It's definitely going to be impossible to decrypt these files due to the lack of information surrounding this new group and their ransomware variant. Thanks again guys for at least pointing me in the right direction. I'll continue to follow the news about this group. Do they post the data immediately to their blog for companies, and what would be a good indication of them leaking a small company's information?



#7 quietman7
  • Global Moderator
  • 61,818 posts
  • Location: Virginia, USA

Posted 02 March 2024 - 03:03 PM

If we receive any updates or anything new to report, that information will be posted here.

 

When or if a free (or legitimate paid for) decryption solution is found, that information will be provided in this topic and victims will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page.




#8 ransomhub_affiliate
  • Banned Spammer
  • 1 post

Posted 04 March 2024 - 03:33 PM

I am the affiliate that has ransomwared you, just pay it bro, I've been waiting for too long.

Instead of contacting us with your link you decide to ask for help on BleepingComputer?? They should fire you lol





