RansomHouse: When Data Theft Is the Ransom

RansomHouse is a cyber-extortion group active since 2021. Unlike traditional ransomware gangs that rely on encrypting files, RansomHouse is best known for data-theft–only extortion: they steal sensitive data and threaten to leak it publicly unless a ransom is paid.


How RansomHouse attacks work

  1. Initial access – Often via stolen credentials, phishing, exposed VPN/RDP, or exploiting unpatched systems.
  2. Data exfiltration – Large volumes of data are quietly copied out (no encryption required).
  3. Extortion – Victims are contacted and given a deadline to pay.
  4. Leak pressure – If unpaid, data is posted on the group’s leak site to pressure victims and regulators.

Notable characteristics

  • No encryption (usually): Because the harm is disclosure rather than loss of availability, restoring from backup does not undo it, so backup-based recovery strategies offer little protection against this group.
  • Public shaming: Data is released in stages to increase pressure.
  • Target profile: Large enterprises, critical infrastructure, healthcare, manufacturing, and government-adjacent organizations.
  • Double extortion: Even if systems keep running, the data exposure risk (legal, regulatory, reputational) is severe.

Impact on victims

  • Exposure of PII, IP, contracts, emails, and credentials
  • Regulatory fines (GDPR, HIPAA, etc.)
  • Legal action and loss of customer trust
  • Long-term reputational damage even without downtime

RansomHouse — specific victims by industry

  • Education / Research — Paris-Saclay University (France): RansomHouse claimed theft of large volumes of applicant/student documents and posted samples on its leak site; the incident disrupted campus systems and prompted a criminal investigation.
  • Manufacturing / Supply chain — Fulgar (Italian yarn/fiber supplier): Reported by trade press as hit by RansomHouse; internal documents, invoices and banking details were reportedly exposed, demonstrating supply-chain ripple effects for customers/brands.
  • Healthcare / Life sciences — Multiple healthcare providers have appeared on RansomHouse leak lists (RansomHouse frequently posts healthcare victims because of high-value personal data). Security trackers and vendor reports list healthcare among the commonly affected sectors.
  • Finance & Professional Services — Financial and professional services firms appear repeatedly on aggregated leak trackers; exposed documents can include contracts and banking info. (See leak-site aggregators and industry monitoring).
  • Government / Education-adjacent research — Universities, municipal services, and government-adjacent organizations appear on RansomHouse leak pages; these incidents raise data-privacy and regulatory-notification concerns.

Notes: RansomHouse operates a public leak site and has posted from dozens to more than 100 victims over time (researchers have counted many postings). This makes it easy to track sectoral patterns via leak-site monitoring.

How to detect RansomHouse activity in logs

RansomHouse is primarily a data-exfiltration / extortion actor (often no encryption). Detection focuses on early access vectors, lateral movement, and large/abnormal data transfers. Below are high-value detection techniques, concrete log signals, and sample SIEM/search queries you can adapt.

High-value detection signals

  1. Initial access indicators
    • Successful logins after many failed attempts (brute force / credential stuffing) on VPN, RDP, SSO.
    • New service account usage, unusual admin logins out of hours, or from geolocations unusual for the account.
  2. Post-compromise tooling
    • Cobalt Strike beacons, unusual PowerShell/WMIC usage, suspicious scheduled tasks, and bespoke web shells. (RansomHouse affiliates commonly use off-the-shelf tooling such as Cobalt Strike).
  3. Data-staging / exfiltration
    • Large aggregated file reads (database exports, many files opened in short timeframe) followed by outbound uploads.
    • Use of atypical protocols for upload (SCP/SFTP to external servers, large HTTPS POSTs to unknown domains, FTP, or cloud storage abuse).
  4. Command & control (C2) indicators
    • Periodic beacons, DNS tunneling (long TXT/NULL queries), connections to known malicious IPs/domains from threat feeds.
  5. Leak-site / extortion indicators
    • External posting of victim identifiers on leak sites — use leak monitoring feeds to correlate with internal events. RansomHouse maintains a public leak/blog which researchers monitor.
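As an added illustration of the DNS-tunneling signal in item 4 (example code written for this page, not part of the original article or of any RansomHouse tooling), the Python below scores resolver logs by query volume, label length, label entropy and record type per (client, parent domain). The log line format, the sample lines, the hostnames and the thresholds are all constructed assumptions; adapt the parser to your resolver's actual format.

```python
"""Heuristic detector for DNS-tunneling style queries: many unique, long,
high-entropy subdomains under one parent domain, mostly TXT/NULL records.

Added example, not content from the original article. The log format
"<timestamp> <client_ip> <qtype> <qname>" and the sample lines are
constructed for the example.
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 emits a burst of long, random-looking TXT
# queries under data.example-tunnel.test; 10.0.0.7 makes ordinary A queries.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 TXT 3q9x0kd8v2m1zr7p.a81bb3c7e0f9.data.example-tunnel.test
2024-05-01T10:00:02 10.0.0.5 TXT 8mzk2q7v1p0xd93r.ff01aa77cc23.data.example-tunnel.test
2024-05-01T10:00:03 10.0.0.5 TXT 0r7p3q9x8v2m1zkd.2a9b7c1d6e4f.data.example-tunnel.test
2024-05-01T10:00:04 10.0.0.5 TXT v2m1zr7p3q9x0kd8.9ee11ab2c3d4.data.example-tunnel.test
2024-05-01T10:00:05 10.0.0.5 TXT zr7p3q9x0kd8v2m1.b2c3d4e5f6a7.data.example-tunnel.test
2024-05-01T10:00:06 10.0.0.5 TXT kd8v2m1zr7p3q9x0.c3d4e5f6a7b8.data.example-tunnel.test
2024-05-01T10:00:07 10.0.0.7 A www.example.com
2024-05-01T10:00:08 10.0.0.7 A mail.example.com
2024-05-01T10:00:09 10.0.0.7 A www.example.com
"""

TUNNEL_QTYPES = {"TXT", "NULL"}  # record types the article flags for tunneling


def parse_dns_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        events.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                       "qname": qname.lower().rstrip(".")})
    return events


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, levels=2):
    """Return (subdomain part, parent domain). levels=2 treats the last two
    labels as the registrable domain; use a public-suffix list in production
    so that suffixes such as co.uk are handled correctly."""
    labels = qname.split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])


def score_dns_events(events, min_queries=5, min_avg_len=30, min_avg_entropy=3.5,
                     min_unique_ratio=0.9, min_tunnel_frac=0.5):
    """Group queries by (client, parent domain) and flag groups whose subdomains
    are numerous, mostly unique, long, high-entropy and mostly TXT/NULL."""
    groups = defaultdict(list)
    for ev in events:
        sub, parent = split_qname(ev["qname"])
        groups[(ev["client"], parent)].append((sub, ev["qtype"]))
    findings = []
    for (client, parent), rows in groups.items():
        if len(rows) < min_queries:
            continue
        subs = [sub for sub, _ in rows]
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        tunnel_frac = sum(1 for _, qt in rows if qt in TUNNEL_QTYPES) / len(rows)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy and tunnel_frac >= min_tunnel_frac):
            findings.append({"client": client, "domain": parent, "queries": len(rows),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "tunnel_qtype_fraction": round(tunnel_frac, 2)})
    return findings


if __name__ == "__main__":
    for finding in score_dns_events(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The unique-subdomain ratio is what separates tunneling from legitimate high-entropy domains such as CDN hostnames: a CDN client repeats the same handful of names, while a tunnel must encode fresh data into every query. Tune the thresholds against a week of your own resolver logs before alerting on them.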

Example detection queries

(Adapt to your SIEM fields; these are conceptual templates.)

  • Detect suspicious large file reads (Windows) — Splunk/ELK style. Windows 4663/5145 events carry no byte count, so this version counts accesses and distinct objects per account instead of summing a file size the log does not contain.
    index=files sourcetype=wineventlog (EventCode=4663 OR EventCode=5145)
    | eval object=coalesce(ObjectName, RelativeTargetName)
    | stats count as accesses, dc(object) as distinct_objects by AccountName, ComputerName
    | where accesses > 1000 OR distinct_objects > 500 ```tune thresholds```
  • Detect unusual RDP/VPN successful login after many failures
    index=auth (sourcetype=VPN OR sourcetype=RDP)
    | stats count(eval(action="failure")) as fails, count(eval(action="success")) as succ by src_ip, user
    | where succ>=1 AND fails>10 ```tune thresholds```
  • Detect Cobalt Strike-like HTTP beaconing (periodic small POSTs). Bucketing with bin and grouping by source and destination gives a per-minute count per pair; timechart split by host would produce one column per host and could not be filtered with a single where clause.
    index=network sourcetype=proxy method=POST
    | bin _time span=1m
    | stats count by _time, src_ip, dest_host
    | where count > 10 ```tune thresholds```
  • Detect large outbound HTTPS uploads (proxy/NGFW logs). Summing per source/destination pair catches uploads split into many smaller requests, which a per-request size filter would miss.
    index=proxy sourcetype=web method=POST
    | stats sum(bytes_out) as total_out by src_ip, dest_host
    | where total_out > 50000000 ```tune thresholds```
  • Search for known tooling indicators (YARA / EDR telemetry)
    • Look for processes named cobaltstrike.jar, java with suspicious parent processes, powershell.exe with encoded commands, or regsvr32 invoked in user context.
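The beaconing query above only counts requests per minute. The following added Python example (written for this page, not from the original article) goes one step further and measures how regular the gaps between a client's requests to a single host are (the coefficient of variation of the inter-arrival times), which is the property that distinguishes a beacon from ordinary browsing; the CSV-like line format, the hostnames, the sample lines and the thresholds are constructed assumptions.

```python
"""Beacon regularity check over constructed proxy log lines.

Added example, not the article's own query. Assumes lines of the form
"epoch,src_ip,dest_host,method,bytes_out"; this format and the sample data
are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 POSTs ~350 bytes to one host every ~60 s with
# small jitter; 10.0.0.7 browses www.example.com at irregular times.
SAMPLE_PROXY_LOG = """\
1000,10.0.0.5,c2.example-beacon.test,POST,352
1061,10.0.0.5,c2.example-beacon.test,POST,348
1119,10.0.0.5,c2.example-beacon.test,POST,355
1180,10.0.0.5,c2.example-beacon.test,POST,351
1242,10.0.0.5,c2.example-beacon.test,POST,349
1299,10.0.0.5,c2.example-beacon.test,POST,353
1360,10.0.0.5,c2.example-beacon.test,POST,350
1421,10.0.0.5,c2.example-beacon.test,POST,347
1479,10.0.0.5,c2.example-beacon.test,POST,354
1540,10.0.0.5,c2.example-beacon.test,POST,352
1601,10.0.0.5,c2.example-beacon.test,POST,350
1659,10.0.0.5,c2.example-beacon.test,POST,351
1000,10.0.0.7,www.example.com,GET,0
1003,10.0.0.7,www.example.com,GET,0
1250,10.0.0.7,www.example.com,POST,5120
1251,10.0.0.7,www.example.com,GET,0
1900,10.0.0.7,www.example.com,GET,0
2400,10.0.0.7,www.example.com,GET,0
2405,10.0.0.7,www.example.com,POST,120
3100,10.0.0.7,www.example.com,GET,0
"""


def parse_proxy_log(text):
    """Parse the constructed CSV-like format; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, src_ip, dest_host, method, bytes_out = parts
        events.append({"ts": int(ts), "src_ip": src_ip, "dest_host": dest_host,
                       "method": method.upper(), "bytes_out": int(bytes_out)})
    return events


def interval_stats(times):
    """Mean and coefficient of variation (stdev / mean) of the gaps between
    sorted timestamps. A low CV means the gaps are nearly identical."""
    times = sorted(times)
    if len(times) < 2:
        return 0.0, float("inf")
    gaps = [b - a for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu > 0 else float("inf"))


def beacon_candidates(events, min_events=8, max_cv=0.15, max_bytes=2048,
                      min_small_post_frac=0.8):
    """Flag (src_ip, dest_host) pairs with enough requests, very regular
    spacing, and a high share of small POST bodies."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src_ip"], ev["dest_host"])].append(ev)
    results = []
    for (src, dst), evs in by_pair.items():
        if len(evs) < min_events:
            continue
        mu, cv = interval_stats(e["ts"] for e in evs)
        small_posts = sum(1 for e in evs
                          if e["method"] == "POST" and e["bytes_out"] <= max_bytes)
        frac = small_posts / len(evs)
        if cv <= max_cv and frac >= min_small_post_frac:
            results.append({"src_ip": src, "dest_host": dst, "events": len(evs),
                            "mean_interval_s": round(mu, 1), "cv": round(cv, 3),
                            "small_post_fraction": round(frac, 2)})
    return results


if __name__ == "__main__":
    for candidate in beacon_candidates(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(candidate)
```

Beacons with deliberate jitter raise the CV, so max_cv is the knob to widen if your tuning data shows jittered traffic; combine the result with destination reputation and first-seen age before paging anyone, since monitoring agents and update checkers also beacon on fixed schedules.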

Enrich detection with threat intel

  • Feed your SIEM/EDR with curated RansomHouse IoCs (domains, IPs, file hashes) and monitor leak-site aggregators (e.g., ransomware.live, vendor trackers) to rapidly correlate exposure.

Compare RansomHouse with other extortion-only / ransomware groups

  • Primary technique
    • RansomHouse: Primarily data-theft / leak-only extortion (rarely encrypts). Uses exfiltration + leak site to extort.
    • Cl0p / MOVEit actors: Large-scale data exfiltration using supply-chain vulnerabilities (e.g., MOVEit) and extortion — they may or may not encrypt systems, but their big wins are mass data theft. (Supply-chain focused).
    • BlackCat/ALPHV, LockBit, Conti: Typically encrypt-first (ransomware) and frequently double-extort (steal data then encrypt), using both downtime and data-release pressure.
  • Business model
    • RansomHouse: Leak-site + negotiations; portrays a “professional” FAQ/rules on their site. Affiliates may operate under a RaaS-like model.
    • Others (ALPHV, LockBit): Mature RaaS ecosystems with affiliate programs, encryption toolkits, and negotiation support.
  • Detection & response implications
    • RansomHouse: Because systems may not be encrypted, defenders might miss incidents if they focus only on encryption indicators. Emphasize data-access and egress monitoring.
    • Encryption groups: Detect via sudden mass file encryption patterns and ransomware binaries; backups are more effective for recovery.
  • Regulatory risk
    • All groups that exfiltrate personal data create direct data-breach notification obligations (GDPR, HIPAA, etc.). The absence of encryption does not reduce legal/regulatory exposure: data theft on its own triggers notification rules. (General regulatory guidance; see vendor advisories).

Incident response checklist for a RansomHouse (data-exfiltration) attack

Immediate (0–24 hours)

  1. Activate IR team & communication channels. Triage call with exec sponsor, legal, PR, IT, security, and external counsel.
  2. Isolate affected systems (but preserve evidence). Remove network access for compromised hosts (network segmentation, deny lists). Do not wipe or reimage before forensic capture.
  3. Preserve logs & artifacts. Snapshot EDR telemetry, host images, firewall/proxy logs, VPN logs, application DB backups and file server event logs. (The forensics team should maintain chain of custody for everything collected).
  4. Block identified IOCs (IPs/domains/hashes) at perimeter, EDR, DNS sinkholing and firewall. Update detection rules immediately.
  5. Change credentials / rotate keys for accounts suspected of compromise — prioritize privileged accounts, service accounts, cloud admin keys, and VPN SSO tokens. Use a secure out-of-band channel for coordination.

Short term (24–72 hours)

  1. Hunt for lateral movement & data staging. Use SIEM to run the queries listed above (mass file reads, unusual database exports, SMB access bursts). Look for unusual scheduled tasks or RMM tooling activity.
  2. Engage external specialists (forensics, breach counsel). Consider notifying law enforcement (e.g., national cyber units) early.
  3. Legal & regulatory assessment. Determine personal data types exfiltrated, jurisdictions affected, and notification timelines (e.g., GDPR 72-hour considerations). Consult counsel before public statements.
  4. Communications plan. Draft internal notifications and a holding statement for customers and regulators. Keep messaging factual (what happened, what you are doing). Coordinate with PR and legal.
  5. Negotiation stance. Do not negotiate or pay without executive approval and legal counsel — document any attacker communications. Consider law enforcement advice before engaging.

Medium term (after containment)

  1. Remediation & hardening
    • Revoke/rotate affected credentials, rebuild compromised hosts from known-good images, apply critical patches (VPN, perimeter appliances).
    • Enforce MFA for all remote access and privileged accounts.
    • Harden backups (air-gapped / immutable backups) and test restoration.
  2. Data recovery & integrity checks. Validate integrity of restored systems and check for backdoors/web shells that may persist.
  3. Post-incident review & lessons learned. Update IR plan, detection rules, and tabletop exercises based on findings.
  4. Threat intel sharing. Share non-sensitive IoCs with industry ISACs and use vendor feeds to block repeat compromises.

For detection tuning & evidence collection (concrete items to gather)

  • Full EDR timelines, host images, process trees, memory captures (for beacon C2), proxy/firewall logs (HTTP POSTs), database audit logs, Windows Event logs (4624/4634/4663), SMB access logs.

Sample forensic / SIEM actions to add now

  • Add correlation rule: “High volume of file reads on file server + outbound upload to unknown host within 24 hours” → trigger IR pager.
  • Add alert: “Privileged credential used from novel IP + subsequent large SMB read count” → immediate quarantine.
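Both correlation rules, implemented as an added Python example (written for this page, not the article's own detection content) over a constructed event stream. The event schema (dicts with an epoch "ts", a "type" and per-type fields), the sanctioned-destination and privileged-account lists, the logon history and every sample event are assumptions constructed for the example; map your SIEM's fields onto them.

```python
"""The two correlation rules above, run over constructed events.

Added example, not content from the original article. Event schema,
allow-lists, logon history and sample events are all constructed.
"""
from collections import defaultdict

DAY = 24 * 3600
KNOWN_UPLOAD_DESTS = {"backup.example.com"}          # constructed: sanctioned upload targets
PRIVILEGED_ACCOUNTS = {"da_admin", "svc_backup"}      # constructed: privileged accounts
KNOWN_SOURCE_IPS = {"da_admin": {"10.0.0.50"},        # constructed: historical logon sources
                    "svc_backup": {"10.0.0.60"}}


def file_reads(account, start, n):
    """Constructed burst of n file-server read events (4663-style), 1 s apart."""
    return [{"ts": start + i, "type": "file_read", "account": account, "host": "FS01"}
            for i in range(n)]


def smb_reads(account, start, n):
    """Constructed burst of n SMB share read events (5145-style), 1 s apart."""
    return [{"ts": start + i, "type": "smb_read", "account": account, "host": "FS01"}
            for i in range(n)]


EVENTS = (
    # da_admin logs on from an address never seen for it, then reads heavily...
    [{"ts": 900, "type": "logon", "account": "da_admin", "src_ip": "203.0.113.9",
      "outcome": "success"}]
    + smb_reads("da_admin", 950, 150)
    + file_reads("da_admin", 1000, 250)
    # ...and about five hours later uploads 80 MB to a host nobody sanctioned
    + [{"ts": 19000, "type": "http_post", "account": "da_admin",
        "dest_host": "drop.example-exfil.test", "bytes_out": 80_000_000}]
    # svc_backup runs its normal job: known source IP, known destination
    + [{"ts": 2000, "type": "logon", "account": "svc_backup", "src_ip": "10.0.0.60",
        "outcome": "success"}]
    + file_reads("svc_backup", 2100, 300)
    + [{"ts": 3000, "type": "http_post", "account": "svc_backup",
        "dest_host": "backup.example.com", "bytes_out": 90_000_000}]
    # a small upload from da_admin that stays under the size threshold
    + [{"ts": 19500, "type": "http_post", "account": "da_admin",
        "dest_host": "cdn.example.net", "bytes_out": 1_000_000}]
)


def rule_staging_then_egress(events, read_threshold=200, upload_bytes=50_000_000, window=DAY):
    """Rule 1: a large upload to a non-sanctioned host by an account that read
    many files on the file server within the preceding window."""
    reads = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_read":
            reads[ev["account"]].append(ev["ts"])
    alerts = []
    for ev in events:
        if (ev["type"] != "http_post" or ev["bytes_out"] < upload_bytes
                or ev["dest_host"] in KNOWN_UPLOAD_DESTS):
            continue
        n = sum(1 for t in reads[ev["account"]] if ev["ts"] - window <= t <= ev["ts"])
        if n >= read_threshold:
            alerts.append({"rule": "staging_then_egress", "account": ev["account"],
                           "dest_host": ev["dest_host"], "bytes_out": ev["bytes_out"],
                           "file_reads_in_window": n})
    return alerts


def rule_novel_ip_privileged(events, smb_threshold=100, window=3600):
    """Rule 2: a privileged account logs on from an IP absent from its history
    and then performs many SMB reads within the following window."""
    smb = defaultdict(list)
    for ev in events:
        if ev["type"] == "smb_read":
            smb[ev["account"]].append(ev["ts"])
    alerts = []
    for ev in events:
        if (ev["type"] != "logon" or ev["outcome"] != "success"
                or ev["account"] not in PRIVILEGED_ACCOUNTS
                or ev["src_ip"] in KNOWN_SOURCE_IPS.get(ev["account"], set())):
            continue
        n = sum(1 for t in smb[ev["account"]] if ev["ts"] <= t <= ev["ts"] + window)
        if n >= smb_threshold:
            alerts.append({"rule": "novel_ip_privileged_smb", "account": ev["account"],
                           "src_ip": ev["src_ip"], "smb_reads_in_window": n})
    return alerts


if __name__ == "__main__":
    for alert in rule_staging_then_egress(EVENTS) + rule_novel_ip_privileged(EVENTS):
        print(alert)
```

The sanctioned-destination list is what keeps the nightly backup job quiet, so it needs an owner and a review cadence; the logon history should be built from a rolling baseline (for example the last 30 days of successful logons per account) rather than a static dictionary as in this example.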

Quick prioritized recommendations

  1. Enable/verify MFA on all admin, VPN, and remote access.
  2. Start egress monitoring (proxy/NGFW) and set alerts for large uploads and new destinations.
  3. Feed RansomHouse IoCs into EDR/NGFW/DNS and block immediately (use vendor feeds and leak trackers).
  4. Run rapid hunt queries for abnormal file access and Cobalt Strike-like beacons (examples above).