The Many Doors of RansomHouse: Mapping an Evolving Ransomware Ecosystem

Ransomware groups rarely disappear when their infrastructure goes offline. Domains change, communication channels are abandoned, and public leak sites evolve over time, leaving behind fragments that can make long-term investigations difficult. While many ransomware reports focus on a single attack or victim, understanding how these groups maintain their presence across multiple platforms often provides a more complete picture of how they operate.

Among the many ransomware operations that have emerged in recent years, RansomHouse has established itself as a distinct actor. Since appearing in 2021, the group has publicly positioned itself as a data extortion operation, frequently claiming that victims are targeted for poor cybersecurity practices rather than relying solely on traditional ransomware deployment. Over time, it has published numerous victim disclosures through its leak site while continuously adapting the infrastructure used to support those operations.

This investigation takes a different approach. Instead of examining a single breach, it follows the digital footprint left behind by RansomHouse across its public infrastructure. Using StealthMole, the investigation reconstructs pieces of the group's online presence that are no longer readily accessible, revealing how websites, communication channels, and supporting infrastructure evolved over time.

Where the Trail Began

The investigation began with StealthMole's Ransomware Monitoring module, where RansomHouse was identified as an active ransomware operation. The group's most recent claimed victim at the time of investigation was a U.S.-based construction company, which appeared on the platform with an attack date of 29 June 2026. While the individual incident was noteworthy, it also raised a broader question: how extensive was RansomHouse's activity, and what digital footprint had the group left behind over the years?

To answer that, a broader search was conducted within the Ransomware Monitoring module using the RansomHouse identifier. The results showed that between May 2022 and June 2026, the group had claimed responsibility for more than 186 victim organizations, spanning multiple industries and geographic regions. The steady stream of disclosures over a four-year period suggested that RansomHouse was not a short-lived operation but one that had maintained a consistent presence within the ransomware landscape.

Beyond victim statistics, the platform also identified the group's primary leak site:

  • zohlm7********************************************2yid.onion

The leak site served as the public face of the operation, hosting victim listings and data disclosures. Rather than ending the investigation with the group's victim count, this onion domain became the next investigative pivot. By tracing the infrastructure connected to the leak portal through StealthMole's Dark Web Tracker, the investigation aimed to determine whether RansomHouse relied on additional websites, communication channels, or supporting infrastructure that could help reconstruct its broader operational ecosystem.

Inside RansomHouse

Pivoting from the leak site into StealthMole's Dark Web Tracker provided a closer look at how RansomHouse presents itself beyond its victim listings. Rather than functioning solely as a repository for leaked data, the website is structured as a centralized platform that explains the group's operating model, manages victim interactions, and facilitates communication with external parties.

At the center of the website are two categories used to organize victims: Evidence and Disclosed. Organizations listed under Evidence have samples of stolen data published as proof of compromise, while those marked as Disclosed have had their full datasets released publicly. This staged approach allows RansomHouse to apply pressure during negotiations before proceeding to a complete disclosure if an agreement cannot be reached.

The website also contains a detailed Frequently Asked Questions (FAQ) section that offers insight into how the group portrays its activities. One of the recurring themes is its attempt to distinguish itself from conventional ransomware operations. Rather than describing itself simply as a group that encrypts systems for financial gain, RansomHouse claims to target organizations with weak cybersecurity practices and presents data disclosure as a consequence of inadequate security rather than the primary objective of the operation.

For affected organizations, the FAQ explains how victims can establish contact, negotiate, or request the removal of published material. It also provides guidance for organizations wishing to purchase their undisclosed data before it is made public, illustrating that the website serves not only as a disclosure platform but also as a negotiation and transaction portal.

Interestingly, RansomHouse also dedicates a section of the website to journalists and researchers. Media representatives are encouraged to contact the group directly for additional information or clarification regarding published breaches, reflecting an effort to shape public reporting around its activities. Alongside its Tor-based infrastructure, the group also advertises alternative communication methods, including an I2P address, providing additional resilience should parts of its infrastructure become unavailable.

Following the Mirrors

With a clearer understanding of how RansomHouse presents itself, the investigation shifted from examining the contents of the website to tracing the infrastructure supporting it. Using the group's primary onion domain as the investigative pivot, StealthMole's Dark Web Tracker revealed that the public leak site represented only a small portion of a much larger network of interconnected services.

One of the first discoveries was the existence of an additional RansomHouse-branded onion domain:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although no longer active, the domain hosted a mirror of the RansomHouse leak site during its operational lifetime. The preserved records indicate that it remained active throughout 2022 before eventually disappearing. Its discovery suggests that RansomHouse maintained multiple public-facing portals over time, providing redundancy while preserving access to victim disclosures.

As the investigation expanded, StealthMole identified a much broader layer of infrastructure supporting the operation. Rather than storing stolen data directly on the main leak portal, RansomHouse relied on numerous dedicated onion-based file servers to host disclosed datasets. Hundreds of these domains were identified, many of which are now inactive. Examples include:

  • vopa354z4toilkjn4ileaf6rinkzn2givaokvj4yguq5kbiqoulxnzyd.onion
  • m7vtnbsgctdcsccqmpnmi6igg3pcuiliqqqsq6uonkzg4blpa4eysiad.onion
  • nuhnnxg3owawo36mwdffyblbzplhthfswny55mh7yhbxq74en6jihyad.onion
  • q2bwuip5xq4qjn2vyevprcddhk26cigyqfqfu6yki7korjys2rposaad.onion
  • ge74uts2ybu22kzwahiayovxelbq5fwhywl73agev5w4fef2e5ikplid.onion

The use of separate file hosting infrastructure demonstrates a deliberate separation between the group's public leak portal and the servers responsible for distributing stolen data. This layered approach not only improves operational resilience but also allows individual file servers to be rotated or abandoned without disrupting the primary website.

Additional infrastructure was uncovered while examining individual victim disclosures. One example involved Prince George County, where the published disclosure page directed investigators to another onion domain:

  • yvqyd**********************************************raid.onion

The domain appeared to function as another dedicated file server containing the victim's disclosed data, reinforcing the pattern of decentralized data hosting observed throughout the investigation.

Beyond data hosting, StealthMole also identified two onion-based negotiation portals associated with the operation:

  • secxrosqawaefsio3biv2dmi2c5yunf3t7ilwf54czq3v4bi7w6mbfad.onion
  • am26uhnrvhikyekz7h5qgjhv6x4arnzpcr2tw4wxqdg7hw525xs4o2qd.onion

These portals appear to facilitate direct communication between RansomHouse and affected organizations, complementing the public-facing leak site and supporting the negotiation process described within the group's FAQ.

More Than Just a Hash

While the infrastructure analysis revealed how RansomHouse managed its public-facing operations, StealthMole also uncovered a technical artifact that offered another avenue for investigation. Unlike onion domains or communication channels, malware hashes can serve as persistent identifiers, helping investigators associate malicious files with related infrastructure and previously observed activity.

During the investigation, StealthMole identified the following SHA-256 malware hash associated with RansomHouse:

  • efe27717*****************************************6a582

Rather than examining the hash in isolation, it was used as the next investigative pivot. This led to the discovery of another onion domain:

  • jqmxd4j***************************************fktqd.onion

Although the domain appeared in connection with the malware artifact, the available evidence did not conclusively establish that it belonged to RansomHouse. No additional infrastructure, communication channels, or operational artifacts were identified that could confidently attribute the onion service to the group.

For that reason, the domain has been retained as an investigative lead rather than a confirmed component of the RansomHouse ecosystem. Maintaining this distinction is important, particularly in cyber investigations where infrastructure may be shared, repurposed, or coincidentally linked through third-party reporting. Treating every associated artifact as confirmed infrastructure risks creating inaccurate attribution.

Beyond the Onion

By this stage, the investigation had revealed a substantial network of websites, file servers, and negotiation portals supporting RansomHouse's public operations. However, ransomware groups rarely rely on websites alone. Communication platforms often provide a more dynamic view of how these groups announce new victims, interact with followers, and direct users across their infrastructure. With this in mind, the investigation expanded into StealthMole's Telegram Tracker to identify any channels or accounts associated with RansomHouse.

One of the first artifacts identified was the Telegram channel:

  • https://t.me/ransom*******e

The channel primarily served as a public announcement platform, publishing updates on newly disclosed victims while directing users back to the group's onion infrastructure. During its investigation, StealthMole also identified another RansomHouse-branded onion domain referenced through the channel:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although the domain is now inactive, its discovery further supports the observation that RansomHouse maintained multiple public-facing portals throughout its operation.

The investigation then shifted to another Telegram artifact:

  • https://t.me/R********s

Unlike the announcement channel, this account contained very little publicly available information. No significant digital footprint or public activity was observed, suggesting that it primarily functioned as a point of contact rather than a channel used for publishing operational updates.

Further analysis led to https://t.me/RH****s, which proved to be considerably more active. StealthMole identified both the associated user account @RH******s and the public Telegram channel of the same name. Historical records also showed that the account had changed its username on three separate occasions, indicating that its identity had evolved over time while remaining connected to the group's communication ecosystem.

Within the channel, investigators also identified an invitation to a private Telegram group named RH_Group:

  • https://t.me/+VzR**********DUx

Alongside the invitation, the channel directed users to @RH******s as the primary contact point, illustrating how RansomHouse separated public announcements from direct communication.

Conclusion

What began as a routine review of a ransomware operation in StealthMole's Ransomware Monitoring module quickly evolved into a broader investigation of RansomHouse's digital footprint. Rather than identifying a single leak site, the investigation uncovered an interconnected ecosystem consisting of historical mirror domains, dedicated file servers, negotiation portals, malware artifacts, and a structured Telegram presence that supported the group's public operations.

The findings also highlight an important aspect of cyber threat investigations: the visible leak site is often only one component of a much larger infrastructure. By following each investigative pivot, it was possible to reconstruct parts of RansomHouse's operational ecosystem that are no longer publicly accessible, while also distinguishing verified infrastructure from artifacts requiring further validation. Maintaining this level of attribution discipline is essential, particularly when infrastructure overlaps or redistributed content can easily create misleading associations between unrelated threat actors.

This investigation demonstrates how StealthMole enables analysts to move beyond individual ransomware incidents and develop a broader understanding of how threat actors build, maintain, and adapt their digital infrastructure over time. By connecting historical records, dark web infrastructure, malware artifacts, and communication channels, investigators can reconstruct operational ecosystems that would otherwise remain fragmented across multiple sources.

Editorial Note

Attributing cybercriminal infrastructure is rarely straightforward. Domains are abandoned, communication channels change, and leaked data is frequently redistributed by unrelated actors, making careful validation an essential part of any investigation. This case illustrates StealthMole allows investigators to piece together a more complete picture while avoiding unsupported attribution, reinforcing the importance of evidence-driven intelligence throughout the investigative process.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

Learn more about StealthMole

Talk to our team of experts today to learn how you can manage your dark web exposure.
Request demo More Reports

Share this report