Researchers at ESET have discovered significant connections between the emerging ransomware-as-a-service (RaaS) group RansomHub and well-established gangs Play, Medusa, and BianLian.
The investigation, which focused on RansomHub’s custom EDR killer tool named EDRKillShifter, has revealed a complex web of relationships within the ransomware ecosystem.

ESET Uncovers Links Between RansomHub, Play, Medusa, and BianLian
RansomHub, which emerged in February 2024, quickly rose to prominence in the wake of law enforcement actions against major players like BlackCat and LockBit.
The group’s rapid ascent was facilitated by its attractive affiliate program, offering a 90% cut of ransom payments and various entry options for potential collaborators.
In May 2024, RansomHub introduced EDRKillShifter, a specialized malware designed to terminate, blind, or crash security products on victim systems.
This tool quickly gained popularity among ransomware affiliates, extending its use beyond RansomHub operations.
ESET researchers leveraged the widespread adoption of EDRKillShifter to uncover connections between RansomHub affiliates and rival gangs.
By tracking the usage of specific EDRKillShifter samples and associated infrastructure, they identified a threat actor, dubbed QuadSwitcher, working simultaneously for RansomHub, Play, Medusa, and BianLian.

EDR Killers on the Rise
The research also highlights the growing trend of EDR killers in the ransomware landscape.
These tools, which typically load a legitimately signed but vulnerable driver and abuse it from kernel mode to terminate or blind security products (the Bring Your Own Vulnerable Driver, or BYOVD, technique), have become an essential part of ransomware affiliates’ arsenals.
ESET noted that while thousands of vulnerable drivers exist, only a handful are commonly abused by EDR killers.
This preference is likely due to the ease of reusing existing exploit code rather than developing new exploits from scratch.
The addition of EDR killers to RaaS offerings, as seen with RansomHub’s EDRKillShifter and Embargo’s MS4Killer, represents a significant evolution in the ransomware ecosystem.
This trend may lead to increased sophistication and success rates for ransomware attacks.
Defending against EDR killers poses challenges for cybersecurity professionals.
ESET recommends focusing on preventing the execution of killer code, enabling detection of potentially unsafe applications, and maintaining proper patch management to mitigate the risk posed by vulnerable drivers.
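As an added example (not ESET's code or any tooling from the research), the following Python script shows the two detection angles from the paragraphs above in working form: matching loaded drivers against a known-abused-driver list, and correlating a driver load with terminations of security processes shortly afterwards. All events, hashes, file names and timestamps are constructed for the example; the hash list is a stand-in for a real feed such as the Microsoft vulnerable driver blocklist or LOLDrivers, and the security-process set is illustrative, not exhaustive.

```python
"""Added example: minimal BYOVD / EDR-killer detection over constructed Sysmon-style events."""
from datetime import datetime, timedelta

# Constructed stand-in for a vulnerable-driver blocklist (SHA256 -> name).
# In practice load the Microsoft vulnerable driver blocklist or the LOLDrivers feed.
KNOWN_ABUSED_DRIVER_SHA256 = {
    "aa" * 32: "constructed_vuln_a.sys",
    "bb" * 32: "constructed_vuln_b.sys",
}

# Illustrative image names of security products (lower-cased for matching).
SECURITY_PROCESS_NAMES = {
    "msmpeng.exe",          # Microsoft Defender
    "ekrn.exe",             # ESET kernel service
    "sentinelagent.exe",    # SentinelOne
    "csfalconservice.exe",  # CrowdStrike Falcon
}

# Constructed Sysmon-style events: EID 6 = driver loaded, EID 5 = process terminated.
SAMPLE_EVENTS = [
    {"time": "2024-05-10 09:00:00", "id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\mssecflt.sys",
     "SHA256": "cc" * 32, "Signature": "Microsoft Windows"},
    {"time": "2024-05-10 09:10:12", "id": 6,
     "ImageLoaded": r"C:\Users\Public\constructed_vuln_a.sys",
     "SHA256": "aa" * 32, "Signature": "Constructed Hardware Vendor"},
    {"time": "2024-05-10 09:10:15", "id": 5,
     "Image": r"C:\Program Files\ESET\ESET Security\ekrn.exe"},
    {"time": "2024-05-10 09:10:16", "id": 5,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"time": "2024-05-10 09:10:20", "id": 5,
     "Image": r"C:\Windows\notepad.exe"},
]

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def basename_lower(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def driver_findings(events: list) -> list:
    """Flag driver loads whose hash is on the abused list or whose path is
    outside the system driver directory (a signed vulnerable driver dropped
    by an attacker is usually staged somewhere user-writable)."""
    findings = []
    for ev in events:
        if ev["id"] != 6:
            continue
        reasons = []
        if ev["SHA256"].lower() in KNOWN_ABUSED_DRIVER_SHA256:
            reasons.append("hash on abused-driver list")
        if not ev["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIR):
            reasons.append("loaded from outside System32\\drivers")
        if reasons:
            findings.append({"time": ev["time"], "driver": ev["ImageLoaded"],
                             "signature": ev["Signature"], "reasons": reasons})
    return findings


def correlate_edr_kill(events: list, window: timedelta = timedelta(minutes=5),
                       min_kills: int = 2) -> list:
    """Heuristic: a driver load followed within `window` by at least `min_kills`
    terminations of security processes. Sysmon EID 5 does not say who killed the
    process, so the time correlation is the signal, not proof of causation."""
    loads = [e for e in events if e["id"] == 6]
    kills = [e for e in events if e["id"] == 5]
    alerts = []
    for ld in loads:
        t0 = parse_time(ld["time"])
        killed = [
            basename_lower(k["Image"]) for k in kills
            if t0 <= parse_time(k["time"]) <= t0 + window
            and basename_lower(k["Image"]) in SECURITY_PROCESS_NAMES
        ]
        if len(killed) >= min_kills:
            alerts.append({"time": ld["time"], "driver": ld["ImageLoaded"], "killed": killed})
    return alerts


if __name__ == "__main__":
    for f in driver_findings(SAMPLE_EVENTS):
        print("suspicious driver:", f)
    for a in correlate_edr_kill(SAMPLE_EVENTS):
        print("possible EDR killer:", a)
```

The hash match is the high-confidence signal; the path and time-correlation checks exist because, as the research notes, attackers rotate among a handful of drivers and a fresh sample may not yet be on any list. In a real deployment the blocklist would be refreshed from its upstream feed and the Sysmon events read from the event log rather than embedded.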
The research underscores the resilience of the ransomware ecosystem, despite recent law enforcement successes.
While disruptions of major RaaS operators have proven effective, the quick regrouping of affiliates highlights the need for a multifaceted approach to combating ransomware.
ESET suggests that targeting affiliates and tracking their connections between various gangs may be key to long-term success in the fight against ransomware.