Thursday, May 8, 2025
Homecyber securityNew Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs

New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs

Published on

SIEM as a Service

Follow Us on Google News

ESET researchers have connections between the newly emerged ransomware-as-a-service (RaaS) group RansomHub and established ransomware gangs, including Play, Medusa, and BianLian.

Ransomware Gangs
Schematic overview of the links between Medusa, RansomHub, BianLian, and Play

Emerging Threat Actor Connects Multiple Ransomware Operations

The investigation centered on RansomHub’s custom EDR killer tool, EDRKillShifter, which has gained popularity among ransomware affiliates since its introduction in May 2024.

The research team identified a threat actor, dubbed QuadSwitcher, who deployed EDRKillShifter across multiple ransomware operations.

- Advertisement - Google News

This actor utilized two specific EDRKillShifter samples (with SHA-1 hashes BF84712C5314DF2AA851B8D4356EA51A9AD50257 and 77DAF77D9D2A08CC22981C004689B870F74544B5) in attacks attributed to RansomHub, Play, Medusa, and BianLian between July and August 2024.

EDR Killers: A Rising Trend in Ransomware Attacks

EDRKillShifter represents a growing trend in the ransomware ecosystem the use of specialized tools designed to disable or evade endpoint detection and response (EDR) systems.

These EDR killers typically consist of a user-mode component for orchestration and a legitimate but vulnerable driver to execute malicious actions from kernel mode.

The researchers noted that while there are over 1,700 known vulnerable drivers, only a handful are commonly abused by EDR killers.

This suggests that threat actors prefer to reuse tested exploitation code rather than develop new techniques from scratch.

The discovery of links between RansomHub and established ransomware gangs through shared tooling highlights the complex and interconnected nature of the ransomware ecosystem.

Ransomware Gangs
RansomHub’s DLS

It suggests that even well-established gangs operating under closed RaaS models may be collaborating with newer entrants like RansomHub.

This research also demonstrates how tracking the use of specific tools like EDRKillShifter can help identify connections between seemingly disparate ransomware operations.

Such insights could prove valuable for law enforcement efforts aimed at disrupting ransomware networks.

As ransomware groups continue to evolve their tactics, the inclusion of EDR killers in RaaS offerings may become more common.

This trend poses additional challenges for defenders and underscores the importance of comprehensive security strategies that go beyond traditional endpoint protection measures.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...