New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs

ESET researchers have connections between the newly emerged ransomware-as-a-service (RaaS) group RansomHub and established ransomware gangs, including Play, Medusa, and BianLian.

Emerging Threat Actor Connects Multiple Ransomware Operations

The investigation centered on RansomHub’s custom EDR killer tool, EDRKillShifter, which has gained popularity among ransomware affiliates since its introduction in May 2024.

The research team identified a threat actor, dubbed QuadSwitcher, who deployed EDRKillShifter across multiple ransomware operations.

This actor utilized two specific EDRKillShifter samples (with SHA-1 hashes BF84712C5314DF2AA851B8D4356EA51A9AD50257 and 77DAF77D9D2A08CC22981C004689B870F74544B5) in attacks attributed to RansomHub, Play, Medusa, and BianLian between July and August 2024.

EDR Killers: A Rising Trend in Ransomware Attacks

EDRKillShifter represents a growing trend in the ransomware ecosystem the use of specialized tools designed to disable or evade endpoint detection and response (EDR) systems.

These EDR killers typically consist of a user-mode component for orchestration and a legitimate but vulnerable driver to execute malicious actions from kernel mode.

The researchers noted that while there are over 1,700 known vulnerable drivers, only a handful are commonly abused by EDR killers.

This suggests that threat actors prefer to reuse tested exploitation code rather than develop new techniques from scratch.

The discovery of links between RansomHub and established ransomware gangs through shared tooling highlights the complex and interconnected nature of the ransomware ecosystem.

It suggests that even well-established gangs operating under closed RaaS models may be collaborating with newer entrants like RansomHub.

This research also demonstrates how tracking the use of specific tools like EDRKillShifter can help identify connections between seemingly disparate ransomware operations.

Such insights could prove valuable for law enforcement efforts aimed at disrupting ransomware networks.

As ransomware groups continue to evolve their tactics, the inclusion of EDR killers in RaaS offerings may become more common.

This trend poses additional challenges for defenders and underscores the importance of comprehensive security strategies that go beyond traditional endpoint protection measures.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.