
The research highlights connections between gangs active in the ransomware scene and the evolution of tools designed to evade security systems
Researchers at ESET, a global European leader in the cybersecurity market, have analyzed the most recent changes in the ransomware ecosystem, focusing on RansomHub, a new Ransomware-as-a-Service (RaaS) gang that emerged in 2024 and quickly became dominant. The report offers an unprecedented overview of the affiliate structure and reveals direct connections with already established groups such as Play, Medusa and BianLian. The analysis also examines the growing use of Endpoint Detection and Response (EDR) killers, with particular attention to EDRKillShifter, a tool developed and managed directly by RansomHub.
In 2024, the fight against ransomware reached two significant milestones: the disappearance of the LockBit and BlackCat gangs, previously among the most active, and a significant drop, of 35%, in documented payments. However, the number of victims published on leak sites (where data stolen from companies that do not pay the ransom is publicly exposed) increased by 15%, a rise largely attributable to RansomHub, which has been active since the period immediately following Operation Cronos, conducted by law enforcement against LockBit.
As with every new RaaS operation, RansomHub had to attract affiliates, advertising its services on the Russian-language forum RAMP in early February 2024, just eight days before the publication of the first victims' names. The group explicitly prohibits attacks against the countries of the Commonwealth of Independent States (CIS), Cuba, North Korea and China. A distinctive element of its offer is the promise made to affiliates: they receive the entire ransom amount directly in their own wallet, with the sole expectation that they voluntarily share 10% with the operators, a rather unusual formula.
In May, RansomHub operators introduced a significant update, presenting their custom EDR killer: EDRKillShifter. It is a type of malware designed to disable, neutralize or crash the security solutions on the victim's system, generally by exploiting vulnerable drivers.
EDRKillShifter was developed in-house and integrated into the toolkit made available by the group. Operationally it behaves like a typical EDR killer, designed to get around the protection software the group expects to find during its attacks. The choice to provide this tool directly to affiliates is rare: normally each affiliate must independently find a way to evade protection systems, reusing existing tools, adapting public proofs of concept or purchasing EDR killers available on the dark web. ESET observed a strong increase in the use of EDRKillShifter, even outside cases directly attributable to RansomHub.
The most advanced EDR killers consist of two elements: a user-mode component, responsible for coordination, and a legitimate but vulnerable driver. Execution is straightforward: the code installs the vulnerable driver (generally embedded in the malware itself), runs through a list of process names belonging to security software and sends the driver a command that triggers the vulnerability and terminates those processes from the kernel. "Defending yourself from EDR killers is complex. Cybercriminals need administrative privileges to install them, so the goal is to detect them and block them before they reach that point," explains Souček.
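As an added illustration of the detection point made above (this is not code from the ESET report), the following Python sketch correlates a driver load from outside the normal driver directory with the termination of security-software processes shortly afterwards, over constructed Sysmon-style records; the blocklist entry and the watched process names are assumptions for the example, not indicators from the report.

```python
"""Toy detector for the two-stage EDR killer pattern described above: a
driver dropped outside the normal driver directory, then security-software
processes terminated shortly after. Records mimic Sysmon Event ID 6
(DriverLoad) and 5 (ProcessTerminate); all sample data is constructed."""
from datetime import datetime, timedelta

BLOCKLISTED_SHA256 = {"PLACEHOLDER_VULNERABLE_DRIVER_SHA256"}  # assumed placeholder
SECURITY_PROCESSES = {"msmpeng.exe", "ekrn.exe"}  # assumed watchlist for the example
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(seconds=60)

def suspicious_driver(ev):
    """Reasons an Event ID 6 record looks like a dropped (BYOVD) driver."""
    reasons = []
    if not ev["ImageLoaded"].lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver loaded from non-standard path")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    hashes = dict(h.split("=", 1) for h in ev["Hashes"].split(","))
    if hashes.get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("driver hash on vulnerable-driver blocklist")
    return reasons

def detect_edr_killer(events):
    """Return (driver_path, reasons, killed) for each suspicious driver load
    followed by security-process terminations within WINDOW."""
    alerts, kills = [], [e for e in events if e["EventID"] == 5]
    for d in (e for e in events if e["EventID"] == 6):
        reasons = suspicious_driver(d)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(d["UtcTime"])
        killed = sorted({
            k["Image"].rsplit("\\", 1)[-1].lower() for k in kills
            if k["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
            and t0 <= datetime.fromisoformat(k["UtcTime"]) <= t0 + WINDOW})
        if killed:  # a driver load alone is weak; the kill sequence confirms it
            alerts.append((d["ImageLoaded"], reasons, killed))
    return alerts

SAMPLE_EVENTS = [  # constructed: one benign load, then the attack sequence
    {"EventID": 6, "UtcTime": "2024-05-10 12:00:00", "Hashes": "SHA256=aaaa", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
    {"EventID": 6, "UtcTime": "2024-05-10 12:01:00", "Hashes": "SHA256=bbbb", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": "C:\\Users\\Public\\updater.sys"},  # dropped
    {"EventID": 5, "UtcTime": "2024-05-10 12:01:05",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-05-10 12:01:07", "Image": "C:\\Windows\\notepad.exe"},
]
```

Note that the dropped driver here carries a valid signature, which is exactly why signature checks alone miss the BYOVD case and the path and kill-sequence correlation matter.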
ESET discovered that some RansomHub affiliates also work for three rival gangs: Play, Medusa and BianLian. The link with Medusa is not surprising, since it is known that affiliates often collaborate with multiple operators simultaneously. More unexpected is the sharing of tools between RansomHub, Play and BianLian: it is unlikely that the latter two have hired the same affiliate. A more plausible explanation is that trusted members of Play and BianLian are collaborating with RansomHub and reusing the tools obtained from it in their own attacks. It should also be remembered that Play was previously linked to the North Korean group Andariel.
For further technical details on RansomHub and EDRKillShifter, see the article "Shifting the sands of RansomHub's EDRKillShifter", published on the ESET Research blog at WeLiveSecurity.com. It is recommended to follow ESET Research on Twitter (now X) for updates on the latest ESET research.