
Shifting the sands of RansomHub’s EDRKillShifter

2025-03-26, ESET
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
#Andariel #Play

ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian.
We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed.
Finally, drawing on our observations following the law-enforcement-led Operation Cronos and the demise of the infamous BlackCat gang, we offer our insights into how defenders can contribute to the ongoing fight against ransomware.
Key points of this blogpost:
- We discovered clear links between the RansomHub, Play, Medusa, and BianLian ransomware gangs.
- We achieved …