
The new analysis reveals connections between RansomHub affiliates and other ransomware groups such as Medusa, BianLian and Play.
According to ESET, the connection is attributed to the use of a custom tool designed to disable endpoint detection and response (EDR) software on compromised hosts. The EDR-killing tool, known as EDRKillShifter, was first documented in use by RansomHub actors in August 2024.
EDRKillShifter achieves its goal through a known tactic called Bring Your Own Vulnerable Driver (BYOVD), which involves using legitimate but vulnerable drivers to terminate the security solutions that protect endpoints.

The idea behind using such a tool is to ensure smooth execution of the ransomware encryptor without it being flagged by security solutions.
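The BYOVD EDR-killer pattern described above leaves a recognisable trace in endpoint telemetry: a driver loaded from an unusual location, followed shortly by the termination of security-product processes on the same host. The following correlation rule, written for this article as an added example and not taken from ESET's report, flags that sequence; the event shape, the log lines, the driver path and the process-name list are all constructed placeholders, not real indicators.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, host, event type, detail).
SAMPLE_EVENTS = [
    ("2025-03-26T10:00:01", "ws01", "driver_load", r"C:\Windows\System32\drivers\tcpip.sys"),
    ("2025-03-26T10:02:10", "ws01", "driver_load", r"C:\Users\Public\Temp\PLACEHOLDER_DRIVER.sys"),
    ("2025-03-26T10:02:14", "ws01", "process_terminate", "MsMpEng.exe"),
    ("2025-03-26T10:02:15", "ws01", "process_terminate", "ekrn.exe"),
    ("2025-03-26T10:30:00", "ws02", "process_terminate", "notepad.exe"),
]

# Hypothetical security-product process names; take the real list from your EDR vendor.
SECURITY_PROCESSES = {"msmpeng.exe", "ekrn.exe", "sentinelagent.exe"}
# Drivers loaded from outside the system driver directory deserve a closer look.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def is_suspicious_driver_path(path: str) -> bool:
    """A driver image outside the trusted directory is unusual for a legitimate install."""
    return not path.lower().startswith(TRUSTED_DRIVER_DIR)


def detect_edr_killer(events, window_seconds: int = 60):
    """Return one alert per suspicious driver load that is followed, within
    window_seconds and on the same host, by security-process terminations."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), host, kind, detail) for ts, host, kind, detail in events),
        key=lambda e: e[0],
    )
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ts, host, kind, detail in parsed:
        if kind != "driver_load" or not is_suspicious_driver_path(detail):
            continue
        killed = [
            d for t, h, k, d in parsed
            if h == host and k == "process_terminate"
            and ts <= t <= ts + window and d.lower() in SECURITY_PROCESSES
        ]
        if killed:
            alerts.append({"host": host, "driver": detail, "killed": killed, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_killer(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: {alert['driver']} loaded, then killed {alert['killed']}")
```

In production the same rule would read Sysmon driver-load and process-termination events rather than the inline tuples, and a driver-signature check (publisher, revoked certificate) would be the natural second condition.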
“During the intrusion, the goal of the affiliate is to obtain admin or domain admin privileges,” ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News.
“Ransomware operators tend not to make major updates to their encryptors, as doing so introduces flaws that can cause problems and ultimately damage their reputation. As a result, security vendors detect encryptors very well.”

What is noteworthy here is that the bespoke tool developed by the RansomHub operators and provided to their affiliates – a rare phenomenon in itself – has been used in other ransomware attacks linked to Medusa, BianLian and Play.
This aspect assumes special importance in light of the fact that both Play and BianLian operate under a closed RaaS model. Their partnerships are based on long-term mutual trust, as the operators are not actively looking to recruit new affiliates.
“The trusted members of Play and Bianlian have even worked together with newly emerging rivals like Ransomhub, and have since reused the tools they received from those rivals in their own attacks,” ESET theorized. “This is particularly interesting as these closed gangs usually employ a fairly consistent set of core tools during intrusions.”
All of these ransomware attacks are suspected to have been carried out by the same threat actor, tracked as QuadSwitcher. QuadSwitcher may be most closely related to Play, given the similarity of its tradecraft to that usually associated with Play intrusions.
EDRKillShifter has also been observed in use by another individual ransomware affiliate, known as CosmicBeetle, as part of three different RansomHub and fake LockBit attacks.

The development comes amid a surge in ransomware attacks that use the BYOVD technique to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was found to neutralize security software using a program called MS4Killer. Earlier this month, the Medusa ransomware crew was linked to a malicious driver codenamed ABYSSWORKER.
“Threat actors need administrator privileges to deploy EDR killers, so ideally they should detect and mitigate their presence before reaching that point,” ESET said.
“Users, especially in corporate environments, should ensure that detection of potentially unsafe applications is enabled, which will prevent the installation of vulnerable drivers.”