A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play.
The connection stems from the use of a custom tool that’s designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in August 2024.
EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints.
The idea with using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions.
“During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges,” ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News.
“Ransomware operators tend not to do major updates of their encryptors too often due to the risk of introducing a flaw that could cause issues, ultimately damaging their reputation. As a result, security vendors detect the encryptors quite well, which the affiliates react to by using EDR killers to ‘get rid of’ the security solution just before executing the encryptor.”
What’s notable here is that a bespoke tool developed by the operators of RansomHub and offered to its affiliates – something of a rare phenomenon in itself – is being used in other ransomware attacks associated with Medusa, BianLian, and Play.
This aspect assumes special significance in light of the fact that both Play and BianLian operate under the closed RaaS model, wherein the operators are not actively looking to hire new affiliates and their partnerships are based on long-term mutual trust.
“Trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks,” ESET theorized. “This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions.”
It’s being suspected that all these ransomware attacks have been carried out by the same threat actor, dubbed QuadSwitcher, who is likely related to Play the closest owing to similarities in tradecraft typically associated with Play intrusions.
EDRKillShifter has also been observed being used by another individual ransomware affiliate known as CosmicBeetle as part of three different RansomHub and fake LockBit attacks.
The development comes amid a surge in ransomware attacks using BYOVD techniques to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was discovered using a program called MS4Killer to neutralize security software. As recently as this month, the Medusa ransomware crew has been linked to a custom malicious driver codenamed ABYSSWORKER.
“Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point,” ESET said.
“Users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers.”
