CyberSecurity news


Aman Mishra @ gbhackers.com
ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. This link is established through the shared use of EDRKillShifter, a custom tool designed to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter utilizes a "Bring Your Own Vulnerable Driver" (BYOVD) tactic, leveraging a legitimate but vulnerable driver to terminate security solutions, ensuring the smooth execution of ransomware encryptors without detection.

This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program.



References :
  • DataBreaches.Net: The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
  • The Hacker News: Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
  • hackread.com: Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.
  • gbhackers.com: New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs
  • Cyber Security News: New Research Reveals RansomHub’s EDRKillShifter Connected to Major Ransomware Gangs
  • www.cybersecuritydive.com: Custom tool developed by RansomHub, dubbed "EDRKillShifter," is used by several other rival ransomware gangs.