A new analysis has revealed connections between RansomHub affiliates and several notorious ransomware groups, including Medusa, BianLian, and Play. The findings, reported by ESET, indicate that these groups are utilizing a custom tool designed to disable endpoint detection and response (EDR) software on compromised hosts. This EDR-killing tool, known as EDRKillShifter, was first documented being used by RansomHub actors back in August 2024.
EDRKillShifter relies on a tactic called Bring Your Own Vulnerable Driver (BYOVD): it loads a legitimate but vulnerable driver and abuses it to terminate the security software protecting the endpoint. According to ESET researchers Jakub Souček and Jan Holman, the affiliate's primary objective during an intrusion is to gain admin or domain admin privileges so that the ransomware can be deployed without detection.
The use of a bespoke tool by RansomHub's operators is noteworthy because it points to collaboration among rival ransomware groups. ESET theorizes that members of the Play and BianLian groups, which operate under a closed Ransomware-as-a-Service (RaaS) model, are also working as affiliates of newer operations like RansomHub and repurposing the tools those rivals provide for their own attacks. This has raised concern among cybersecurity experts, since seasoned threat actors generally rely on a consistent set of core tools during their intrusions.
These coordinated attacks appear to trace back to a single threat actor, tracked as QuadSwitcher, who likely has the closest ties to Play given the overlap in their operational techniques. ESET also observed EDRKillShifter in use by another affiliate, known as CosmicBeetle, further underscoring how interconnected the threat landscape has become.
As ransomware attacks continue to proliferate, EDR killers like EDRKillShifter are becoming increasingly prominent. Notably, the Embargo ransomware group made headlines last year when it was found using a similar program, MS4Killer, to disable security measures, and the Medusa ransomware crew has recently been linked to another malicious driver named ABYSSWORKER.
In light of these developments, ESET recommends that users, particularly in corporate environments, keep detection of potentially unsafe applications enabled. Doing so can help block the installation of vulnerable drivers and improve overall security resilience.
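A defender's audit of the host-side controls that BYOVD tooling like EDRKillShifter depends on, as an added PowerShell example that is not from ESET or the original article; it assumes the Microsoft vulnerable-driver-blocklist registry value and the Win32_DeviceGuard class named in the comments, and an elevated session.

```powershell
# Added illustration, not from the ESET report: audit a Windows host for the
# conditions a BYOVD-style EDR killer depends on. Run from an elevated PowerShell.
# Assumptions: Windows 10/11, the VulnerableDriverBlocklistEnable value under
# CI\Config as documented by Microsoft, and HVCI status exposed via Win32_DeviceGuard.

# 1. Microsoft vulnerable driver blocklist: refuses known-abusable drivers at load time.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
Write-Host ("Vulnerable driver blocklist enabled: {0}" -f ($blocklist -eq 1))

# 2. HVCI (memory integrity): SecurityServicesRunning contains 2 when HVCI is active.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("HVCI running: {0}" -f $hvci)

# 3. Inventory running kernel drivers with signer and SHA-256 so that third-party
#    drivers can be compared against the Microsoft blocklist or a vendor's known-bad list.
function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports several path forms; normalise to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $file)) { return }   # skip unresolved paths
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $file
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }

# Drivers not signed by the Windows production signer are the ones worth reviewing;
# WHQL-attested third-party drivers show "Microsoft Windows Hardware Compatibility Publisher".
$drivers |
    Where-Object { $_.Signer -notlike 'CN=Microsoft Windows,*' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, SHA256 -AutoSize
```

A blocklist value other than 1 or an HVCI result of False means a vulnerable driver dropped by an intruder would load unhindered, so those two lines are the first thing to remediate.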