ESET researchers have published an in-depth analysis highlighting significant shifts within the ransomware landscape, spotlighting the rise of RansomHub. This relatively new ransomware-as-a-service operation has quickly come to dominate the scene.
“The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped significantly by a stunning 35%. On the other hand, the recorded number of victims announced (to be outed publicly) on dedicated leak sites increased by roughly 15%. A big part of this increase is due to RansomHub, a new ransomware-as-a-service (RaaS) gang that emerged around the time of law-enforcement Operation Cronos, which disrupted LockBit activities,” says ESET researcher Jakub Souček, who investigated RansomHub.
Attracting affliates
Just as any emerging RaaS gang, RansomHub needed to attract affiliates — who rent ransomware services from operators — and since there is strength in numbers, the operators weren’t very picky.
The initial advertisement was posted on the Russian-speaking RAMP forum in early February 2024, eight days before the first victims were posted. RansomHub prohibits attacking nations from the post-Soviet Commonwealth of Independent States, Cuba, North Korea, or China. Interestingly, it lures affiliates in with the promise that they will receive the whole ransom payment to their wallet, and the operators trust the affiliates to share 10% with them, something quite unique.
EDRKillShifter
In May, RansomHub operators made a significant update: They introduced their own EDR killer — a special type of malware designed to terminate, blind, or crash the security product installed on a victim’s system — typically by abusing a vulnerable driver.
RansomHub’s EDR killer, named EDRKillShifter, is a custom tool developed and maintained by the gang. EDRKillShifter is offered to RansomHub affiliates. Functionality-wise, it is a typical EDR killer targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach.
“The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products — some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases,” explains Souček.
Advanced EDR killers consist of two parts — a user mode component responsible for orchestration (the killer code) and a legitimate, but vulnerable, driver. The execution is typically very straightforward — the killer code installs the vulnerable driver, typically embedded in its data or resources, iterates over a list of process names of security software, and issues a command to the vulnerable driver, resulting in triggering the vulnerability and killing the process from kernel mode.
“Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point,” adds Souček.
Multi-gang affiliations
ESET discovered that RansomHub’s affiliates are working for three rival gangs — Play, Medusa, and BianLian. Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators simultaneously.
Schematic overview of the links between Medusa, RansomHub, BianLian, and Play. Source: ESET
On the other hand, one way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs.
Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. Play has been linked to the North Korea-aligned group Andariel.
