Shifting the sands of RansomHub's EDRKillShifter
March 27, 2025, 2:21 p.m.
Description
ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers leverage the widespread adoption of EDRKillShifter to track affiliate activities across multiple gangs and reconstruct its development timeline. The article also discusses the rise of EDR killers in ransomware attacks and provides insights into their anatomy and defense strategies. Despite disruptions to major ransomware groups, new threats like RansomHub quickly filled the void, highlighting the need for continued vigilance and law enforcement efforts targeting both operators and affiliates.
Tags
Date
- Created: March 27, 2025, 11:03 a.m.
- Published: March 27, 2025, 11:03 a.m.
- Modified: March 27, 2025, 2:21 p.m.
Attack Patterns
- ScRansom
- Grixba
- EDRKillShifter
- SystemBC
- RansomHub
Additional Information
- Automotive
- Hospitality
- Technology
- Legal
- Government
- Manufacturing
- Cuba
- China
- United States of America