In 2024, ESET researchers conducted a thorough analysis of the evolving ransomware ecosystem, delving into the rise of RansomHub, a newly emerged ransomware-as-a-service (RaaS) gang that quickly dominated the scene. Through their research, they discovered significant connections between RansomHub and established gangs like Play, Medusa, and BianLian.
RansomHub emerged shortly before the law-enforcement-led Operation Cronos and swiftly gained notoriety in the ransomware landscape. By analyzing the tooling RansomHub offers its affiliates, the researchers were able to establish clear links between RansomHub and its rivals, while the trail of victims posted on dedicated leak sites (DLSs) evidenced RansomHub’s dominance in the ransomware arena.
The blogpost also shed light on the emergence of EDRKillShifter, a custom EDR killer developed and maintained by RansomHub to bypass security solutions and facilitate ransomware attacks. EDRKillShifter quickly gained popularity among ransomware affiliates, who found it to be an effective tool in evading detection and executing ransomware payloads.
Furthermore, the researchers detailed the recruitment phase initiated by RansomHub, highlighting the low entry barrier for affiliates and the various ways in which individuals could enter the RaaS program. Noteworthy was the change in affiliate rules after a breach by security researchers, which introduced a US$5,000 deposit requirement for aspiring affiliates.
The blogpost also touched upon the anatomy of EDR killers, explaining how these tools disable security products on victim systems and pave the way for successful ransomware attacks. The rise of EDR killers in the ransomware landscape poses unique challenges for defenders, requiring a proactive approach to detecting and mitigating these threats.
Additionally, the researchers explored the deployment of EDRKillShifter by a threat actor referred to as QuadSwitcher, who was identified as working for multiple rival gangs simultaneously, including Play, Medusa, and BianLian. This discovery highlighted the interconnected nature of ransomware operations and the collaboration between threat actors associated with different ransomware gangs.
Ultimately, the blogpost emphasized the need for continued vigilance and collaborative efforts to combat ransomware threats effectively. By understanding the tactics and tooling used by ransomware gangs like RansomHub, researchers and defenders can better prepare and respond to evolving cyber threats.
As ransomware attacks continue to evolve and proliferate, the insights provided by ESET researchers serve as a valuable resource for understanding the dynamics of the ransomware ecosystem and developing effective strategies to counter these persistent threats.