EDR killer links RansomHub with Play, Medusa, BianLian gangs

A security evasion tool from the RansomHub malware group has been used by ESET researchers to trace and connect attacks conducted by three other cybercrime groups.

The findings, published Wednesday, show how use of RansomHub’s custom endpoint detection and response (EDR) tool EDRKillShifter has expanded beyond the gang’s own ransomware-as-a-service (RaaS) program to reflect an overall increase in the use of EDR killers in ransomware attacks.

What is EDRKillShifter?

EDRKillShifter is a tool specifically developed by RansomHub for its RaaS affiliates to disrupt EDR software by abusing vulnerable drivers.

The tool, first introduced on May 8, 2024, uses the bring your own vulnerable driver (BYOVD) technique and comes in variants that abuse different vulnerable drivers with public exploits, including RentDrv2 and ThreatFireMonitor, according to Sophos.

“The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare,” ESET noted. “Affiliates are typically on their own to find ways to evade security products.”

Similar to RansomHub’s encryptor, EDRKillShifter requires a 64-character password provided by RansomHub to execute, making it difficult for security researchers to investigate the tool.

However, unlike the encryptor, which is uniquely generated for each attack based on a victim ID, the same EDRKillShifter sample may be used across multiple different attacks. This enabled researchers to track its use against different victims.

One affiliate, four gangs

Tracking the use of EDRKillShifter across different cyberattacks enabled ESET researchers to discover a link between RansomHub and three other rival ransomware and extortion gangs: Play, Medusa and BianLian.

The researchers found that a single threat actor, whom they dubbed QuadSwitcher, had conducted attacks on behalf of all four groups, all of which involved the use of EDRKillShifter.

The attacks were tied together by the use of two specific EDRKillShifter samples and two command and control (C2) servers, which were used to host the EDR Killer, the Windows kernel modification tool WKTools and the SOCKS5 proxy malware SystemBC in several attacks.

The attacks involving EDRKillShifter and linked to QuadSwitcher included RansomHub attacks against European manufacturing and automotive companies in July 2024, a BianLian-claimed attack against a North American legal company in July 2024, a Play-claimed attack against a North American manufacturing company in August 2024 and a Medusa-claimed attack against a Western European technology company in August 2024.

The same attacker was also spotted using a signature BianLian backdoor and tactics, techniques and procedures (TTPs) closely associated with the Play ransomware gang, further solidifying their associations with the different rival groups.

ESET noted that both BianLian and Play work under a closed RaaS model where only trusted members conduct attacks on behalf of the group rather than the gangs actively recruiting new affiliates. The researchers concluded that trusted members of these groups may have chosen to join or collaborate with RansomHub in order to repurpose its tools for their own attacks.

EDR killers gaining traction with ransomware affiliates

ESET’s report also notes that researchers have observed an increased use and variety of EDR killers among ransomware affiliates. Disrupting EDR software is a valuable tactic for RaaS affiliates, as signature RaaS encryptors can often be easily detected by such tools.

Many of these EDR killers used BYOVD tactics leveraging publicly available PoCs like BadRentdrv2 for Rentdrv2 and TFSysMon-Killer for ThreatFireMonitor. They may also use living-off-the-land (LOTL) exploits for potentially vulnerable drivers already present on the victim’s machine.

While providing affiliates with an EDR killer is not common among RaaS groups, RansomHub is not the only gang to do so; for example, Embargo ransomware published its own EDR killer in October 2024 called MS4Killer, which is based on a publicly available PoC, ESET noted.

Deploying an EDR killer requires an attacker to have already gained administrative access, making this tactic difficult to defend against once the intrusion has already reached this point. However, monitoring for potentially unsafe drivers that are commonly used by EDR killing tools is one measure that can be used to detect and prevent their use.
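One way to put that monitoring advice into practice, as an added example that is not part of the article or of ESET's or Sophos's research: a Python check that scores Sysmon Event ID 6 (DriverLoad) records against a driver blocklist and a load-path heuristic. The blocklist hashes are constructed placeholders, the driver file names rentdrv2.sys and tfsysmon.sys are assumed rather than taken from the article, and the sample records are constructed, not real captures.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed blocklist: the hashes are placeholders, not real indicator values.
BLOCKED_HASHES = {"0" * 63 + "1": "RentDrv2", "0" * 63 + "2": "ThreatFireMonitor"}
# Assumed file names for the two drivers the report names (not taken from the report).
BLOCKED_NAMES = {"rentdrv2.sys": "RentDrv2", "tfsysmon.sys": "ThreatFireMonitor"}
# Heuristic: Windows drivers normally load from these trees; a load elsewhere is worth a look.
SYSTEM_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_driver_load(event_xml):
    """Extract the fields of a Sysmon Event ID 6 (DriverLoad) record; None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {"image": data.get("ImageLoaded", ""), "sha256": hashes.get("SHA256", "").lower(),
            "signed": data.get("Signed", "").lower() == "true",
            "status": data.get("SignatureStatus", "")}

def assess_driver_load(event_xml):
    """List why a driver load looks like a BYOVD driver being staged; an empty list means clean."""
    rec = parse_driver_load(event_xml)
    if rec is None:
        return []
    reasons = []
    name = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if rec["sha256"] in BLOCKED_HASHES:
        reasons.append(f"hash matches blocklisted driver {BLOCKED_HASHES[rec['sha256']]}")
    if name in BLOCKED_NAMES:
        reasons.append(f"file name matches blocklisted driver {BLOCKED_NAMES[name]}")
    if not rec["image"].lower().startswith(SYSTEM_PREFIXES):
        reasons.append("driver loaded from outside the system driver directories")
    # A BYOVD driver carries a valid vendor signature, so this check alone never catches it.
    if not rec["signed"] or rec["status"] != "Valid":
        reasons.append("driver signature missing or invalid")
    return reasons

def _event(image, sha256):
    """Build a constructed record in the Sysmon Event ID 6 schema (sample data, not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>6</EventID></System><EventData>'
            f'<Data Name="ImageLoaded">{image}</Data><Data Name="Hashes">SHA256={sha256}</Data>'
            '<Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>')

SAMPLE_EVENTS = [_event(r"C:\Users\Public\rentdrv2.sys", "0" * 63 + "1"),   # staged killer driver
                 _event(r"C:\Windows\System32\drivers\ntfs.sys", "ab" * 32)]  # benign system driver
```

Feeding the first sample to `assess_driver_load` yields three reasons (hash, file name and load path), while the benign system driver yields none; in production the blocklist would be populated from the vendor's vulnerable-driver list rather than placeholders.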
