Hackers Repurpose RansomHub's EDRKillShifter in BianLian and Play Attacks

April 27, 2025 | Ravie Lakshmanan | Endpoint Security / Ransomware

New research has established connections between affiliates of RansomHub and those behind the Play, BianLian, and Medusa ransomware operations.

According to ESET, the link stems from the use of a custom tool built to disable endpoint detection and response (EDR) software on compromised hosts. EDRKillShifter, an EDR killer, was first observed being used by RansomHub affiliates in August 2024.

EDRKillShifter achieves its goal through the well-known bring-your-own-vulnerable-driver (BYOVD) technique: it loads a legitimate but vulnerable driver and abuses it to terminate the security solutions protecting the endpoint.

The point of using such tools is to ensure that the ransomware encryptor runs cleanly, without being stopped by the security software on the host.

In a statement shared with The Hacker News, ESET researchers Jakub Souček and Jan Holman said that an affiliate's goal during an intrusion is to obtain administrator or domain admin privileges.

Ransomware developers don't update their encryptors frequently, because they run the risk of introducing bugs that could harm their reputation. Security vendors are therefore able to detect the encryptors fairly well, which the affiliates counter by using EDR killers to "get rid of" the security solution just before the encryptor is executed.

What is notable here is that a custom tool created by RansomHub's operators and distributed to its affiliates is being used in unrelated ransomware attacks involving Play, BianLian, and Medusa. That in itself is a rare occurrence.

The finding carries extra weight because both Play and BianLian operate under a closed RaaS model, in which the operators are not actively recruiting new affiliates and their partnerships rest on long-term mutual trust.

ESET theorized that "trusted members of Play and BianLian are collaborating with adversaries, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those competitors in their own attacks." This is particularly intriguing because such tightly controlled gangs normally rely on a fixed set of core tools for their intrusions.

The threat actor responsible for all of these ransomware attacks is tracked as QuadSwitcher and, based on tradecraft commonly associated with Play intrusions, is assessed to be most closely linked to Play.

In addition, another ransomware affiliate has been observed using EDRKillShifter in three separate attacks that impersonated LockBit and RansomHub.

The development comes amid a rise in ransomware attacks that deploy EDR killers on compromised hosts. Embargo, a ransomware group, was discovered last year using a tool of its own to disable security software, and the Medusa ransomware crew has been linked to a custom malicious driver as recently as this quarter.

Threat actors need administrative privileges to deploy an EDR killer, but ideally their presence should be detected and mitigated before they reach that point, according to ESET.

Users should make sure that detection of potentially unsafe applications is enabled, particularly in business environments. This can prevent vulnerable drivers from being installed in the first place.
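As an added illustration (not code from ESET or The Hacker News), the following Python flags the BYOVD pattern described above, a suspicious driver load followed shortly by a security product's process ending, from simplified Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records; the blocklist hash, the security process names and the sample events are constructed assumptions.

```python
# Added example (not ESET's or The Hacker News' code). Flags the BYOVD EDR-killer
# pattern: a suspicious driver load followed shortly by a security process ending.
from datetime import datetime, timedelta

# Assumptions: a blocklist of driver hashes (constructed placeholder, not a real
# indicator) and the image names of the security products on the endpoint.
BLOCKED_DRIVER_SHA256 = {"placeholder_sha256_of_known_vulnerable_driver"}
SECURITY_PROCESSES = {"msmpeng.exe", "edr-agent.exe"}
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\downloads\\")  # unusual for a driver

def driver_load_reasons(event):
    """Sysmon Event ID 6 (DriverLoad), simplified: why this load looks like BYOVD."""
    reasons = []
    if event.get("SHA256", "").lower() in BLOCKED_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("Signed", "true").lower() != "true":
        reasons.append("driver not signed")
    if any(d in event["ImageLoaded"].lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    return reasons

def detect_edr_killer(events, window_seconds=120):
    """Return (driver path, process, reasons) for each security process that ended
    (Sysmon Event ID 5) within window_seconds after a suspicious driver load."""
    loads = [(datetime.fromisoformat(e["UtcTime"]), e, driver_load_reasons(e))
             for e in events if e["EventID"] == 6]
    alerts = []
    for e in events:
        if e["EventID"] != 5:
            continue
        proc = e["Image"].rsplit("\\", 1)[-1].lower()
        if proc not in SECURITY_PROCESSES:
            continue
        t = datetime.fromisoformat(e["UtcTime"])
        for t_load, load, reasons in loads:
            if reasons and timedelta(0) <= t - t_load <= timedelta(seconds=window_seconds):
                alerts.append((load["ImageLoaded"], proc, reasons))
    return alerts

# Constructed sample: a benign driver, then a blocklisted driver dropped under
# C:\Users, and the AV service process ending 32 seconds later.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-04-27 10:00:00", "Signed": "true", "SHA256": "benign",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 6, "UtcTime": "2025-04-27 10:01:10", "Signed": "true",
     "SHA256": "placeholder_sha256_of_known_vulnerable_driver",
     "ImageLoaded": "C:\\Users\\Public\\vuln.sys"},
    {"EventID": 5, "UtcTime": "2025-04-27 10:01:42",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
]
```

Feeding real Sysmon events requires mapping the Hashes field (a "SHA256=..." string) and the Signed field into the simplified keys used here; the time window is a tuning knob, not a fixed threshold.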
