ESET Research has released a new analysis highlighting significant shifts within the ransomware ecosystem, focusing on the rapid rise of the ransomware-as-a-service (RaaS) gang, RansomHub. The report outlines how this group has quickly become a dominant player in the field, and reveals connections between RansomHub and other major ransomware gangs, including Play, Medusa, and BianLian.
The findings also explore a concerning trend involving Endpoint Detection and Response (EDR) killers, specifically EDRKillShifter — a customised EDR killer tool created and distributed by RansomHub. ESET researchers have documented how this tool has contributed to growing threats in the cybersecurity landscape.
RansomHub rises after LockBit and BlackCat disappear
In 2024, the cybersecurity community witnessed two milestones. LockBit and BlackCat, once the leading ransomware gangs, were disrupted and ceased their operations. At the same time, there was a significant 35% drop in ransomware payment volumes, marking the first such decline since 2022. However, ESET noted a contrasting 15% increase in victim disclosures on leak sites, which was largely attributed to the emergence of RansomHub.
Jakub Souček, an ESET researcher involved in the investigation, explained that RansomHub appeared around the time of Operation Cronos, a law enforcement action targeting LockBit. Like most new RaaS gangs, RansomHub needed to attract affiliates — cybercriminals who rent ransomware services to carry out attacks. To do this, they posted recruitment messages on the Russian-speaking RAMP forum in early February 2024, with their first known victim posted just eight days later.
RansomHub’s affiliate programme includes a unique offer: affiliates receive the full ransom amount in their own wallets and are then trusted to voluntarily send 10% back to the operators. The group also restricts attacks on countries in the Commonwealth of Independent States (CIS), as well as Cuba, North Korea, and China.
EDRKillShifter offers new tools for attackers
In May 2024, RansomHub introduced a critical development in its arsenal — a bespoke EDR killer called EDRKillShifter. This type of malware is designed to disable or crash the security software on victims’ systems, usually by exploiting a vulnerable driver. By disabling protective tools, ransomware attacks can proceed without being detected or blocked.
Souček explained that while RaaS affiliates often rely on existing tools or proof-of-concept codes available on the dark web, RansomHub stood out by offering EDRKillShifter directly to its affiliates. “The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products,” he said.
EDRKillShifter works by combining two key components: a user-mode orchestrator and a vulnerable but legitimate driver. The user-mode code installs the driver, scans for known security processes, and then uses the driver to terminate those processes from kernel mode. According to Souček, “Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point.”
Links to Play, Medusa, and BianLian revealed
ESET’s analysis also reveals that RansomHub affiliates appear to be working across multiple ransomware groups. While it’s not uncommon for affiliates to collaborate with more than one operator, ESET found particularly striking overlaps involving Medusa, Play, and BianLian.
The connection to Medusa was expected, given the flexibility of many ransomware affiliates. However, the ties to Play and BianLian were more surprising, as both gangs are known for being more closed off. ESET suggests that these groups may be repurposing tools obtained from RansomHub, possibly through collaboration or shared trusted members. Notably, the Play group has previously been linked to the North Korean-aligned threat group Andariel.
More details about the investigation can be found in ESET Research’s full blog post, titled “Shifting the sands of RansomHub’s EDRKillShifter”, available on WeLiveSecurity.com. Updates and further insights are also shared regularly via ESET Research’s accounts on Twitter (now X), BlueSky, and Mastodon.
ESET continues its commitment to cyber protection
ESET remains a global leader in digital security, providing proactive protection through a combination of artificial intelligence and human expertise. Its solutions cover endpoints, cloud environments, and mobile platforms, with a focus on usability and real-time threat defence.
