RansomHub’s EDRKillShifter Tool Linked to Medusa, BianLian, and Play Ransomware Groups
Introduction
A recent analysis has revealed connections between affiliates of the RansomHub ransomware group and other notorious groups, including Medusa, BianLian, and Play. This connection is attributed to the use of a custom tool designed to disable endpoint detection and response (EDR) software on compromised hosts.
The EDRKillShifter Tool
The EDR killing tool, dubbed EDRKillShifter, was first documented in August 2024 as being used by RansomHub actors. This tool accomplishes its goals through a known tactic called Bring Your Own Vulnerable Driver (BYOVD), which involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints.
Connections to Other Ransomware Groups
The use of EDRKillShifter has been linked to other ransomware attacks associated with Medusa, BianLian, and Play. This is notable, as a bespoke tool developed by the operators of RansomHub and offered to its affiliates is being used in other ransomware attacks. It is especially significant because both Play and BianLian operate under the closed RaaS model, in which the operators are not actively recruiting new affiliates and partnerships rest on long-term mutual trust.
Implications
ESET researchers have theorized that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions.
Suspected Threat Actor
It is suspected that all these ransomware attacks have been carried out by the same threat actor, dubbed QuadSwitcher, who is likely related to Play due to similarities in tradecraft typically associated with Play intrusions.
Additional Findings
EDRKillShifter has also been observed being used by another individual ransomware affiliate known as CosmicBeetle as part of three different RansomHub and fake LockBit attacks.
Surge in Ransomware Attacks
The development comes amid a surge in ransomware attacks using BYOVD techniques to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was discovered using a program called MS4Killer to neutralize security software. As recently as this month, the Medusa ransomware crew has been linked to a custom malicious driver codenamed ABYSSWORKER.
Recommendations
ESET has advised that threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point. Users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled to prevent the installation of vulnerable drivers.
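The BYOVD pattern described above (a vulnerable driver is loaded, then the security agent is terminated) and ESET's advice to catch the intrusion early lend themselves to a simple correlation rule over endpoint telemetry. The following is an added example, not code from the article or from ESET; the driver hashes, process names and log format are constructed placeholders.

```python
"""Added example (not the article's or ESET's): correlate a blocklisted or unsigned
driver load with EDR-agent process kills shortly after (the BYOVD EDR-killer pattern)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

VULNERABLE_DRIVER_HASHES = {"placeholder_vulnerable_driver_sha256"}  # constructed
EDR_PROCESS_NAMES = {"edr_agent.exe", "edr_sensor.exe"}  # constructed agent names
WINDOW = timedelta(minutes=5)  # how soon after the load the kills must occur

@dataclass
class Event:
    ts: datetime
    kind: str     # "driver_load" or "process_terminate"
    detail: str   # sha256 for driver loads, image name for terminations
    signed: bool  # driver signature status; terminations default to True

def parse(line):
    """Constructed format: <ISO ts>|driver_load|<sha256>|signed|unsigned
    or <ISO ts>|process_terminate|<image name>."""
    ts, kind, detail, *rest = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, detail.lower(), "unsigned" not in rest)

def detect_edr_killer(lines):
    """Return (load time, driver hash, [killed EDR processes]) per suspicious load."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for load in events:
        if load.kind != "driver_load":
            continue
        if load.signed and load.detail not in VULNERABLE_DRIVER_HASHES:
            continue  # signed and not blocklisted: nothing to correlate
        killed = [e.detail for e in events
                  if e.kind == "process_terminate" and e.detail in EDR_PROCESS_NAMES
                  and load.ts <= e.ts <= load.ts + WINDOW]
        if killed:
            alerts.append((load.ts, load.detail, killed))
    return alerts

# Constructed telemetry: a benign load, then a blocklisted load followed by the
# EDR processes being terminated, then an unrelated termination outside the window.
SAMPLE_LOG = """\
2025-03-20T10:00:00|driver_load|placeholder_benign_driver_sha256|signed
2025-03-20T10:01:00|driver_load|placeholder_vulnerable_driver_sha256|signed
2025-03-20T10:01:30|process_terminate|edr_sensor.exe
2025-03-20T10:01:31|process_terminate|edr_agent.exe
2025-03-20T10:30:00|process_terminate|notepad.exe
"""

def run_sample():
    return detect_edr_killer(SAMPLE_LOG.splitlines())
```

Because the driver load itself requires administrative rights, the same rule can be paired with an alert on the privilege escalation that precedes it, which is the earlier point at which ESET recommends intervening.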