EDR Killer Links RansomHub With Play, Medusa, BianLian Gangs
Summary:
ESET researchers have uncovered that a custom security evasion tool developed by the RansomHub ransomware group has been used in attacks linked to three additional cybercrime gangs: Play, Medusa, and BianLian. The tool, known as EDRKillShifter, was originally created for RansomHub’s ransomware-as-a-service (RaaS) affiliates to disable endpoint detection and response (EDR) software by exploiting vulnerable drivers. It uses a bring-your-own-vulnerable-driver (BYOVD) approach, in which attackers load legitimately signed but exploitable drivers onto compromised systems to bypass security mechanisms. First observed on May 8, 2024, EDRKillShifter comes in multiple variants that abuse drivers such as RentDrv2 and ThreatFireMonitor using publicly available exploits.
Unlike typical RaaS models, where affiliates are expected to find their own ways to evade detection, RansomHub offers EDRKillShifter directly as part of its toolkit. The tool requires a 64-character password from RansomHub to run, making it difficult for researchers to analyze. While each encryption payload is unique to a victim, EDRKillShifter samples are reused across attacks, allowing ESET to track their deployment.
Through this reuse, ESET identified a single threat actor, referred to as QuadSwitcher, who conducted attacks on behalf of RansomHub, Play, Medusa, and BianLian. These attacks shared common elements, including two EDRKillShifter samples and command-and-control infrastructure hosting the EDR killer, a Windows kernel modification tool called WKTools, and the SOCKS5 proxy malware SystemBC. The incidents included attacks on European manufacturing and automotive firms by RansomHub in July 2024, a BianLian-claimed attack on a North American legal company the same month, a Play-claimed attack on a North American manufacturing company in August 2024, and a Medusa-claimed attack on a Western European tech company in August 2024. QuadSwitcher also used a backdoor typically associated with BianLian and techniques commonly used by the Play ransomware group, further linking the actor to the broader campaign.
Security Officer Comments:
ESET notes that both Play and BianLian use closed RaaS models, meaning only trusted insiders carry out attacks rather than openly recruiting affiliates. This suggests that members of these groups may be collaborating with or transitioning to RansomHub to take advantage of its tools. The report also emphasizes a broader trend: ransomware affiliates are increasingly relying on EDR killers to disable security tools and avoid detection. These tools often leverage BYOVD techniques using public proof-of-concept exploits such as BadRentdrv2 for RentDrv2 and TFSysMon-Killer for ThreatFireMonitor. Some also use "living off the land" techniques to exploit vulnerable drivers already present on victim machines. Although providing EDR killers directly to affiliates is uncommon, RansomHub is not the only group to do so. For example, Embargo ransomware released its own tool, MS4Killer, in October 2024, based on a publicly available exploit.
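Because BYOVD drivers carry a valid signature, a signature check alone will not surface them; what a defender can watch is the driver-load event itself. The following detection routine is an added example (not ESET's tooling or anything from the report) that scans Sysmon Event ID 6 (DriverLoad) records for drivers on a watchlist covering the two driver families named above, and raises the severity when the driver is loaded from outside the system driver directory, which distinguishes a dropped driver from the "living off the land" case of an already-installed one. The driver file names (rentdrv2.sys, tfsysmon.sys), the sample events and the hash values are constructed assumptions; a production rule should key on the SHA-256 hashes from Microsoft's vulnerable driver blocklist rather than on file names, since the attacker controls the name on disk.

```python
"""Flag Sysmon DriverLoad (Event ID 6) records for drivers on a BYOVD watchlist.

Added example, not code from the report or from any ransomware tooling.
Driver file names, sample events and hashes below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed on-disk names for the drivers the report names; placeholders only.
WATCHLIST = {
    "rentdrv2.sys": "RentDrv2 (public BadRentdrv2 proof of concept)",
    "tfsysmon.sys": "ThreatFireMonitor (public TFSysMon-Killer proof of concept)",
}

# Where legitimately installed drivers normally live. A watchlisted driver
# loaded from anywhere else (ProgramData, user temp) was almost certainly dropped.
SYSTEM_DRIVER_DIRS = ("C:\\Windows\\System32\\drivers",)


@dataclass
class DriverLoad:
    """The Sysmon Event ID 6 fields this check needs."""
    utc_time: str
    image_loaded: str
    hashes: dict          # e.g. {"SHA256": "...", "IMPHASH": "..."}
    signed: bool
    signature: str
    signature_status: str


def parse_hashes(field: str) -> dict:
    """Sysmon writes hashes as 'SHA256=<hex>,IMPHASH=<hex>'; split into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def parse_sysmon_event6(event: dict) -> DriverLoad:
    """Map a raw Event ID 6 record (field names as Sysmon emits them) to DriverLoad."""
    return DriverLoad(
        utc_time=event["UtcTime"],
        image_loaded=event["ImageLoaded"],
        hashes=parse_hashes(event.get("Hashes", "")),
        signed=str(event.get("Signed", "")).lower() == "true",
        signature=event.get("Signature", ""),
        signature_status=event.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> dict | None:
    """Return an alert dict if the driver is watchlisted, else None.

    A valid signature does not clear the driver: BYOVD relies on exactly that.
    """
    name = PureWindowsPath(load.image_loaded).name.lower()
    if name not in WATCHLIST:
        return None
    path = load.image_loaded.lower()
    in_system_dir = any(path.startswith(d.lower() + "\\") for d in SYSTEM_DRIVER_DIRS)
    return {
        "time": load.utc_time,
        "driver": name,
        "path": load.image_loaded,
        "reason": WATCHLIST[name],
        # Dropped into a non-standard directory: high. Already installed: medium,
        # still worth triage because the driver is exploitable where it sits.
        "severity": "medium" if in_system_dir else "high",
        "sha256": load.hashes.get("SHA256", ""),
        "signature_status": load.signature_status,
    }


def scan(events: list) -> list:
    """Run assess() over raw Event ID 6 records, keeping only alerts."""
    alerts = []
    for raw in events:
        alert = assess(parse_sysmon_event6(raw))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records; none of these values come from a real host.
SAMPLE_EVENTS = [
    {   # benign signed driver from the system driver directory
        "UtcTime": "2024-07-15 09:12:01.100",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\vmci.sys",
        "Hashes": "SHA256=CONSTRUCTED0001,IMPHASH=CONSTRUCTEDA",
        "Signed": "true", "Signature": "PLACEHOLDER PUBLISHER", "SignatureStatus": "Valid",
    },
    {   # watchlisted driver dropped into ProgramData, still validly signed
        "UtcTime": "2024-07-15 09:14:33.420",
        "ImageLoaded": "C:\\ProgramData\\rentdrv2.sys",
        "Hashes": "SHA256=CONSTRUCTED0002,IMPHASH=CONSTRUCTEDB",
        "Signed": "true", "Signature": "PLACEHOLDER PUBLISHER", "SignatureStatus": "Valid",
    },
    {   # watchlisted driver already present in the system directory
        "UtcTime": "2024-07-15 09:20:05.003",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\TfSysMon.sys",
        "Hashes": "SHA256=CONSTRUCTED0003,IMPHASH=CONSTRUCTEDC",
        "Signed": "true", "Signature": "PLACEHOLDER PUBLISHER", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['path']} -> {a['reason']}")
```

The check deliberately ignores the `Signed`/`SignatureStatus` fields when deciding whether to alert; they are carried through for the analyst because a valid signature on a known-exploitable driver is the expected shape of a BYOVD load, not evidence of a false positive. Pairing this with the hash-based Microsoft blocklist (or enforcing that blocklist through WDAC/HVCI so the load is refused rather than merely logged) covers renamed copies of the same driver.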
Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.scworld.com/news/edr-killer-use-links-ransomhub-with-play-medusa-bianlian-gangs