Tools designed to disable endpoint detection and response (EDR) solutions are making their way to the arsenal of more and more ransomware gangs, ESET concluded during an investigation into a link between several well-known groups.
Following the demise of the LockBit and BlackCat ransomware groups in 2024, new threat actors rose to fame, including RansomHub, a ransomware-as-a-service (RaaS) organization that emerged in February 2024.
As ransomware affiliates migrated from different groups to it, such as the BlackCat affiliate allegedly behind the Change Healthcare hack, RansomHub became and remained the dominating threat on the landscape.
In May 2024, the group added to its arsenal EDRKillShifter, a custom EDR killer tool targeting numerous security solutions that relies on a password to protect the shellcode acting as a middle layer during its execution.
EDR killers are executed on a victim’s network to blind, corrupt, or terminate any security solution running on the local endpoints. While simple scripts can be used, more sophisticated tools deploy vulnerable drivers they then abuse to perform the malicious activity.
RansomHub made EDRKillShifter available to its affiliates through the RaaS panel they had access to, but ESET observed it being used in attacks involving other ransomware variants, including Play, Medusa, and BianLian.
Because BianLian and Play are rather closed ransomware operations, their access to EDRKillShifter suggests that they might be collaborating with RansomHub, repurposing the RaaS’s tools in their attacks.
“We believe with high confidence that all these attacks were performed by the same threat actor, working as an affiliate of the four ransomware gangs,” ESET notes, referring to the threat actor as QuadSwitcher.
Other ransomware affiliates too were seen using EDRKillShifter, ESET says, adding that this is not the only tool that threat actors have been employing to disable security software. In fact, it says, there has been “an increase in the variety of EDR killers used by ransomware affiliates”.
The increased use of EDR killers is seen as a reaction to security solutions being more effective at detecting file-encrypting malware. The encryptors, ESET notes, rarely received major updates, to avoid the risk of introducing flaws.
The cybersecurity firm also notes that, while there are over 1,700 vulnerable drivers that EDR killer solutions could use, only a handful of them are abused, as there is tested code targeting them and threat actors do not have to write new code from scratch.
Aside from RansomHub, only one other RaaS operator has been observed adding an EDR killer to its offering, namely Embargo, which only has 14 victims listed on its leak site. Dubbed MS4Killer, its tool is based on public proof-of-concept (PoC) code.
Related: Medusa Ransomware Uses Malicious Driver to Disable Security Tools
Related: New Ransomware Group Claims Attack on US Telecom Firm WideOpenWest
