ESET researchers have a look again on the vital adjustments within the ransomware ecosystem in 2024 and deal with the newly emerged and at the moment dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share beforehand unpublished insights into RansomHub\u2019s affiliate construction and uncover clear connections between this newly emerged large and well-established gangs Play, Medusa, and BianLian.<\/p>\n
We additionally emphasize the rising risk of EDR killers, unmasking EDRKillShifter, a customized EDR killer developed and maintained by RansomHub. Now we have noticed a rise in ransomware associates utilizing code derived from publicly out there proofs of idea, whereas the set of drivers being abused is basically fastened.<\/p>\n
Lastly, primarily based on our observations following the law-enforcement-led Operation Cronos and the demise of the notorious BlackCat gang, we provide our insights into how one can help on this intensive struggle in opposition to ransomware.<\/p>\n
\nKey factors of this blogpost:<\/strong><\/p>\n
\n
- We found clear hyperlinks between the RansomHub, Play, Medusa, and BianLian ransomware gangs.<\/li>\n
- We achieved this by following the path of tooling that RansomHub gives its associates.<\/li>\n
- We doc extra findings about EDRKillShifter, correlating our observations with RansomHub\u2019s public exercise.<\/li>\n
- We provide insights into the rising risk of EDR killers, their anatomy, and their position within the ransomware world.<\/li>\n<\/ul>\n<\/blockquote>\n
Overview<\/h2>\n
The struggle in opposition to ransomware reached two milestones in 2024: LockBit<\/a> and BlackCat<\/a>, previously the highest two gangs, dropped out of the image. And for the primary time since 2022, recorded ransomware funds dropped, particularly by a gorgeous 35%<\/a> regardless of reverse expectations in the course of the yr<\/a>. Then again, the recorded variety of victims posted on devoted leak websites (DLSs) elevated by roughly 15%.<\/p>\n
An enormous a part of this improve is because of RansomHub, a brand new RaaS gang that emerged across the time of Operation Cronos<\/a>. On this blogpost, we glance in depth at RansomHub and reveal how we leveraged to our benefit the best way associates use RansomHub\u2019s tooling, permitting us to attract connections between RansomHub and its rivals, together with well-established ones like Play<\/a>, Medusa<\/a>, and BianLian<\/a>.<\/p>\n
All through this blogpost, we confer with entities forming the ransomware-as-a-service mannequin as follows:<\/p>\n
\n
- Operators<\/strong>, who develop the ransomware payload, keep the DLS, and provide companies to associates, often for a month-to-month charge and a proportion of the ransom cost (sometimes 5\u201320%).<\/li>\n
- Associates<\/strong>, who hire ransomware companies from operators, and deploy the encryptors to victims\u2019 networks and generally additionally follow information exfiltration.<\/li>\n<\/ul>\n
The rise of RansomHub<\/h2>\n
RansomHub introduced its first sufferer on its DLS (see Determine 1) on February 10th<\/sup>, 2024, 10 days earlier than the general public announcement of Operation Cronos. Whereas the gang\u2019s rise was gradual, it was additionally constant, and when \u2013 in April 2024 \u2013 RansomHub achieved probably the most sufferer postings of all lively ransomware teams (disregarding LockBit posting fakes<\/a>), it was clear that this was a gang to maintain an in depth eye on. Since then, RansomHub has dominated the ransomware scene.<\/p>\n
Determine 1. RansomHub\u2019s DLS<\/em><\/figcaption><\/figure>\n To additional reveal how harmful RansomHub is, let\u2019s examine it to LockBit. Determine 2 exhibits the day by day cumulative sum (on the y-axis) of recent victims posted on the DLS of LockBit vs. RansomHub, ranging from RansomHub\u2019s look in February 2024.<\/p>\n
Determine 2. Development of DLS posts by RansomHub and LockBit since RansomHub\u2019s look. Souce: ecrime.ch<\/a><\/em><\/figcaption><\/figure>\n As you may clearly see, whereas RansomHub began saying victims extra slowly, practically 9 months later the gang was capable of accumulate extra victims because it began than LockBit, and that development continues to today. Contemplating that each BlackCat and LockBit suffered large blows proper across the time RansomHub emerged, we are able to confidently assume that many expert associates migrated to RansomHub; Notchy<\/a>, the BlackCat affiliate who stole greater than 4 TB of knowledge from Change Healthcare, is only one publicly recognized instance.<\/p>\n
Determine 3 exhibits the ransom be aware that RansomHub associates depart on their victims\u2019 machines.<\/p>\n
We're the RansomHub.\n\nYour organization Servers are locked and Information has been taken to our servers. That is critical. \n\nExcellent news:\n- your server system and information shall be restored by our Decryption Device, we assist trial decryption to show that your recordsdata could be decrypted;\n- for now, your information is secured and safely saved on our server;\n- no person on the planet is conscious in regards to the information leak out of your firm besides you and RansomHub staff;\n- we offer free trial decryption for recordsdata smaller than 1MB. If anybody claims they will decrypt our recordsdata, you may ask them to attempt to decrypt a file bigger than 1MB.\n\nFAQs:\nWho we're?\n- Regular Browser Hyperlinks: https:\/\/ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly\/\n- Tor Browser Hyperlinks: http:\/\/ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion\/\n\nWish to go to authorities for defense?\n- Searching for their assistance will solely make the state of affairs worse,They may attempt to forestall you from negotiating with us, as a result of the negotiations will make them look incompetent,After the incident report is handed over to the federal government division, you may be fined,The federal government makes use of your high quality to reward them.And you'll not get something, and besides you and your organization, the remainder of the individuals will neglect what occurred!!!!!\n\nSuppose you may deal with it with out us by decrypting your servers and information utilizing some IT Answer from third-party \"specialists\"?\n- they'll solely make vital injury to your entire information; each encrypted file shall be corrupted endlessly. Solely our Decryption Device will make decryption assured; \n\nDo not go to restoration corporations, they're basically simply middlemen who will generate profits off you and cheat you. \n- We're nicely conscious of circumstances the place restoration corporations inform you that the ransom worth is 5 million {dollars}, however in truth they secretly negotiate with us for 1 million {dollars}, in order that they earn 4 million {dollars} from you. If you happen to approached us immediately with out intermediaries you'd pay 5 occasions much less, that's 1 million {dollars}.\n\nSuppose your companion IT Restoration Firm will do recordsdata restoration? \n- no they won't do restoration, solely take 3-4 weeks for nothing; apart from your entire information is on our servers and we are able to publish it at any time; \n in addition to ship the data in regards to the information breach out of your firm servers to your key companions and shoppers, rivals, media and youtubers, and so forth. \n These actions from our aspect in direction of your organization may have irreversible detrimental penalties for your small business status.\n\nYou do not care in any case, since you simply do not wish to pay? \n- We'll make you enterprise cease endlessly by utilizing all of our expertise to make your companions, shoppers, workers and whoever cooperates together with your firm change their minds by having no alternative however to keep away from your organization. \n In consequence, in midterm you'll have to shut your small business. \n\n\nSo lets get straight to the purpose.\n\nWhat do we provide in change in your cost:\n- decryption and restoration of all of your programs and information inside 24 hours with assure;\n- by no means inform anybody in regards to the information breach out out of your firm;\n- after information decryption and system restoration, we'll delete your entire information from our servers endlessly;\n- present priceless advising in your firm IT safety so nobody can assault your once more.```\n\nNow, with a purpose to begin negotiations, you should do the next: \n- set up and run 'Tor Browser' from https:\/\/www.torproject.org\/obtain\/\n- use 'Tor Browser' open http:\/\/ubfofxonwdb32wpcmgmcpfos5tdskfizdft6j54l76x3nrwu2idaigid.onion\/\n- enter your Consumer ID: [REDACTED]\n* don't leak your ID or you may be banned and can by no means be capable of decrypt your recordsdata.\n\nThere shall be no dangerous information to your firm after profitable negotiations for either side. However there shall be loads of these dangerous information if case of failed negotiations, so do not take into consideration how one can keep away from it.\nSimply deal with negotiations, cost and decryption to make your entire issues solved by our specialists inside 1 day after cost acquired: servers and information restored, every part will work good as new.\n\n************************************************<\/this><\/code><\/pre>\n Determine 3. RansomHub ransom be aware<\/em><\/p>\n
Recruiting section<\/h3>\n
Simply as any rising RaaS gang, RansomHub wanted to draw associates, and since there’s energy in numbers, the operators weren\u2019t very choosy. The preliminary commercial was posted on the Russian-speaking RAMP discussion board on February 2nd<\/sup>, 2024, eight days earlier than the primary victims had been posted. There are some things to notice in regards to the preliminary announcement:<\/p>\n
\n
- Associates can obtain ransoms with their very own pockets after which afterward pay the operator.<\/li>\n
- Associates get to maintain 90% of the ransom.<\/li>\n
- The encryptor is obfuscated and helps Home windows, Linux, and ESXi platforms.<\/li>\n
- RansomHub gives varied methods to enter its RaaS program:\n
\n
- Suggestion by an current affiliate.<\/li>\n
- Proof of status.<\/li>\n
- Proof of previous RaaS cooperation.<\/li>\n
- Paying a deposit that’s returned after first profitable cost.<\/li>\n<\/ul>\n<\/li>\n
- Attacking Commonwealth of Impartial States<\/a>, Cuba, North Korea, and China is prohibited.<\/li>\n
- Most well-liked communication is over qTox<\/a> utilizing the ID 4D598799696AD5399FABF7D40C4D1BE9F05D74CFB311047D7391AC0BF64BED47B56EEE66A528<\/span>.<\/li>\n<\/ul>\n
Ensures like receiving ransom cost on to the affiliate\u2019s pockets and retaining a beneficiant 90% actually sound promising, particularly within the chaos following the BlackCat and LockBit disruptions. Moreover, the entry barrier may be very low, permitting even low-skilled associates to attempt their luck.<\/p>\n
Additionally it is value mentioning that RansomHub\u2019s encryptor just isn’t written from scratch, however primarily based on repurposed code from Knight, a once-rival ransomware gang that bought its supply code<\/a> in February 2024. The associates request the encryptor (usually referred to as a locker by RaaS operators) by means of the net panel provided by RansomHub (as is typical for RaaS gangs); the part chargeable for producing the encryptor is usually known as a builder. As a result of data such because the distinctive sufferer ID is hardcoded within the encryptor, an affiliate must request a brand new one for each sufferer. RansomHub\u2019s builder provides an extra layer of safety to its encryptors, a 64-character password, with out which the encryptor doesn’t work. This password is exclusive for every pattern, generated by the builder, and recognized solely to the affiliate who requested the encryptor.<\/p>\n
On June 21st<\/sup>, 2024, RansomHub operators modified the affiliate guidelines in response to an alleged breach by safety researchers. In response, the operator now not allowed vouching by current members as ample and strictly required a US$ 5,000 deposit for aspiring associates. This was the final noteworthy message from the RansomHub operators. Nevertheless, between the preliminary announcement and this rule change, yet another necessary occasion occurred, which we dive into within the subsequent part.<\/p>\n
Increasing the arsenal \u2013 EDRKillShifter<\/h3>\n
On Could 8th<\/sup>, 2024, the RansomHub operators made a major replace \u2013 they launched their very own EDR killer, a particular sort of malware designed to terminate, blind, or crash the safety product put in on a vicim\u2019s system, sometimes by abusing a weak driver.<\/p>\n
RansomHub\u2019s EDR killer, named EDRKillShifter by Sophos<\/a>, is a customized instrument developed and maintained by the operator. EDRKillShifter is obtainable to RansomHub associates by means of the net panel, identical because the encryptor; it too is protected by a 64-character password. Performance-wise, it’s a typical EDR killer focusing on a big number of safety options that the RansomHub operators anticipate finding defending the networks they purpose to breach. A notable distinction lies within the code safety \u2013 the password protects shellcode that acts as a center layer of the killer\u2019s execution. With out the password, safety researchers can neither retrieve the listing of focused course of names nor the abused weak driver.<\/p>\n
Sophos in all probability selected \u201cshifter\u201d within the title to replicate the truth that the abused driver just isn’t at all times the identical \u2013 not less than two totally different weak drivers (abused by different recognized EDR killers too) had been noticed. We dive extra in depth into EDRKillShifter and different EDR killers within the EDR killers on the rise<\/a><\/em> part.<\/p>\n
The choice to implement a killer and provide it to associates as a part of the RaaS program is uncommon. Associates are sometimes on their very own to seek out methods to evade safety merchandise \u2013 some reuse current instruments, whereas extra technically oriented ones modify current proofs of idea or make the most of EDR killers out there as a service on the darkish internet<\/a>. Evidently, ransomware associates thought this was a good suggestion, as a result of quickly after the announcement, ESET researchers noticed a steep improve in the usage of EDRKillShifter, and never completely in RansomHub circumstances, as we reveal within the subsequent part.<\/p>\n
Roughly a month after EDRKillShifter\u2019s announcement, on June 3rd<\/sup>, 2024, RansomHub operators posted yet one more replace, stating that they improved EDRKillShifter. ESET telemetry exhibits that some associates deployed this up to date model solely 4 days later.<\/p>\n
Leveraging EDRKillShifter<\/h2>\n
ESET researchers took benefit of the broad recognition that EDRKillShifter gained upon its launch to develop our analysis. We had been capable of leverage its utilization to affiliate RansomHub associates with the a number of rival gangs that additionally they work for, in addition to to retrieve clearer inside versioning of this EDR killer.<\/p>\n
Linking associates to rival gangs<\/h3>\n
The distinction between RansomHub\u2019s encryptor and EDRKillShifter is that there is no such thing as a cause for associates to construct a brand new pattern of EDRKillShifter for each intrusion (until there’s a main replace) \u2013 which is strictly what allowed us to uncover one in all RansomHub\u2019s associates working for 3 rival gangs \u2013 Play, Medusa, and BianLian.<\/p>\n
These three gangs differ considerably:<\/p>\n
\n
- BianLian focuses totally on extortion-only assaults, with no RaaS program providing on its DLS.<\/li>\n
- Medusa doesn’t provide a RaaS program on its DLS both, however advertises its RaaS program on the RAMP underground discussion board.<\/li>\n
- Play strictly denies ever operating a RaaS program on its DLS.<\/li>\n<\/ul>\n
Discovering a hyperlink between RansomHub and Medusa just isn’t that shocking, as it’s common data that ransomware associates usually work for a number of operators concurrently. Nevertheless, we didn’t count on well-established gangs working below the closed RaaS mannequin (that means that they don’t actively search for new recruits and their partnerships are primarily based on long-term mutual belief) to kind alliances with RansomHub so shortly. Different well-established gangs, along with BianLian and Play, additionally function below the closed RaaS mannequin \u2013 the latest BlackBasta leak<\/a> provided distinctive perception into the interior workings of such teams.<\/p>\n
One method to clarify Play and BianLian gaining access to EDRKillShifter is that they employed the identical RansomHub affiliate, which is unlikely given the closed nature of each gangs. One other, extra believable clarification is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, after which repurposing the tooling they obtain from these rivals in their very own assaults. That is particularly attention-grabbing, since such closed gangs sometimes make use of a reasonably constant set of core instruments throughout their intrusions. Earlier than diving into the specifics of the found overlaps, let\u2019s briefly introduce the modus operandi of the Play gang.<\/p>\n
Play\u2019s modus operandi<\/h4>\n
The Play gang posted the primary victims to its DLS on November 26th<\/sup>, 2022; the gang has proven regular progress since then. In April 2024, Play made it to the highest three most lively ransomware gangs on the scene and constantly remained within the prime 10 for the entire yr. The gang posts 25 new victims every month, on common, specializing in SMBs, hinting that the gang has not less than a number of skilled, loyal associates. Not too long ago, Play has been linked<\/a> to the North Korea-aligned group Andariel.<\/p>\n
As anticipated from a closed RaaS gang, most circumstances involving the Play encryptor present similarities. Usually, in such intrusions:<\/p>\n
\n
- the encryptors are saved in %PUBLICpercentMusic<6_random_alphanumeric_characters>.exe<\/span>,<\/li>\n
- SystemBC<\/a> is utilized for payload supply and serves as a proxy,<\/li>\n
- Grixba<\/a>, a customized community scanner, is usually used, and<\/li>\n
- extra tooling is usually downloaded immediately from an IP tackle.<\/li>\n<\/ul>\n
The rest of the assault sometimes employs a large arsenal of instruments, in addition to living-off-the-land strategies.<\/p>\n
The puzzle<\/h4>\n
Let\u2019s look in depth on the hyperlinks we found. We emphasize first crucial ones in Determine 4 after which dive into the main points of every of the intrusions. We consider with excessive confidence that each one these assaults had been carried out by the identical risk actor, working as an affiliate of the 4 ransomware gangs proven in Determine 4. We’re not monitoring this risk actor below a devoted title at this level, however for comfort, we\u2019ll confer with this risk actor as QuadSwitcher.<\/p>\n
Determine 4. Schematic overview of the hyperlinks between Medusa, RansomHub, BianLian, and Play<\/em><\/figcaption><\/figure>\n As you may see in Determine 4, there are a complete of 5 intrusions from 4 totally different ransomware gangs interlinked by:<\/p>\n
\n
- two EDRKillShifter samples (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257<\/span> and 77DAF77D9D2A08CC22981C004689B870F74544B5<\/span>),<\/li>\n
- the payload supply server 45.32.206[.]169<\/span> internet hosting EDRKillShifter and WKTools<\/a> (a utility to discover and modify the Home windows kernel, utilized in many Play intrusions), and<\/li>\n
- SystemBC<\/a> with C&C server 45.32.210[.]151<\/span>.<\/li>\n<\/ul>\n
The next sections go into the person intrusions in additional element.<\/p>\n
RansomHub<\/h5>\n
In July 2024, QuadSwitcher deployed the RansomHub encryptor together with EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257<\/span>) to a producing firm in Western Europe and an automotive firm in Central Europe.<\/p>\n
In August, QuadSwitcher compromised a governmental establishment in North America utilizing PuTTY<\/a>, and shortly after Rclone<\/a>. They proceeded by putting in AnyDesk<\/a> and defending it with a password through a PowerShell script, anydes.ps1<\/a> (a part of the Conti leaks<\/a>). Making an attempt to evade the safety resolution, the risk actor deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257<\/span>) and TDSSKiller<\/a>.<\/p>\n
BianLian<\/h5>\n
On the finish of July 2024, QuadSwitcher compromised an organization within the authorized sector in North America. Throughout that intrusion, the risk actor dumped the Energetic Listing by executing<\/p>\n
powershell “ntdsutil.exe ‘ac i ntds’ ‘ifm’ ‘create full c:temp1’ q q”,<\/span><\/p>\n
deployed AnyDesk through the identical set up script from the Conti leaks, and used Superior IP Scanner<\/a> to scan the community. Six days later, the attacker put in the ScreenConnect<\/a> and Ammyy Admin<\/a> distant monitoring and administration (RMM) instruments and deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257<\/span>). After nearly a month of no exercise, the attacker returned and downloaded two payloads from http:\/\/45.32.206[.]169\/<\/span>:<\/p>\n
\n
- WKTools.exe<\/span>, the WKTools, utility usually utilized by Play<\/li>\n
- Killer.exe<\/span>, an occasion of EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5<\/span>)<\/li>\n<\/ul>\n
Moreover, QuadSwitcher deployed SystemBC utilizing 45.32.210[.]151<\/span> as its C&C server, and a signature BianLian backdoor<\/a> with C&C server 92.243.64[.]200:6991<\/span> from http:\/\/149.154.158[.]222:33031\/win64_1.exe<\/span>. The sufferer was later introduced on BianLian\u2019s DLS.<\/p>\n
Play<\/h5>\n
In early August 2024, QuadSwitcher compromised a producing firm in North America. They deployed SystemBC with C&C 45.32.210[.]151<\/span>, EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5<\/span>), and WKTools, downloaded from http:\/\/45.32.206[.]169\/WKTools.exe<\/span>. Finally, the risk actor deployed the Play encryptor.<\/p>\n
Medusa<\/h5>\n
On the finish of August 2024, QuadSwitcher compromised a expertise firm in Western Europe, downloading PuTTY from http:\/\/130.185.75[.]198:8000\/plink.exe<\/span> utilizing certutil.exe<\/span>, adopted by utilizing Course of Explorer<\/a> and EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257<\/span>). The risk actor additionally downloaded MeshAgent<\/a> from http:\/\/79.124.58[.]130\/dl\/git.exe<\/span>, additionally through certutil.exe<\/span>. The sufferer was later introduced on Medusa\u2019s DLS.<\/p>\n
The puzzle \u2013 conclusion<\/h3>\n
Moreover the hyperlinks summarized in Determine 4, there are TTPs that almost all resemble typical Play intrusions. In three of the circumstances, extra malware and instruments had been downloaded from a root folder of a server accessed through an IP tackle utilizing HTTP and QuadSwitcher additionally used SystemBC, commodity malware closely utilized by the Play gang. These hyperlinks lead us to consider QuadSwitcher is said to Play the closest.<\/p>\n
Moreover, QuadSwitcher has entry to not less than two EDRKillShifter samples, compiled two months aside, signaling the risk actor had prolonged entry to RansomHub\u2019s tooling.<\/p>\n
Reconstructing EDRKillShifter improvement timeline<\/h3>\n
In September 2024, ESET researchers documented<\/a> a case the place CosmicBeetle, an immature ransomware risk actor utilizing its personal signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, turned an affiliate of RansomHub. Observe that CosmicBeetle just isn’t a gang, however a person distributing and growing varied ransomware. Following the publication of our findings, we noticed CosmicBeetle additional make the most of EDRKillShifter throughout:<\/p>\n
\n
- a RansomHub assault in opposition to a hospitality firm in South America in August 2024,<\/li>\n
- a pretend LockBit assault in opposition to an automotive firm in Central Europe in August 2024,<\/li>\n
- a pretend LockBit assault in opposition to a producing firm in East Asia in September 2024, and<\/li>\n
- an assault with no encryptor deployed in opposition to an unknown firm within the Center East in January 2025.<\/li>\n<\/ul>\n
Different immature ransomware associates had been noticed utilizing EDRKillShifter earlier than deploying their customized encryptors (usually created just by utilizing the leaked LockBit 3.0 builder) as nicely. This exhibits one weak point of RansomHub \u2013 in its greed to develop as shortly as attainable, it wasn\u2019t very choosy about its associates. In consequence, it was, by its personal admission, breached by safety researchers in June 2024. Moreover, immature associates have a tendency to depart considerably extra trails, which enabled us to be taught extra about each them and RansomHub.<\/p>\n
Within the blogpost about CosmicBeetle, we talked about EDRKillShifter being deployed from an uncommon path C:UsersAdministratorMusic1.0.8.zip<\/span>. Within the following months, a number of different immature associates left comparable trails that enabled us to partially reconstruct EDRKillShifter\u2019s versioning, demonstrated in Desk 1. The VERSIONINFO column refers to EDRKillShifter\u2019s model as listed in its VERSIONINFO useful resource<\/a>, whereas the Deployment path refers back to the model talked about within the path found by ESET telemetry.<\/p>\n
Desk 1. EDRKillShifter versioning<\/em><\/p>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/ransomhub\/figure-1.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/ransomhub\/figure-2.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/ransomhub\/figure-4.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/ransomhub\/figure-5.png\" "\\"Figure")