A new analysis has revealed connections between affiliates of RansomHub and other ransomware groups such as Medusa, BianLian, and Play.
The connection stems from the use of a custom tool designed to disable endpoint detection and response (EDR) software on compromised hosts, ESET reports. The EDR-killing tool, called EDRKillShifter, was first documented in use by RansomHub actors in August 2024.
EDRKillShifter accomplishes its goal by means of a well-known tactic called Bring Your Own Vulnerable Driver (BYOVD), which involves loading a legitimate but vulnerable driver and abusing it to terminate the security solutions protecting the endpoints.
The point of using such tools is to let the ransomware encryptor run smoothly, without interference from security solutions.
"During an intrusion, the affiliate's goal is to obtain admin or domain admin privileges," ESET researchers Jakub Souček and Jan Holman note in a report shared with The Hacker News.
"Ransomware operators usually do not make major updates to their encryptors too often because of the risk of introducing problems, ultimately harming their reputation. As a result, security vendors detect the encryptors quite well, which affiliates react to by using EDR killers to 'get rid of' the security solution."
What is noteworthy is that a custom tool developed by the RansomHub operators and offered to its affiliates, something rare in its own right, has been used in other ransomware attacks linked to Medusa, BianLian, and Play.
This aspect is of particular importance in light of the fact that both Play and BianLian operate under a closed RaaS model, in which the operators do not seek to recruit new affiliates and their partnerships are based on long-term mutual trust.
"Trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones such as RansomHub, and then repurposing the tooling they receive from these rivals in their own attacks," ESET theorized. "This is especially interesting, since such closed gangs usually use a fairly consistent set of core tools during their intrusions."
It is suspected that all these ransomware attacks were carried out by the same threat actor, dubbed QuadSwitcher, who is likely most closely related to Play owing to similarities with the tradecraft usually associated with Play intrusions.
EDRKillShifter has also been observed in use by another individual affiliate known as CosmicBeetle as part of three different RansomHub and fake LockBit attacks.
The development comes against the backdrop of a surge in ransomware attacks using the BYOVD technique to deploy EDR killers on compromised systems. Last year, the ransomware gang known as Embargo was discovered using a program called MS4Killer to neutralize security software. Earlier this month, the Medusa ransomware crew was linked to a custom malicious driver called ABYSSWORKER.
"Threat actors need administrator privileges to deploy an EDR killer, so ideally their presence should be detected and mitigated before they reach that point," ESET said.
"Users, especially in corporate environments, should make sure that detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers."
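As an added illustration of the defensive advice above (this is not code from ESET or from the article), the following Python routine triages Sysmon driver-load events the way a BYOVD detection rule would: it flags any driver whose hash is on a vulnerable-driver list, that is unsigned or has an invalid signature, or that loads from a user-writable directory. The event lines, the hash list and the paths are constructed placeholders, not real telemetry or indicators.

```python
import re

# Constructed blocklist of driver SHA-256 hashes (placeholders, not real indicators).
VULNERABLE_DRIVER_SHA256 = {"aaaa" * 16}

# Directories a properly installed driver should not be loading from.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed Sysmon Event ID 6 (DriverLoad) records flattened to key=value text.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys "
    "Signed=true SignatureStatus=Valid Hashes=SHA256=" + "11" * 32,
    "EventID=6 ImageLoaded=C:\\Users\\Public\\drv.sys "
    "Signed=true SignatureStatus=Valid Hashes=SHA256=" + "aaaa" * 16,
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\x.sys "
    "Signed=false SignatureStatus=Unavailable Hashes=SHA256=" + "22" * 32,
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split a flattened key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return the reasons a driver load looks like BYOVD; an empty list means benign."""
    reasons = []
    sha256 = event.get("Hashes", "").split("SHA256=")[-1].lower()
    path = event.get("ImageLoaded", "").lower()
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash matches known-vulnerable driver")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or signature invalid")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("driver loaded from user-writable directory")
    return reasons

def scan(lines):
    """Run every Event ID 6 record through classify() and collect (image, reasons) alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") == "6" and (reasons := classify(event)):
            alerts.append((event["ImageLoaded"], reasons))
    return alerts

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

In a real deployment the hash set would be fed from a maintained vulnerable-driver blocklist and the events would come from the SIEM rather than an inline list.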