Summary: A recent analysis reveals a connection between RansomHub affiliates and several other ransomware groups through a custom tool called EDRKillShifter, which disables endpoint detection and response (EDR) software. The tool uses a technique known as Bring Your Own Vulnerable Driver (BYOVD) so that ransomware execution is not flagged by security products. The findings indicate potential collaboration among rival ransomware groups, raising concerns about the evolving tactics employed by threat actors.
Affected: RansomHub, Medusa, BianLian, Play
Key points:
- EDRKillShifter is a tool developed by RansomHub actors to disable security software on compromised systems.
- The tool exploits vulnerable drivers to facilitate the unhindered operation of ransomware encryptors.
- Collaborations between rival ransomware groups have been identified, suggesting a disturbing trend in ransomware tactics.
- Researchers highlight the importance of early detection, and of preventing attackers from obtaining admin privileges, for mitigating attacks involving EDR killers.
Source: https://thehackernews.com/2025/03/hackers-repurpose-ransomhubs.html