ESET researchers examine the ransomware landscape in 2024, highlighting the emergence of RansomHub, a prominent ransomware-as-a-service (RaaS) group linked to established gangs like Play, Medusa, and BianLian. The article discusses the rise of EDR killers, particularly EDRKillShifter, developed by RansomHub, and reflects on the shifting dynamics of ransomware payments and victim statistics. Affected: RansomHub, Play, Medusa, BianLian, ransomware ecosystem, victims
Keypoints :
- RansomHub has connections to existing gangs such as Play, Medusa, and BianLian.
- EDRKillShifter is a custom EDR killer created by RansomHub to target security solutions.
- RansomHub’s affiliates have been using publicly available code and tools for ransomware attacks.
- Overall ransomware payments plummeted by 35% in 2024, but the number of victims increased by 15%.
- Law enforcement operations like Operation Cronos have disrupted traditional ransomware operations.
MITRE Techniques :
- T1583 – Acquire Infrastructure: RansomHub affiliates acquire infrastructure to host their tools.
- T1587.001 – Develop Capabilities: Malware: RansomHub and its affiliates develop and maintain their own ransomware tools.
- T1078.002 – Valid Accounts: Domain Accounts: Affiliates gain access through compromised accounts for lateral movement.
- T1480 – Execution Guardrails: RansomHub’s encryptor requires a unique password for execution.
- T1562.001 – Impair Defenses: Disable or Modify Tools: EDRKillShifter is specifically designed to disable endpoint detection and response products.
Indicator of Compromise :
- [SHA-1] BF84712C5314DF2AA851B8D4356EA51A9AD50257
- [Filename] Loader.exe
- [SHA-1] 77DAF77D9D2A08CC22981C004689B870F74544B5
- [Filename] Killer.exe
- [IP Address] 45.32.206[.]169
Full Story: https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/