ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian.

We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed.

Finally, based on our observations following the law-enforcement-led Operation Cronos and the demise of the infamous BlackCat gang, we offer our insights into how to assist in this intensive fight against ransomware.

Key points of this blogpost:
  • We discovered clear links between the RansomHub, Play, Medusa, and BianLian ransomware gangs.
  • We achieved this by following the trail of tooling that RansomHub offers its affiliates.
  • We document additional findings about EDRKillShifter, correlating our observations with RansomHub’s public activity.
  • We offer insights into the emerging threat of EDR killers, their anatomy, and their role in the ransomware world.

Overview

The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped, in particular by a stunning 35% despite reverse expectations in the middle of the year. On the other hand, the recorded number of victims posted on dedicated leak sites (DLSs) increased by roughly 15%.

A big part of this increase is due to RansomHub, a new RaaS gang that emerged around the time of Operation Cronos. In this blogpost, we look in depth at RansomHub and demonstrate how we leveraged to our advantage the way affiliates use RansomHub’s tooling, allowing us to draw connections between RansomHub and its rivals, including well-established ones like Play, Medusa, and BianLian.

Throughout this blogpost, we refer to entities forming the ransomware-as-a-service model as follows:

  • Operators, who develop the ransomware payload, maintain the DLS, and offer services to affiliates, usually for a monthly fee and a percentage of the ransom payment (typically 5–20%).
  • Affiliates, who rent ransomware services from operators, and deploy the encryptors to victims’ networks and commonly also practice data exfiltration.

The rise of RansomHub

RansomHub announced its first victim on its DLS (see Figure 1) on February 10th, 2024, 10 days before the public announcement of Operation Cronos. While the gang’s rise was slow, it was also consistent, and when – in April 2024 – RansomHub achieved the most victim postings of all active ransomware groups (disregarding LockBit posting fakes), it was clear that this was a gang to keep a close eye on. Since then, RansomHub has dominated the ransomware scene.

Figure 1. RansomHub’s DLS
Figure 1. RansomHub’s DLS

To further demonstrate how dangerous RansomHub is, let’s compare it to LockBit. Figure 2 shows the daily cumulative sum (on the y-axis) of new victims posted on the DLS of LockBit vs. RansomHub, starting from RansomHub’s appearance in February 2024.

Figure 2. Progression of DLS posts by RansomHub and LockBit since RansomHub’s appearance
Figure 2. Progression of DLS posts by RansomHub and LockBit since RansomHub’s appearance. Souce: ecrime.ch

As you can clearly see, while RansomHub started announcing victims more slowly, nearly nine months later the gang was able to accumulate more victims since it started than LockBit, and that trend continues to this day. Considering that both BlackCat and LockBit suffered huge blows right around the time RansomHub emerged, we can confidently assume that many skilled affiliates migrated to RansomHub; Notchy, the BlackCat affiliate who stole more than 4 TB of data from Change Healthcare, is just one publicly known example.

Figure 3 shows the ransom note that RansomHub affiliates leave on their victims’ machines.

We are the RansomHub.

Your company Servers are locked and Data has been taken to our servers. This is serious. 

Good news:
- your server system and data will be restored by our Decryption Tool, we support trial decryption to prove that your files can be decrypted;
- for now, your data is secured and safely stored on our server;
- nobody in the world is aware about the data leak from your company except you and RansomHub team;
- we provide free trial decryption for files smaller than 1MB. If anyone claims they can decrypt our files, you can ask them to try to decrypt a file larger than 1MB.

FAQs:
Who we are?
- Normal Browser Links: https://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/
- Tor Browser Links: http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/

Want to go to authorities for protection?
- Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent,After the incident report is handed over to the government department, you will be fined <This will be a huge amount,Read more about the GDRP legislation:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation>,The government uses your fine to reward them.And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!

Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party "specialists"?
- they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed;  

Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. 
- We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.

Think your partner IT Recovery Company will do files restoration? 
- no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our servers and we can publish it at any time; 
  as well as send the info about the data breach from your company servers to your key partners and clients, competitors, media and youtubers, etc. 
  Those actions from our side towards your company will have irreversible negative consequences for your business reputation.

You don't care in any case, because you just don't want to pay? 
- We will make you business stop forever by using all of our experience to make your partners, clients, employees and whoever cooperates with your company change their minds by having no choice but to stay away from your company. 
  As a result, in midterm you will have to close your business. 


So lets get straight to the point.

What do we offer in exchange on your payment:
- decryption and restoration of all your systems and data within 24 hours with guarantee;
- never inform anyone about the data breach out from your company;
- after data decryption and system restoration, we will delete all of your data from our servers forever;
- provide valuable advising on your company IT protection so no one can attack your again.```

Now, in order to start negotiations, you need to do the following: 
- install and run 'Tor Browser' from https://www.torproject.org/download/
- use 'Tor Browser' open http://ubfofxonwdb32wpcmgmcpfos5tdskfizdft6j54l76x3nrwu2idaigid.onion/
- enter your Client ID: [REDACTED]
* do not leak your ID or you will be banned and will never be able to decrypt your files.

There will be no bad news for your company after successful negotiations for both sides. But there will be plenty of those bad news if case of failed negotiations, so don't think about how to avoid it.
Just focus on negotiations, payment and decryption to make all of your problems solved by our specialists within 1 day after payment received: servers and data restored, everything will work good as new.

************************************************

Figure 3. RansomHub ransom note

Recruiting phase

Just as any emerging RaaS gang, RansomHub needed to attract affiliates, and since there is strength in numbers, the operators weren’t very picky. The initial advertisement was posted on the Russian-speaking RAMP forum on February 2nd, 2024, eight days before the first victims were posted. There are a few things to note about the initial announcement:

  • Affiliates can receive ransoms with their own wallet and then afterward pay the operator.
  • Affiliates get to keep 90% of the ransom.
  • The encryptor is obfuscated and supports Windows, Linux, and ESXi platforms.
  • RansomHub offers various ways to enter its RaaS program:
    • Recommendation by an existing affiliate.
    • Proof of reputation.
    • Evidence of past RaaS cooperation.
    • Paying a deposit that is returned after first successful payment.
  • Attacking Commonwealth of Independent States, Cuba, North Korea, and China is prohibited.
  • Preferred communication is over qTox using the ID 4D598799696AD5399FABF7D40C4D1BE9F05D74CFB311047D7391AC0BF64BED47B56EEE66A528.

Guarantees like receiving ransom payment directly to the affiliate’s wallet and keeping a generous 90% certainly sound promising, especially in the chaos following the BlackCat and LockBit disruptions. Additionally, the entry barrier is very low, allowing even low-skilled affiliates to try their luck.

It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight, a once-rival ransomware gang that sold its source code in February 2024. The affiliates request the encryptor (often called a locker by RaaS operators) through the web panel offered by RansomHub (as is typical for RaaS gangs); the component responsible for generating the encryptor is typically referred to as a builder. Because information such as the unique victim ID is hardcoded in the encryptor, an affiliate needs to request a new one for every victim. RansomHub’s builder adds an additional layer of protection to its encryptors, a 64-character password, without which the encryptor does not work. This password is unique for each sample, generated by the builder, and known only to the affiliate who requested the encryptor.

On June 21st, 2024, RansomHub operators changed the affiliate rules in reaction to an alleged breach by security researchers. In response, the operator no longer allowed vouching by existing members as sufficient and strictly required a US$ 5,000 deposit for aspiring affiliates. This was the last noteworthy message from the RansomHub operators. However, between the initial announcement and this rule change, one more important event happened, which we dive into in the next section.

Expanding the arsenal – EDRKillShifter

On May 8th, 2024, the RansomHub operators made a significant update – they introduced their own EDR killer, a special type of malware designed to terminate, blind, or crash the security product installed on a vicim’s system, typically by abusing a vulnerable driver.

RansomHub’s EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator. EDRKillShifter is offered to RansomHub affiliates through the web panel, same as the encryptor; it too is protected by a 64-character password. Functionality-wise, it is a typical EDR killer targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach. A notable distinction lies in the code protection – the password protects shellcode that acts as a middle layer of the killer’s execution. Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver.

Sophos probably chose “shifter” in the name to reflect the fact that the abused driver is not always the same – at least two different vulnerable drivers (abused by other known EDR killers too) were observed. We dive more in depth into EDRKillShifter and other EDR killers in the EDR killers on the rise section.

The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products – some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. Evidently, ransomware affiliates thought this was a good idea, because soon after the announcement, ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases, as we demonstrate in the next section.

Roughly a month after EDRKillShifter’s announcement, on June 3rd, 2024, RansomHub operators posted yet another update, stating that they improved EDRKillShifter. ESET telemetry shows that some affiliates deployed this updated version only four days later.

Leveraging EDRKillShifter

ESET researchers took advantage of the wide popularity that EDRKillShifter gained upon its launch to expand our research. We were able to leverage its usage to associate RansomHub affiliates with the multiple rival gangs that they also work for, as well as to retrieve clearer internal versioning of this EDR killer.

Linking affiliates to rival gangs

The difference between RansomHub’s encryptor and EDRKillShifter is that there is no reason for affiliates to build a new sample of EDRKillShifter for every intrusion (unless there is a major update) – which is exactly what allowed us to uncover one of RansomHub’s affiliates working for three rival gangs – Play, Medusa, and BianLian.

These three gangs differ significantly:

  • BianLian focuses mostly on extortion-only attacks, with no RaaS program offering on its DLS.
  • Medusa does not offer a RaaS program on its DLS either, but advertises its RaaS program on the RAMP underground forum.
  • Play strictly denies ever running a RaaS program on its DLS.

Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators simultaneously. However, we did not expect well-established gangs operating under the closed RaaS model (meaning that they do not actively look for new recruits and their partnerships are based on long-term mutual trust) to form alliances with RansomHub so quickly. Other well-established gangs, in addition to BianLian and Play, also operate under the closed RaaS model – the recent BlackBasta leak offered unique insight into the inner workings of such groups.

One way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs. Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions. Before diving into the specifics of the discovered overlaps, let’s briefly introduce the modus operandi of the Play gang.

Play’s modus operandi

The Play gang posted the first victims to its DLS on November 26th, 2022; the gang has shown steady growth since then. In April 2024, Play made it to the top three most active ransomware gangs on the scene and consistently remained in the top 10 for the whole year. The gang posts 25 new victims each month, on average, focusing on SMBs, hinting that the gang has at least several experienced, loyal affiliates. Recently, Play has been linked to the North Korea-aligned group Andariel.

As expected from a closed RaaS gang, most cases involving the Play encryptor show similarities. Typically, in such intrusions:

  • the encryptors are stored in %PUBLIC%\Music\<6_random_alphanumeric_characters>.exe,
  • SystemBC is utilized for payload delivery and serves as a proxy,
  • Grixba, a custom network scanner, is often used, and
  • additional tooling is often downloaded directly from an IP address.

The remainder of the attack typically employs a wide arsenal of tools, as well as living-off-the-land techniques.

The puzzle

Let’s look in depth at the links we discovered. We emphasize first the most important ones in Figure 4 and then dive into the details of each of the intrusions. We believe with high confidence that all these attacks were performed by the same threat actor, working as an affiliate of the four ransomware gangs shown in Figure 4. We are not tracking this threat actor under a dedicated name at this point, but for convenience, we’ll refer to this threat actor as QuadSwitcher.

Figure 4. Schematic overview of the links between Medusa, RansomHub, BianLian, and Play
Figure 4. Schematic overview of the links between Medusa, RansomHub, BianLian, and Play

As you can see in Figure 4, there are a total of five intrusions from four different ransomware gangs interlinked by:

  • two EDRKillShifter samples (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257 and 77DAF77D9D2A08CC22981C004689B870F74544B5),
  • the payload delivery server 45.32.206[.]169 hosting EDRKillShifter and WKTools (a utility to explore and modify the Windows kernel, used in many Play intrusions), and
  • SystemBC with C&C server 45.32.210[.]151.

The following sections go into the individual intrusions in more detail.

RansomHub

In July 2024, QuadSwitcher deployed the RansomHub encryptor along with EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) to a manufacturing company in Western Europe and an automotive company in Central Europe.

In August, QuadSwitcher compromised a governmental institution in North America using PuTTY, and shortly after Rclone. They proceeded by installing AnyDesk and protecting it with a password via a PowerShell script, anydes.ps1 (part of the Conti leaks). Attempting to evade the security solution, the threat actor deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) and TDSSKiller.

BianLian

At the end of July 2024, QuadSwitcher compromised a company in the legal sector in North America. During that intrusion, the threat actor dumped the Active Directory by executing

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q",

deployed AnyDesk via the same installation script from the Conti leaks, and used Advanced IP Scanner to scan the network. Six days later, the attacker installed the ScreenConnect and Ammyy Admin remote monitoring and management (RMM) tools and deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257). After almost a month of no activity, the attacker returned and downloaded two payloads from http://45.32.206[.]169/:

  • WKTools.exe, the WKTools, utility often used by Play
  • Killer.exe, an instance of EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5)

Additionally, QuadSwitcher deployed SystemBC using 45.32.210[.]151 as its C&C server, and a signature BianLian backdoor with C&C server 92.243.64[.]200:6991 from http://149.154.158[.]222:33031/win64_1.exe. The victim was later announced on BianLian’s DLS.

Play

In early August 2024, QuadSwitcher compromised a manufacturing company in North America. They deployed SystemBC with C&C 45.32.210[.]151, EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5), and WKTools, downloaded from http://45.32.206[.]169/WKTools.exe. Ultimately, the threat actor deployed the Play encryptor.

Medusa

At the end of August 2024, QuadSwitcher compromised a technology company in Western Europe, downloading PuTTY from http://130.185.75[.]198:8000/plink.exe using certutil.exe, followed by using Process Explorer and EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257). The threat actor also downloaded MeshAgent from http://79.124.58[.]130/dl/git.exe, also via certutil.exe. The victim was later announced on Medusa’s DLS.

The puzzle – conclusion

Besides the links summarized in Figure 4, there are TTPs that most resemble typical Play intrusions. In three of the cases, additional malware and tools were downloaded from a root folder of a server accessed via an IP address using HTTP and QuadSwitcher also used SystemBC, commodity malware heavily used by the Play gang. These links lead us to believe QuadSwitcher is related to Play the closest.

Additionally, QuadSwitcher has access to at least two EDRKillShifter samples, compiled two months apart, signaling the threat actor had extended access to RansomHub’s tooling.

Reconstructing EDRKillShifter development timeline

In September 2024, ESET researchers documented a case where CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub. Note that CosmicBeetle is not a gang, but an individual distributing and developing various ransomware. Following the publication of our findings, we observed CosmicBeetle further utilize EDRKillShifter during:

  • a RansomHub attack against a hospitality company in South America in August 2024,
  • a fake LockBit attack against an automotive company in Central Europe in August 2024,
  • a fake LockBit attack against a manufacturing company in East Asia in September 2024, and
  • an attack with no encryptor deployed against an unknown company in the Middle East in January 2025.

Other immature ransomware affiliates were spotted using EDRKillShifter before deploying their custom encryptors (often created simply by using the leaked LockBit 3.0 builder) as well. This shows one weakness of RansomHub – in its greed to grow as quickly as possible, it wasn’t very picky about its affiliates. As a result, it was, by its own admission, breached by security researchers in June 2024. Additionally, immature affiliates tend to leave significantly more trails, which enabled us to learn more about both them and RansomHub.

In the blogpost about CosmicBeetle, we mentioned EDRKillShifter being deployed from an unusual path C:\Users\Administrator\Music\1.0.8.zip. In the following months, multiple other immature affiliates left similar trails that enabled us to partially reconstruct EDRKillShifter’s versioning, demonstrated in Table 1. The VERSIONINFO column refers to EDRKillShifter’s version as listed in its VERSIONINFO resource, while the Deployment path refers to the version mentioned in the path discovered by ESET telemetry.

Table 1. EDRKillShifter versioning

Compilation date VERSIONINFO Deployment path
2024-05-01 1.2.0.1 N/A
2024-06-06 1.2.0.1 1.0.7 / 1.0.8
2024-06-07 1.6.0.1 2.0.1
2024-07-10 2.6.0.1 2.0.4
2024-07-24 2.6.0.1 2.0.5

Following July 2024, there was only a single very generic update from the RansomHub operator posted on RAMP, correlating with our not seeing new versions of EDRKillShifter in the wild. Reconstructing the development timeline of EDRKillShifter also allowed us to spot these development practices:

  • The InternalName property of the version info resource being either Config.exe or Loader.exe.
  • The OriginalName property of the version info resource always being Loader.exe.
  • The deployment filename varying, most commonly being Killer.exe, Magic.exe, or Loader.exe.
  • The name of the argument accepting the 64-character-long password being named either pass or key.

EDR killers on the rise

EDRKillShifter quickly gained popularity among ransomware affiliates, and as we just demonstrated, they don’t use it exclusively in RansomHub intrusions. However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates.

An EDR killer is malware designed to run in a compromised network, to blind, corrupt, crash, or terminate security solutions protecting the endpoints. The obvious goal is to allow smooth execution of the ransomware encryptor. While more immature ransomware affiliates settle with scripts that simply try to terminate a list of processes, more sophisticated ones go beyond that and use the technique known as Bring Your Own Vulnerable Driver (BYOVD).

EDR killers are an effective and increasingly popular addition to ransomware affiliates’ arsenals. During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges. Ransomware operators tend not to do major updates of their encryptors too often due to the risk of introducing a flaw that could cause issues, ultimately damaging their reputation. As a result, security vendors detect the encryptors quite well, which the affiliates react to by using EDR killers to “get rid of” the security solution just before executing the encryptor.

Anatomy of an EDR killer

Advanced EDR killers consist of two parts – a user mode component responsible for orchestration (which we will refer to as the killer code) and a legitimate, but vulnerable, driver. The execution is typically very straightforward – the killer code installs the vulnerable driver, typically embedded in its data or resources, iterates over a list of process names, and issues a command to the vulnerable driver, resulting in triggering the vulnerability and killing the process from kernel mode.

Figure 5. Anatomy of an EDR killer abusing a vulnerable driver
Figure 5. Anatomy of an EDR killer abusing a vulnerable driver

Few drivers, many killers

Sophos documented in their blogpost how different builds of EDRKillShifter abuse different vulnerable drivers. One of the abused drivers, rentdrv2.sys, is also a part of BadRentdrv2, a publicly available EDR killer. The second one, TFSysMon from ThreatFire System Monitor, is also a part of TFSysMon-Killer, another publicly available PoC. The latter is part of a bigger collection of four EDR killer PoCs written in Rust, which we have observed threat actors reimplement in C++ without changing a single line of code.

While the Living Off The Land Drivers project provides over 1700 vulnerable drivers, making them a lucrative target for cybercriminals, only a handful of these drivers are abused by EDR killers – if there is tested code abusing a vulnerability in one of these drivers, it is much easier to reuse it without having to design the code from scratch. Additionally, it allows the EDR killer developers to focus on the killer code and its stealthiness.

Gray zone of EDR killers

Legitimate tools are abused by ransomware affiliates to work as EDR killers, too. Such tools, like the GMER rootkit detector and PC Hunter, by their nature require access to kernel mode and need to closely inspect the internals of the operating system. Unfortunately, they also offer a powerful functionality that can be abused when in the hands of malicious threat actors.

Adding EDR killers to RaaS offerings

RaaS programs often don’t provide affiliates only with encryptors – additional tools and playbooks may be part of the package. For instance, LockBit offered Stealbit, a custom data exfiltration tool, to its affiliates, and the Conti leaks and Dispossessor leak disclosed that playbooks, scripts, and know-how are also part of the ransomware gangs’ arsenal.

Adding an EDR killer to a RaaS offering seems logical, and RansomHub is not the only gang doing that. In October 2024, ESET researchers documented that the emerging ransomware gang Embargo implemented its own EDR killer as well, called MS4Killer, by modifying a publicly available PoC. At the time of writing: while the group listed only 14 victims on its DLS, it had already invested time and resources into developing its own EDR killer.

It remains to be seen whether EDR killers find their place in more gangs’ offerings. However, this blogpost has also demonstrated that researchers may leverage their usage to cluster affiliates and discover new relationships between rival gangs.

Defeating EDR killers

Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point.

While preventing the killer code from executing is the best approach, code obfuscation can make this unreliable. However, focusing on vulnerable drivers provides additional defense options. ESET considers drivers exploited by EDR killers potentially unsafe. Therefore, users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers.

Although not common, sophisticated threat actors may exploit a vulnerable driver already present on a compromised machine instead of relying on BYOVD. To counter this, having proper patch management in place is an effective and essential defense strategy.

Conclusion

The ransomware ecosystem suffered significant blows in 2024. Despite the overall number of recorded attacks increasing, it should not overshadow the positive effect of successfully disrupting or eliminating two ransomware gangs that had been dominating the scene for years.

We can speculate about how much the result of law enforcement actions decreased ransomware payments, or how the growing awareness and initiatives like the Counter Ransomware Initiative are helping ransomware victims understand that paying the ransom may not be the best way forward.

What is clear, unfortunately, is that a new sophisticated ransomware group, RansomHub, emerged, used the right tactics to attract affiliates (many of whom we believe transitioned from BlackCat and LockBit) in a short period, and was quickly able to climb to the top of the ladder. In the foreseeable future, RansomHub will surely try to remain among the most active RaaS gangs.

Law-enforcement-led disruptions of RaaS operators have proved effective, sowing distrust in the RaaS ecosystem. Unfortunately, 2024 showed that affiliates are able to regroup fairly quickly. After all, they have strong financial incentives to deploy encryptors to and exfiltrate sensitive data from their targets. Although more difficult to accomplish than disruptions, eliminating the most active affiliates from the picture is also effective because it can prevent new RaaS operators from gaining strength as quickly as RansomHub did. We believe that focusing on the affiliates, especially by tracking down their links between various gangs – as demonstrated in this blogpost between RansomHub, Play, Medusa, and BianLian – will ultimately lead to identification of the affiliates and their removal from the game.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.

Files

SHA-1 Filename Detection Description
97E13515263002809505DC913B04B49AEB78B067 amd64.exe WinGo/Kryptik.CV RansomHub encryptor.
BF84712C5314DF2AA851B8D4356EA51A9AD50257 Loader.exe Win64/Agent.DVP EDRKillShifter.
87D0F168F049BEFE455D5B702852FFB7852E7DF6 amd64.exe WinGo/Kryptik.CV RansomHub encryptor.
2E89CF3267C8724002C3C89BE90874A22812EFC6 Magic.exe Win64/Agent.DVP EDRKillShifter.
3B035DA6C69F9B05868FFE55D7A267D098C6F290 TDSSKiller.exe Win32/RiskWare.TDSSKiller.A TDSSKiller.
5ECAFF68D36EC10337428267D05CD3CB632C0444 svchost.exe WinGo/HackTool.Agent.EY Rclone.
DCF711141D6033DF4C9149930B0E1078C3B6D156 anydes.ps1 PowerShell/Agent.AEK Script that deploys and password protects AnyDesk.
E38082AE727AEAEF4F241A1920150FDF6F149106 netscan.exe Win64/NetTool.SoftPerfectNetscan.A SoftPerfect Network Scanner.
046583DEB4B418A6F1D8DED8BED9886B7088F338 conhost.dll Win64/Coroxy.J SystemBC.
3B4AEDAFA9930C19EA889723861BF95253B0ED80 win64_1.exe Win64/Agent.RA BianLian backdoor.
460D7CB14FCED78C701E7668C168CF07BCE94BA1 WKTools.exe Win32/WKTools.A WKTools.
5AF059C44D6AC8EF92AA458C5ED77F68510F92CD pfw.exe Win64/Agent.RA BianLian backdoor.
67D17CA90880B448D5C3B40F69CEC04D3649F170 1721894530.sys Win64/RentDrv.A Vulnerable driver used by EDRKillShifter.
77DAF77D9D2A08CC22981C004689B870F74544B5 Killer.exe Win64/Agent.DVP EDRKillShifter.
180D770C4A55C62C09AAD1FC3412132D87AF5CF6 1.dll Win64/Coroxy.K SystemBC.
DD6FA8A7C1B3E009F5F17176252DE5ACABD0FB86 d.exe Win32/Filecoder.PLAY.B Play encryptor.
FDA5AAC0C0DB36D173B88EC9DED8D5EF1727B3E2 GT_NET.exe MSIL/Spy.Grixba.A Grixba.

Network

IP Domain Hosting provider First seen Details
45.32.206[.]169 N/A Vultr Holdings, LLC 2024‑07‑25 Server hosting WKTools and EDRKillShifter.
45.32.210[.]151 N/A The Constant Company, LLC 2024‑08‑09 SystemBC C&C server.
79.124.58[.]130 N/A TAMATYA-MNT 2024‑08‑22 Server hosting MeshAgent.
92.243.64[.]200 N/A EDIS GmbH - Noc Engineer 2024‑07‑25 BianLian backdoor C&C server.
130.185.75[.]198 N/A Pars Parva System LTD 2024‑08‑20 Server hosting PuTTY.
149.154.158[.]222 N/A EDIS GmbH - Noc Engineer 2024‑07‑25 Server hosting BianLian backdoor.

MITRE ATT&CK techniques

This table was built using version 16 of the MITRE ATT&CK framework.

Tactic ID Name Description
Resource Development T1583 Acquire Infrastructure QuadSwitcher acquired infrastructure to host their tooling.
T1587.001 Develop Capabilities: Malware The RansomHub, Play, Medusa, and BianLian gangs develop their own encryptors and related tooling.
T1588.001 Obtain Capabilities: Malware The Play gang uses SystemBC, a commodity malware for sale.
T1588.002 Obtain Capabilities: Tool Various third-party tools are regularly used by the gangs’ affiliates.
T1608.001 Stage Capabilities: Upload Malware The Play gang uploaded its own tooling to a dedicated server to be used during intrusions.
T1608.002 Stage Capabilities: Upload Tool The Play gang uploaded the third-party tools it uses to a dedicated server to be used during intrusions.
Execution T1059.001 Command-Line Interface: PowerShell QuadSwitcher deployed AnyDesk using a PowerShell script.
T1059.003 Command-Line Interface: Windows Command Shell Windows Command Shell is regularly used by QuadSwitcher to issue commands.
Defense Evasion T1078 Valid Accounts QuadSwitcher abuses extracted credentials of valid accounts to move in the network stealthily.
T1078.002 Valid Accounts: Domain Accounts QuadSwitcher ultimately gained domain admin privileges in some of the intrusions.
T1480 Execution Guardrails RansomHub’s encryptor requires a password to run.
T1562.001 Impair Defenses: Disable or Modify Tools EDRKillShifter’s aim is to disable security solutions.
T1562.009 Impair Defenses: Safe Mode Boot RansomHub’s encryptor allows rebooting to safe mode to encrypt files.
T1218 System Binary Proxy Execution QuadSwitcher abused certutil.exe to download payloads.
Credential Access T1110 Brute Force QuadSwitcher attempted to brute force credentials during the intrusions.
Discovery T1087 Account Discovery In order to elevate privileges, QuadSwitcher discovered additional accounts.
T1057 Process Discovery EDRKillShifter looks for specific processes related to security solutions.
Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol RDP was often used for lateral movement in the compromised networks.
T1021.002 Remote Services: SMB/Windows Admin Shares RansomHub supports remote encryption of files.
Collection T1005 Data from Local System The BianLian gang focuses on data exfiltration, collecting data from local drives.
T1039 Data from Network Shared Drive The BianLian gang focuses on data exfiltration, collecting data from network drives.
Command and Control T1071 Application Layer Protocol In Play intrusions, payloads are retrieved via HTTP.
T1132.002 Data Encoding: Non-Standard Encoding SystemBC employs a custom network protocol.
T1219 Remote Access Software Multiple RMM tools were used, including AnyDesk and MeshAgent.
Exfiltration T1537 Transfer Data to Cloud Account BianLian affiliates used Rclone to exfiltrate data to a cloud account they control to avoid typical file transfers/downloads and network-based exfiltration detection.
Impact T1485 Data Destruction Some data like backups may be permanently destroyed by ransomware gangs.
T1486 Data Encrypted for Impact The ultimate result of ransomware gangs’ actions is encryption of victims’ data.
T1657 Financial Theft The ransomware gangs pressure victims to pay ransom in exchange for regaining access to their data.