#ESETresearch discovered previously unknown links between the
#RansomHub,
#Medusa,
#BianLian, and
#Play ransomware gangs, and leveraged
#EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/ RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted
#LockBit and
#BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group
#Andariel, Play strictly denies operating as
#RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and
#Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub:
https://github.com/eset/malware-ioc/tree/master/ransomhub 
Hackread.com
Thế Giới Trong Tầm Tay
Dissent Doe 
The Threat Codex
RansomLook
ESET Research