Full Report
A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in
Analysis Summary
# Tool/Technique: EDRKillShifter
## Overview
EDRKillShifter is a custom tool originally developed by the RansomHub ransomware group and offered to its affiliates. Its primary purpose is to disable Endpoint Detection and Response (EDR) security solutions on compromised hosts, thereby ensuring the smooth execution of ransomware encryptors without detection. The tool has been observed being repurposed and used by affiliates linked to other ransomware operations, including Medusa, BianLian, and Play.
## Technical Details
- Type: Tool
- Platform: Endpoint/Windows (Implied by use against EDR)
- Capabilities: Disables Endpoint Detection and Response (EDR) software. Leverages the Bring Your Own Vulnerable Driver (BYOVD) tactic.
- First Seen: August 2024 (Used by RansomHub actors)
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1212 - Exploitation for Defense Evasion
- T1212.003 - Bring Your Own Vulnerable Driver
- T1027 - Obfuscated Files or Information (Implied by neutralizing security visibility)
## Functionality
### Core Capabilities
- Disabling security software (EDR) immediately prior to ransomware execution.
- Utilizing a legitimate but vulnerable driver to achieve kernel-level control to terminate security processes.
### Advanced Features
- The tool itself is a bespoke piece of utility software developed by a ransomware operator, which is noted as a rare occurrence.
- Its repurposing and sharing across seemingly rival ransomware operations (RansomHub, Medusa, BianLian, Play) suggests deep collaboration or compromise among trusted actors.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article, but acts as an EDR killer utility]
- Registry Keys: [Not provided in the article]
- Network Indicators: [Not provided in the article]
- Behavioral Indicators: Execution involves loading a legitimate but vulnerable driver to interfere with security product processes, characteristic of BYOVD attacks.
## Associated Threat Actors
- RansomHub
- Medusa
- BianLian
- Play
- CosmicBeetle (Observed using it in RansomHub/fake LockBit attacks)
- QuadSwitcher (Suspected actor behind the cross-group usage)
## Detection Methods
- Signature-based detection: Signatures for the specific vulnerable driver binaries the tool loads, or for command patterns associated with its deployment.
- Behavioral detection: Monitoring for the use of BYOVD techniques, specifically the loading of potentially malicious or vulnerable drivers followed by attempts to terminate security monitoring processes or services.
- YARA rules: [Not provided in the article]
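The behavioral detection described above, as an added example that is not part of the article: a correlation rule that flags a suspicious driver load (known-vulnerable hash, or a driver loaded from outside the system driver directory) followed within a short window by termination of security-product processes. The event records, process names and the driver hash are constructed placeholders; the article itself names no driver, hash or file.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the article): id 6 = driver loaded,
# id 5 = process terminated. Note the BYOVD driver is validly signed, so a
# signature check alone would not catch it.
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T10:00:00", "id": 6, "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "signed": True, "sha256": "CONSTRUCTED_BENIGN_HASH"},
    {"ts": "2024-08-01T10:05:10", "id": 6, "image": "C:\\Users\\Public\\drv.sys",
     "signed": True, "sha256": "PLACEHOLDER_VULN_DRIVER_HASH"},
    {"ts": "2024-08-01T10:05:12", "id": 5, "image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"ts": "2024-08-01T10:05:13", "id": 5, "image": "C:\\Program Files\\EDR\\edr_sensor.exe"},
    {"ts": "2024-08-01T11:30:00", "id": 5, "image": "C:\\Windows\\notepad.exe"},
]

# Placeholder lists: fill from a vetted vulnerable-driver blocklist and from
# the process names of the EDR actually deployed in your environment.
VULN_DRIVER_HASHES = {"PLACEHOLDER_VULN_DRIVER_HASH"}
SECURITY_PROCESS_NAMES = {"edr_agent.exe", "edr_sensor.exe"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _suspicious_driver(ev):
    # Known-vulnerable hash, or a driver loaded from a non-standard location.
    return (ev["sha256"] in VULN_DRIVER_HASHES
            or not ev["image"].lower().startswith(TRUSTED_DRIVER_DIRS))

def detect_byovd_edr_kill(events, window_seconds=300):
    """One alert per suspicious driver load followed, within the window,
    by termination of at least one security-product process."""
    evs = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(evs):
        if ev["id"] != 6 or not _suspicious_driver(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        killed = []
        for later in evs[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > timedelta(seconds=window_seconds):
                break  # events are sorted, so nothing later can be in the window
            if later["id"] == 5 and _basename(later["image"]) in SECURITY_PROCESS_NAMES:
                killed.append(_basename(later["image"]))
        if killed:
            alerts.append({"at": ev["ts"], "driver": ev["image"],
                           "sha256": ev["sha256"], "terminated": killed})
    return alerts

if __name__ == "__main__":
    for alert in detect_byovd_edr_kill(SAMPLE_EVENTS):
        print(alert)
```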
## Mitigation Strategies
- Prevention: Proactively block known vulnerable drivers from being loaded or executed (driver blocklisting), or restrict driver loading to an approved allowlist.
- Hardening recommendations: Implementing strong security baseline configurations, removing unnecessary vulnerable drivers, and adopting vulnerability management practices to patch drivers discovered to be vulnerable. Restricting administrative rights.
## Related Tools/Techniques
- Bring Your Own Vulnerable Driver (BYOVD) Tactic
- Other EDR killing utilities used by ransomware affiliates.