ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions
Analysis Summary
# Threat Actor: RansomHub (RaaS Affiliates)
## Attribution & Identity
The focus is on the RansomHub ransomware-as-a-service (RaaS) gang and its affiliates. RansomHub is described as a "new but highly prolific" RaaS gang observed in 2024. Connections were uncovered between RansomHub affiliates and known peer groups, specifically **Play, Medusa, and BianLian**.
## Activity Summary
ESET researchers conducted a deep-dive analysis of changes in the ransomware ecosystem in 2024, with particular attention to RansomHub's affiliate structure and operations. RansomHub is noted for deploying tools designed to disrupt Endpoint Detection and Response (EDR) security solutions.
## Tactics, Techniques & Procedures
- **Disrupting EDR Solutions:** Affiliates deploy specialized tools to interfere with security defenses.
- **EDR Killers:** RansomHub is associated with the development and maintenance of a specific tool, **EDRKillShifter**, designed to counter EDR systems.
## Targeting
- Sectors: Not explicitly detailed in the provided snippet, but the focus on EDR disruption implies targeting organizations with robust security postures.
- Geography: Not specified.
- Victims: No specific victim organizations were named.
## Tools & Infrastructure
- **Malware families used:** RansomHub (RaaS).
- **Specific Tool:** **EDRKillShifter** (developed/maintained by RansomHub).
- **Infrastructure (C2, domains, IPs):** None mentioned in the snippet.
## Implications
RansomHub represents a significant and rapidly growing ("highly prolific") threat in the 2024 RaaS landscape. Its active development of EDR-disruption tools such as EDRKillShifter suggests a strong commitment to overcoming key enterprise security controls, increasing the potential impact of its ransomware campaigns.
## Mitigations
- **Defense against EDR disruption:** Organizations should focus on defenses that can withstand or quickly recover from attacks specifically targeting EDR capabilities, given the deployment of tools like EDRKillShifter.
- **Monitoring for peer group activity:** Since affiliates link to known groups like Play, Medusa, and BianLian, monitoring associated TTPs and intelligence relevant to those groups may aid prediction and defense.