ESET researchers have delved into the ransomware ecosystem in 2024, focusing on the emergence of the dominant RansomHub gang, a ransomware-as-a-service (RaaS) group. Through previously unpublished insights, we have uncovered connections between RansomHub and established gangs like Play, Medusa, and BianLian.
Our research highlights the threat posed by EDR killers, specifically EDRKillShifter, a custom tool developed by RansomHub. We have observed an increase in affiliates using code derived from publicly available proofs of concept, with a fixed set of drivers being abused.
Following Operation Cronos and the downfall of the BlackCat gang, we provide insights on how to combat ransomware effectively. By tracing the tooling offered by RansomHub to its affiliates, we were able to establish clear links between RansomHub and other ransomware groups.
In 2024, the ransomware landscape saw significant changes with LockBit and BlackCat exiting the scene. Despite a decrease in recorded ransom payments, the number of victims posted on leak sites rose by 15%, largely due to RansomHub’s emergence.
RansomHub first appeared in February 2024, gradually gaining momentum and surpassing LockBit in victim postings. Skilled affiliates, including those from BlackCat, likely joined RansomHub, contributing to its rapid growth.
Through our research, we have shed light on RansomHub’s operations and affiliations, highlighting the gang’s dominance in the ransomware arena. The ransom note left by RansomHub affiliates underscores the seriousness of the threat posed by this group and the challenges faced by victims seeking decryption solutions.
Overall, our analysis reveals the evolving landscape of ransomware threats in 2024, emphasizing the need for proactive measures to combat these malicious actors effectively.

Our actions towards your company will result in irreparable damage to your business reputation. If you refuse to pay, we will use our expertise to ensure that your partners, clients, employees, and anyone associated with your company will be compelled to distance themselves from you, leading to the eventual closure of your business.
In exchange for payment, we offer the following:
- Decryption and restoration of all systems and data within 24 hours, guaranteed.
- Confidentiality regarding the data breach outside of your company.
- Permanent deletion of all data from our servers after decryption and restoration.
- Valuable advice on enhancing your company’s IT security to prevent future attacks.
To initiate negotiations, follow these steps:
- Install and run the ‘Tor Browser’ from https://www.torproject.org/download/
- Use the ‘Tor Browser’ to visit http://ubfofxonwdb32wpcmgmcpfos5tdskfizdft6j54l76x3nrwu2idaigid.onion/
- Enter your Client ID: [REDACTED]
- Do not disclose your ID to avoid being banned and unable to decrypt your files.
Successful negotiations will benefit both parties, but failed negotiations will result in negative consequences. Focus on negotiations, payment, and decryption to resolve all issues promptly by our specialists within 24 hours of receiving payment.
****
Recruitment Phase:
To attract affiliates, RansomHub posted an advertisement on the Russian-speaking RAMP forum, offering 90% of the ransom to affiliates and providing an obfuscated encryptor supporting multiple platforms. Affiliates can join the RaaS program through recommendations, proof of reputation, past cooperation, or a deposit. RansomHub prohibits attacks on specific regions and prefers communication via qTox. The encryptor is based on repurposed code from another gang, with affiliates receiving a unique encryptor for each victim.
On June 21st, 2024, RansomHub changed affiliate rules, requiring a US$ 5,000 deposit. The operators introduced an EDR killer named EDRKillShifter on May 8th, 2024, to disable security products on victims’ systems. This custom tool, protected by a 64-character password, is offered to affiliates through the web panel.
RansomHub updated EDRKillShifter on June 3rd, 2024, leading to increased usage by affiliates. ESET researchers capitalized on the popularity of EDRKillShifter to expand their research. By tracing the tool from one intrusion to the next, we were able to connect RansomHub affiliates to multiple rival gangs they work for and obtain a clearer understanding of the EDR killer being used. One significant discovery was that a RansomHub affiliate was found to be working for three rival gangs – Play, Medusa, and BianLian.
These rival gangs have distinct characteristics:
- BianLian primarily focuses on extortion-only attacks and does not offer a RaaS program on its DLS.
- Medusa does not have a RaaS program on its DLS but advertises it on the RAMP underground forum.
- Play categorically denies running a RaaS program on its DLS.
The unexpected alliance between RansomHub and well-established closed RaaS gangs like BianLian and Play sheds light on the evolving landscape of ransomware operations. It is intriguing to see these closed gangs collaborating with a newcomer like RansomHub and repurposing tools received from them in their own attacks. This is particularly interesting given that closed gangs typically stick to a consistent set of core tools in their intrusions.
The discovery of a link between RansomHub, Medusa, BianLian, and Play suggests that a threat actor, referred to as QuadSwitcher, is working as an affiliate for all four gangs. The interconnected intrusions reveal common elements such as EDRKillShifter samples, payload delivery servers, and C&C servers, indicating a coordinated effort by QuadSwitcher across multiple attacks.
Detailed investigations into each intrusion show QuadSwitcher’s involvement in deploying various tools and malware, including EDRKillShifter, SystemBC, and WKTools, across different targets. The modus operandi of each gang, such as Play’s focus on SMBs and Medusa’s association with Andariel, further highlights the diverse tactics employed by QuadSwitcher in carrying out these attacks.
Overall, the puzzle of the interconnected intrusions paints a complex picture of collaboration and shared resources among rival gangs, facilitated by a common affiliate like QuadSwitcher. The detailed analysis of the links and TTPs involved in these attacks provides valuable insights into the evolving landscape of ransomware operations and the intricate relationships between threat actors and criminal organizations.

These links suggest a connection between QuadSwitcher and Play. Additionally, it is evident that QuadSwitcher has access to at least two samples of EDRKillShifter, compiled two months apart, indicating that the threat actor had prolonged access to RansomHub’s tools.

By reconstructing the development timeline of EDRKillShifter, we can see how it was utilized by various ransomware affiliates, including CosmicBeetle, who used it in attacks against different companies in various regions. The use of EDRKillShifter by multiple immature affiliates highlights a weakness in RansomHub’s vetting process, leading to operational security lapses and increased visibility for researchers. The versioning of EDRKillShifter and its deployment paths provide insight into its evolution and usage by different threat actors.

Furthermore, the rise of EDR killers, including EDRKillShifter, among ransomware affiliates indicates a growing trend in bypassing security solutions to facilitate ransomware attacks. The anatomy of an EDR killer and the utilization of vulnerable drivers underscore the sophistication and effectiveness of these tools in evading detection. The incorporation of EDR killers into RaaS offerings, as seen with Embargo implementing MS4Killer, demonstrates the expanding capabilities and tactics employed by ransomware gangs to maximize their impact. As of the time of writing this post, Embargo had listed only 14 victims on its DLS. However, the group had already dedicated time and resources to developing its own EDR killer.
It remains uncertain if EDR killers will become more prevalent among different gangs in the future. Nevertheless, this blog post has highlighted how researchers can use them to uncover connections between rival gangs and categorize affiliates.
Defending against EDR killers poses a significant challenge. Threat actors must obtain administrative privileges to deploy an EDR killer, making early detection and mitigation crucial. While preventing the execution of the killer code is the best defense, code obfuscation can complicate this process. Focusing on vulnerable drivers provides an additional layer of defense. ESET deems drivers exploited by EDR killers unsafe, so users, particularly in corporate settings, should enable the detection of potentially unsafe applications to prevent the installation of vulnerable drivers.
Although uncommon, sophisticated threat actors may exploit an existing vulnerable driver on a compromised machine instead of utilizing BYOVD. Implementing robust patch management protocols is an effective defense strategy in such cases.
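The defensive angle above, focusing on the vulnerable drivers rather than the obfuscated killer code, can be turned into a simple triage over driver-load telemetry. The following is an added example, not ESET's code or tooling: it parses Sysmon Event ID 6 ("Driver loaded") records flattened into one constructed line each, and flags any load whose image hash is on a vulnerable-driver blocklist or whose image was loaded from a user-writable directory. All hashes, paths and vendor names are constructed placeholders.

```python
# Added example (not ESET's code): triage Sysmon Event ID 6 ("Driver loaded")
# records for BYOVD-style EDR-killer activity. Events are flattened into one
# constructed line each; hashes and paths below are constructed placeholders.
import re
from dataclasses import dataclass, field

# Placeholder hashes. In practice populate the blocklist from Microsoft's
# vulnerable driver blocklist or the LOLDrivers project (SHA256 of the image).
VULN_HASH, BENIGN_HASH, UNKNOWN_HASH = "a" * 64, "1" * 64, "b" * 64
VULNERABLE_DRIVER_SHA256 = {VULN_HASH: "constructed-vulnerable-driver"}

# A legitimately installed driver should never be loaded from these locations.
SUSPICIOUS_DIR_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp|programdata)\\",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed records, Sysmon field names, joined with '|'
    f"ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes: SHA256={BENIGN_HASH}|Signed: true|Signature: Microsoft Windows",
    f"ImageLoaded: C:\\Users\\bob\\AppData\\Local\\Temp\\drv.sys|Hashes: SHA256={VULN_HASH}|Signed: true|Signature: Some Vendor Ltd",
    f"ImageLoaded: C:\\Windows\\Temp\\svc.sys|Hashes: SHA256={UNKNOWN_HASH}|Signed: true|Signature: Some Vendor Ltd",
]

@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

def parse_event(line: str) -> dict:
    """Extract the image path and SHA256 from one flattened record."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return {"image": fields["ImageLoaded"], "sha256": hashes.get("SHA256", "").lower()}

def triage(lines) -> list:
    """Return a Finding per driver load worth analyst attention. A valid
    signature is deliberately not exculpatory: drivers abused by EDR killers
    are legitimately signed, otherwise the kernel would refuse to load them."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev["sha256"] in VULNERABLE_DRIVER_SHA256:
            reasons.append("hash on vulnerable-driver blocklist: " + VULNERABLE_DRIVER_SHA256[ev["sha256"]])
        if SUSPICIOUS_DIR_RE.match(ev["image"]):
            reasons.append("driver image loaded from a user-writable directory")
        if reasons:
            findings.append(Finding(ev["image"], reasons))
    return findings
```

The hash match is the high-confidence signal; the path heuristic is there to catch a driver not yet on the blocklist, which is why the third sample is still flagged despite its unknown hash.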
In conclusion, the ransomware landscape experienced significant disruptions in 2024, with the elimination of two dominant ransomware gangs. While the number of attacks increased overall, the impact of dismantling these long-standing criminal groups should not be overlooked. The emergence of RansomHub, a new sophisticated ransomware group, signifies the evolving nature of the threat landscape. Law enforcement-led interventions have been successful in disrupting RaaS operators, but affiliates can regroup swiftly, underscoring the need to focus on tracking down and removing active affiliates to prevent the rapid rise of new ransomware operators.
For any inquiries regarding the research presented on WeLiveSecurity, kindly reach out to us at threatintel@eset.com. ESET Research also offers private APT intelligence reports and data feeds. To learn more about this service, visit the ESET Threat Intelligence page.
For a detailed list of indicators of compromise and samples, please refer to our GitHub repository.