Jakub Souček and Jan Holman report:
The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian.
We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed.
Finally, based on our observations following the law-enforcement-led Operation Cronos and the demise of the infamous BlackCat gang, we offer our insights into how to assist in this intensive fight against ransomware.
Overview
The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped, in particular by a stunning 35% despite reverse expectations in the middle of the year. On the other hand, the recorded number of victims posted on dedicated leak sites (DLSs) increased by roughly 15%.
A big part of this increase is due to RansomHub, a new RaaS gang that emerged around the time of Operation Cronos. In this blogpost, we look in depth at RansomHub and demonstrate how we leveraged to our advantage the way affiliates use RansomHub’s tooling, allowing us to draw connections between RansomHub and its rivals, including well-established ones like Play, Medusa, and BianLian.
Read more at WeLiveSecurity.