RansomHub emerged in February 2024, just as Operation Cronos dismantled major ransomware players BlackCat and LockBit.
This new ransomware-as-a-service operation quickly attracted affiliates with generous terms—keeping 90% of ransom payments and offering direct wallet transfers.
By July 2024, RansomHub had dominated the ransomware scene, accumulating more victims than LockBit had since February.
In May 2024, RansomHub introduced EDRKillShifter, a custom endpoint detection and response killer designed to terminate security products by abusing vulnerable drivers, effectively blinding defensive systems before encryption begins.
The tool gained immediate popularity among affiliates, who deployed it not just in RansomHub operations but across attacks for multiple gangs.
ESET researchers detected unexpected connections between RansomHub and established ransomware gangs including Play, Medusa, and BianLian.
By tracking identical EDRKillShifter samples across multiple attacks, they uncovered a threat actor dubbed “QuadSwitcher” operating simultaneously for all four groups.
The researchers followed the trail of tooling that RansomHub offers its affiliates, discovering clear links between attacks previously attributed to separate operations.
The network of connections identified between these supposedly rival gangs through shared infrastructure and attack patterns.
Technical Analysis of Cross-Gang Connections
EDRKillShifter’s technical implementation requires a unique 64-character password to unlock shellcode that functions as a middle execution layer.
Without this password, security researchers cannot access the list of targeted processes or identify the vulnerable driver being exploited.
The tool's primary purpose is to blind security solutions just before ransomware deployment.
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q"
This code, found in multiple attacks, shows how the threat actor dumps Active Directory information before deploying EDRKillShifter.
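As an added illustration (not part of ESET's report), the following Python triage routine flags the ntdsutil IFM dump shown above in process-creation telemetry. It runs over a few constructed Sysmon-style events and accounts for ntdsutil's acceptance of abbreviated sub-commands (e.g. "ac i ntds", "cr fu"), so both the short form from the page and the long form are caught; event field names and paths are assumed.

```python
import re
from typing import Optional

# Constructed sample process-creation events (Sysmon EventID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp1" q q',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "activate instance ntds" "ifm" "cr fu c:\backup\ad" quit quit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "files" "info" q q',   # benign admin use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe c:\temp1\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# ntdsutil accepts any unambiguous prefix of a sub-command, so match the prefixes too.
IFM_RE = re.compile(r"\bifm\b", re.I)
CREATE_RE = re.compile(r"\bcr(?:eate)?\s+(?:sy(?:svol)?\s+)?fu(?:ll)?\b", re.I)
DEST_RE = re.compile(r"\bcr(?:eate)?\s+(?:sy(?:svol)?\s+)?fu(?:ll)?\s+([^\"']+)", re.I)


def is_ntds_ifm_dump(event: dict) -> bool:
    """True when ntdsutil is invoked with 'ifm' and a 'create full' media set."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("ntdsutil.exe") and "ntdsutil" not in cmd.lower():
        return False
    return bool(IFM_RE.search(cmd)) and bool(CREATE_RE.search(cmd))


def dump_destination(cmd: str) -> Optional[str]:
    """Extract the folder the NTDS.dit copy is written to, if present."""
    m = DEST_RE.search(cmd)
    return m.group(1).strip() if m else None


def triage(events: list) -> list:
    """Return one alert dict per matching event, with parent and target folder."""
    alerts = []
    for ev in events:
        if is_ntds_ifm_dump(ev):
            alerts.append({"parent": ev.get("ParentImage", ""),
                           "destination": dump_destination(ev["CommandLine"]),
                           "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"ALERT ntds IFM dump -> {a['destination']} (parent: {a['parent']})")
```

The destination folder is the natural pivot for a responder: files written there are a copy of the domain's credential database and should be traced through file-creation and outbound-transfer events.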
Additionally, the researchers partially reconstructed EDRKillShifter’s versioning timeline through telemetry, tracing its development from version 1.2.0.1 in May 2024 through multiple updates.
The discovery challenges previous assumptions about rivalry in the ransomware ecosystem, revealing that even closed RaaS operations with supposedly trusted affiliates share tooling with competitors.
This suggests skilled affiliates operate across multiple groups, maximizing profits while helping emerging threats like RansomHub quickly rise to prominence.
The connections between these ransomware gangs, facilitated by shared EDRKillShifter samples and infrastructure, represent a significant evolution in the ransomware landscape.
ESET’s research demonstrates that focusing on affiliate connections may be as important as targeting the operators themselves in the ongoing fight against ransomware.