Cyber Security News

Threat Actors Increasingly Utilize Ransomware as a Service Boosted by EDR Killers

The cybersecurity landscape is witnessing a significant shift as threat actors increasingly leverage Ransomware as a Service (RaaS) platforms enhanced by sophisticated Endpoint Detection and Response (EDR) killers.

Despite successful law enforcement operations against established ransomware gangs like LockBit, new players have swiftly emerged to fill the void, employing aggressive business strategies and advanced tools designed to bypass security protections.

February 2024 marked the emergence of RansomHub, a ransomware group that rapidly ascended to dominance within the cybercriminal ecosystem.

The group’s meteoric rise can be attributed to its attractive affiliate program, offering partners the opportunity to retain 90% of collected ransoms and guaranteeing direct payments to affiliate wallets.

This business model has successfully attracted both skilled and novice cybercriminals to their platform.

ESET researchers identified a concerning development by May 2024, when RansomHub introduced its proprietary EDR killer, dubbed “EDRKillShifter” by Sophos analysts.

Unlike traditional approaches that repurpose existing proof-of-concepts, RansomHub developed and maintains this custom tool specifically designed to terminate, blind, or crash installed security solutions by exploiting vulnerable drivers.

The financial impact of these evolving threats cannot be overstated. Between 2022 and 2024, ransomware and extortion breaches accounted for nearly two-thirds of financially motivated attacks.

Organizations experiencing successful breaches face revenue losses averaging 9% of annual earnings, stock value declines of 2.5%, and significant difficulty attracting or retaining customers, according to the latest cybersecurity reports.

Technical Analysis of EDRKillShifter’s Operation

The EDRKillShifter tool represents a sophisticated evolution in EDR evasion techniques. It operates through a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack pattern, loading legitimate but vulnerable drivers into system memory.

Once loaded, the tool exploits known vulnerabilities in these signed drivers to gain kernel-level access, effectively bypassing standard security controls.
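To show what a defender can look for in the BYOVD pattern described above, the following Python example (added here; not code from ESET, Sophos or the article) triages constructed Sysmon DriverLoad (Event ID 6) records. It flags a driver whose SHA-256 is on a vulnerable-driver blocklist, a driver loaded from a user-writable directory, and a driver that is not validly signed; the blocklist hash, driver names and log records are constructed placeholders.

```python
import re

# Constructed SHA-256 blocklist: a real deployment would load Microsoft's vulnerable
# driver blocklist or a community list such as LOLDrivers; this hash is a placeholder.
BLOCKED_DRIVER_SHA256 = {"11" * 32: "PLACEHOLDER-vulnerable-signed-driver.sys"}
# Directories from which a benign kernel driver is rarely loaded.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to key=value fields.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=" + "AA" * 32
    + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\drv.sys|Hashes=SHA256=" + "11" * 32
    + "|Signed=true|Signature=Some Vendor|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\x.sys|Hashes=SHA256=" + "22" * 32
    + "|Signed=false|Signature=|SignatureStatus=Unsigned",
]

def parse_event(line):
    """Split a flattened record into a dict; the Hashes value keeps its 'SHA256=' prefix."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def triage_driver_load(line):
    """Return the reasons a DriverLoad event deserves attention (empty list if benign)."""
    f = parse_event(line)
    reasons = []
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", f.get("Hashes", ""))
    digest = m.group(1).upper() if m else None
    if digest in BLOCKED_DRIVER_SHA256:
        reasons.append("known-vulnerable driver: " + BLOCKED_DRIVER_SHA256[digest])
    if any(d in f.get("ImageLoaded", "").lower() for d in SUSPICIOUS_DIRS):
        reasons.append("driver loaded from user-writable path")
    # A BYOVD driver is usually validly signed, so this check alone would miss it.
    if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    return reasons

def scan(events):
    """Map each flagged driver path to its reasons; benign loads are omitted."""
    flagged = {}
    for line in events:
        reasons = triage_driver_load(line)
        if reasons:
            flagged[parse_event(line)["ImageLoaded"]] = reasons
    return flagged
```

The second sample record is the BYOVD case: it passes the signature check and is caught only by the hash and path checks, which is why a blocklist feed matters more than signature validity for this threat.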

ESET researchers discovered instances where a single threat actor possessed multiple EDRKillShifter variants linked to various ransomware groups including BianLian, RansomHub, Medusa, and Play, indicating skilled affiliates simultaneously working across multiple ransomware operations.

This cross-pollination of advanced tools across different ransomware ecosystems represents a significant escalation in the collaborative capabilities of the ransomware underworld.

The identification of these relationships between seemingly separate ransomware operations demonstrates how the boundaries between competing criminal enterprises have become increasingly porous, creating a more formidable collective threat to organizational security worldwide.


Tushar Subhra Dutta

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers Cyber Security News, technology and other news.
