RansomHub’s EDR-Killer Shows Up in Medusa, BianLian and Play Attacks


A recent analysis has uncovered that affiliates of the RansomHub ransomware group are employing a custom tool, EDRKillShifter, to disable Endpoint Detection and Response (EDR) software on compromised systems.
This tool utilizes the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting legitimate but vulnerable drivers to terminate security solutions, thereby facilitating the unobstructed execution of ransomware encryptors.
Notably, EDRKillShifter, initially associated with RansomHub actors since August 2024, has also been identified in attacks linked to other ransomware groups, including Medusa, BianLian, and Play, The Hacker News reports.
This cross-group utilization suggests a level of collaboration among these typically closed ransomware-as-a-service (RaaS) operations, which usually maintain exclusive, trusted partnerships.
Researchers propose that trusted members within Play and BianLian may be cooperating with rivals like RansomHub, repurposing shared tools in their own attacks.
The analysis also points to a threat actor, dubbed QuadSwitcher, potentially orchestrating these attacks, with a modus operandi closely resembling that of Play intrusions. Additionally, another affiliate, CosmicBeetle, has been observed deploying EDRKillShifter in various RansomHub and counterfeit LockBit attacks.
These findings underscore a rising trend in ransomware attacks employing BYOVD techniques to deploy EDR killers.
Takeaway: Threat actors are getting crafty with these BYOVD techniques, slipping in legit, signed drivers that have known security holes to burrow deep into your systems. Since these drivers come with a stamp of approval, they waltz right past many security defenses without raising an eyebrow.
Once they're in, it's game over. These bad actors can shut down your security tools, even those fancy Endpoint Detection and Response (EDR) systems you paid top dollar for. BYOVD techniques that disable EDR are the equivalent of your digital bouncers getting knocked out cold, leaving the door wide open for ransomware to strut in and wreak havoc.
The scary part? Most security teams are blissfully unaware of this backdoor maneuver. They're investing in all the latest cybersecurity gadgets, thinking they're locked down tight, while attackers are exploiting this overlooked weakness. So, what's the right move here?
Keep those drivers updated—don't let outdated software be your vulnerability. Set up strict controls on what gets installed, limit who has the keys to the kingdom by restricting admin privileges, and for the love of data, make sure you have the right solutions in place to catch these kinds of shady behaviors.
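One way to start catching the "shady behavior" described above is to triage driver-load telemetry for the signals BYOVD leaves behind: a known-vulnerable hash, a driver loaded from outside the normal driver directories, or a missing signature. The script below is an added example written for this post, not code from Halcyon or from the researchers it cites; the Sysmon-style records and every hash in it are constructed placeholders, and the blocklist set would in practice be filled from a curated source such as Microsoft's vulnerable driver blocklist.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators."""
from pathlib import PureWindowsPath

# Placeholder SHA256 values constructed for this example (not real indicators).
# In practice, populate this from a curated vulnerable-driver list.
VULN_DRIVER_SHA256 = {"00" * 32}

# Where Windows normally keeps drivers. A valid signature alone is not a trust
# decision: BYOVD drivers are legitimately signed, so location and hash matter.
TRUSTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)

def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA1=..,SHA256=..' field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def in_trusted_dir(path: str) -> bool:
    """True if the driver image sits under one of the standard driver directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(d).lower() + "\\") for d in TRUSTED_DRIVER_DIRS)

def triage_driver_load(event: dict) -> list:
    """Return the BYOVD-relevant findings for one DriverLoad event (empty = clean)."""
    findings = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULN_DRIVER_SHA256:
        findings.append("known-vulnerable driver hash")
    if not in_trusted_dir(event["ImageLoaded"]):
        findings.append("driver loaded from non-standard path")
    if event.get("SignatureStatus", "").lower() != "valid":
        findings.append("signature missing or invalid")
    return findings

# Constructed sample events: one normal OS driver, one signed-but-vulnerable
# driver dropped in a user-writable path, one unsigned driver in a temp folder.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\drv\helper.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\x.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "false", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ImageLoaded"], "->", triage_driver_load(e) or "clean")
```

Treat the path rule as a medium-confidence signal on its own (some legitimate vendors install drivers elsewhere) and raise priority when it co-occurs with a blocklisted hash or with a security process terminating shortly after the load.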
Bottom line, the cyber threat landscape is always shifting, and BYOVD is the latest curveball. Stay alert, stay informed, and don't let your guard down—because the moment you do, these threat actors are ready to pounce.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.