Ransomware Cartel Emerges as a Major Threat to Cybersecurity Solution Providers

Swagta Nath

A new investigation by cybersecurity firm ESET has uncovered a growing nexus between affiliates of the RansomHub ransomware group and other major ransomware operations, including Medusa, BianLian, and Play. The connection centers around a powerful custom-built tool named EDRKillShifter, designed specifically to disable endpoint detection and response (EDR) software on compromised systems.

A Shared Tool Across Rival Gangs

Originally identified in August 2024 as a tool developed and used by RansomHub actors, EDRKillShifter is now turning up in attacks attributed to other ransomware families, raising concerns about collaboration between threat actors once thought to operate in isolation.

According to researchers Jakub Souček and Jan Holman at ESET, the tool relies on a technique known as Bring Your Own Vulnerable Driver (BYOVD): the attacker drops and loads a legitimately signed but exploitable third-party driver, then abuses its flaws from kernel mode to terminate EDR processes that user-mode code cannot touch, so the ransomware payload can run unobserved.

“Ransomware operators tend not to update their encryptors frequently due to the risk of flaws that could damage their reputation,” ESET said. “Instead, affiliates use tools like EDR killers to neutralize security before executing the ransomware payload.”


Trusted Alliances and Tool Sharing

What’s particularly noteworthy is the apparent tool-sharing between closed ransomware-as-a-service (RaaS) groups like Play and BianLian, which traditionally maintain exclusive, long-term affiliate relationships. The use of RansomHub’s EDRKillShifter in attacks linked to these groups suggests a rare level of cross-group cooperation or possible common affiliations.

ESET’s analysis suggests that these incidents may trace back to a single threat actor codenamed “QuadSwitcher”, believed to have close ties with the Play group. The consistency in tactics, techniques, and procedures (TTPs) across various incidents lends credence to this theory. Additionally, another affiliate known as CosmicBeetle has reportedly used EDRKillShifter in multiple attacks tied to both RansomHub and fake LockBit operations, further indicating the tool’s spread within the underground ransomware community.

The Growing Use of EDR Killers

This trend comes amid an uptick in the use of BYOVD techniques by ransomware gangs seeking to disable security software before deploying their payloads. In previous cases, other groups have employed similar tools, such as:

  • Embargo ransomware, which used a tool named MS4Killer

  • Medusa, now linked to a malicious driver codenamed ABYSSWORKER


These developments reflect a strategic evolution among ransomware actors: rather than altering core encryptors (which could introduce bugs), they’re focusing on neutralizing security defenses to ensure smooth ransomware deployment.

ESET’s Warning and Recommendations

ESET emphasizes that deploying an EDR killer requires administrator privileges on the target host, since loading a kernel driver is a privileged operation, and in practice often domain admin rights. By the time such a tool runs, the attacker has already escalated, which makes early detection of the initial intrusion critical.

“Users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled,” ESET advised. “This can help prevent the installation of vulnerable drivers and block attackers before they escalate privileges.”
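The BYOVD mechanism described above and ESET's advice on early detection both come down to the same telemetry question: did a kernel driver just load that should not have? The script below is an added example for this article, not ESET's or any vendor's code. It parses Sysmon Event ID 6 (DriverLoad) records in their text rendering and flags loads whose SHA256 appears on a vulnerable-driver blocklist, that come from a user-writable path, or that carry no valid signature. The blocklist hash, driver names, paths, vendor names and log lines are all constructed placeholders; a real deployment would populate the blocklist from a maintained source such as Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Hunt for BYOVD-style driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example for this article; not ESET's or any vendor's code. All
hashes, paths, vendor names and log lines are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical blocklist: SHA256 -> label. Populate from a maintained list
# (e.g. Microsoft's vulnerable driver blocklist or loldrivers.io) in practice.
VULNERABLE_DRIVER_SHA256 = {
    "deadbeef" * 8: "hypothetical abusable signed driver",
}

# A kernel driver has no business loading from user-writable locations.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

_FIELD_NAMES = "ImageLoaded|Hashes|Signed|Signature|SignatureStatus"
_FIELD_RE = re.compile(rf"({_FIELD_NAMES}): (.*?)(?=\s+(?:{_FIELD_NAMES}): |$)")
_SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signer: str
    signature_status: str


def parse_driver_load(line: str) -> Optional[DriverLoad]:
    """Parse one Event ID 6 record in Sysmon's 'Field: value' text form (constructed format)."""
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(line)}
    if "ImageLoaded" not in fields:
        return None
    m = _SHA256_RE.search(fields.get("Hashes", ""))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=m.group(1).lower() if m else "",
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def classify(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks like BYOVD; an empty list means benign."""
    reasons = []
    # The decisive check: a BYOVD driver is validly signed, so only a match
    # against known-vulnerable hashes identifies it with confidence.
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"hash on vulnerable-driver blocklist ({VULNERABLE_DRIVER_SHA256[ev.sha256]})")
    # Attackers drop the driver wherever they can write, typically a user
    # profile or temp directory rather than System32\drivers.
    if any(frag in ev.image.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append("driver loaded from a user-writable path")
    # Unsigned or badly signed drivers are a cruder variant worth flagging too.
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned driver or invalid signature")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every driver load that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_driver_load(line)
        if ev and (reasons := classify(ev)):
            hits.append((ev.image, reasons))
    return hits


# Constructed sample telemetry: three Event ID 6 records in Sysmon text style.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys Hashes: SHA256=" + "11" * 32
    + " Signed: true Signature: Microsoft Windows SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\hwmon64.sys Hashes: SHA256=" + "deadbeef" * 8
    + " Signed: true Signature: Example Hardware Co SignatureStatus: Valid",
    "ImageLoaded: C:\\ProgramData\\svc\\killer.sys Hashes: SHA256=" + "22" * 32
    + " Signed: false Signature: - SignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed events, the benign Microsoft driver passes, the Temp-directory driver trips both the blocklist and path rules, and the ProgramData driver trips the path and signature rules. The hash match is the rule to invest in: the whole point of BYOVD is that the driver's signature is genuine, so signature checks alone will never catch it.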

As ransomware operators continue to evolve and share powerful tools like EDRKillShifter, the cybersecurity community faces increasing pressure to enhance early detection and proactive defense strategies.
