
Ransomware Groups Increasingly Adopting EDR Killer Tools


ESET uncovers a link between RansomHub, Play, Medusa, and BianLian ransomware gangs as more groups adopt tools to disable EDR software.

Tools designed to disable endpoint detection and response (EDR) solutions are making their way into the arsenals of more and more ransomware gangs, ESET concluded during an investigation into a link between several well-known groups.

Following the demise of the LockBit and BlackCat ransomware groups in 2024, new threat actors rose to fame, including RansomHub, a ransomware-as-a-service (RaaS) organization that emerged in February 2024.

As affiliates of other groups migrated to it, including the BlackCat affiliate allegedly behind the Change Healthcare hack, RansomHub became, and has remained, the dominant threat on the landscape.

In May 2024, the group added to its arsenal EDRKillShifter, a custom EDR killer tool targeting numerous security solutions that relies on a password to protect the shellcode acting as a middle layer during its ...


Copyright of this story solely belongs to SecurityWeek.