Threat Actors Increasingly Utilize Ransomware as a Service Boosted by EDR Killers - CyberSecurityNews
By Tushar Subhra Dutta
April 28, 2025
The cybersecurity landscape is witnessing a significant shift as threat actors increasingly leverage Ransomware as a Service (RaaS) platforms enhanced by sophisticated Endpoint Detection and Response (EDR) killers.
Despite successful law enforcement operations against established ransomware gangs like LockBit, new players have swiftly emerged to fill the void, employing aggressive business strategies and advanced tools designed to bypass security protections.
February 2024 marked the emergence of RansomHub, a ransomware group that rapidly ascended to dominance within the cybercriminal ecosystem.
The group’s meteoric rise can be attributed to its attractive affiliate program, offering partners the opportunity to retain 90% of collected ransoms and guaranteeing direct payments to affiliate wallets.
This business model has successfully attracted both skilled and novice cybercriminals to their platform.
ESET researchers identified a concerning development by May 2024, when RansomHub introduced its proprietary EDR killer, dubbed “EDRKillShifter” by Sophos analysts.
Unlike traditional approaches that repurpose existing proof-of-concepts, RansomHub developed and maintains this custom tool specifically designed to terminate, blind, or crash installed security solutions by exploiting vulnerable drivers.
The financial impact of these evolving threats cannot be overstated. Between 2022 and 2024, ransomware and extortion breaches accounted for nearly two-thirds of financially motivated attacks.
Organizations experiencing successful breaches face revenue losses averaging 9% of annual earnings, stock value declines of 2.5%, and significant difficulty attracting or retaining customers, according to the latest cybersecurity reports.
Technical Analysis of EDRKillShifter’s Operation
The EDRKillShifter tool represents a sophisticated evolution in EDR evasion techniques. It operates through a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack pattern, loading legitimate but vulnerable drivers into system memory.
Once loaded, the tool exploits known vulnerabilities in these signed drivers to gain kernel-level access, effectively bypassing standard security controls.
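As an added defender-side illustration (this is not code from the article, ESET or Sophos), the following Python script scans driver-load telemetry shaped like Sysmon Event ID 6 (DriverLoad) records and flags loads that fit the BYOVD pattern described above: a driver hash that appears on a vulnerable-driver blocklist, a missing signature, or a driver loaded from outside the standard driver directories. The record format, the sample events and the blocklist hashes are constructed placeholders; a real deployment would source the hashes from Microsoft's vulnerable driver blocklist or the LOLDrivers project and feed it actual Sysmon or EDR events.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in driver-load telemetry.

Added illustration, not code from the article or from ESET/Sophos. The input
records are constructed to mimic the fields of a Sysmon Event ID 6 (DriverLoad)
event; the blocklist hashes are placeholders and must be replaced with a real
source such as Microsoft's vulnerable driver blocklist or the LOLDrivers feed.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder SHA256 values standing in for a real vulnerable-driver blocklist.
VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_A",
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_B",
}

# Directories a legitimate driver is normally installed from. A driver loaded
# from a user-writable location is suspicious regardless of its signature.
TRUSTED_DRIVER_DIRS = {
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
}


@dataclass
class DriverLoad:
    image: str       # path of the loaded driver (ImageLoaded)
    sha256: str      # SHA256 taken from the Hashes field, upper-cased
    signed: bool     # Signed=true/false
    signature: str   # publisher name from the Signature field


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_sysmon_driver_load(line: str) -> DriverLoad:
    """Parse a constructed 'key=value|key=value' DriverLoad record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").upper(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def in_trusted_dir(image: str) -> bool:
    """True if the driver sits under one of the standard driver directories."""
    directory = ntpath.dirname(image).lower() + "\\"
    return any(directory.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def assess(load: DriverLoad) -> Optional[Finding]:
    """Return a Finding with every BYOVD indicator that applies, or None."""
    reasons = []
    if load.sha256 in VULNERABLE_DRIVER_SHA256:
        # The decisive check: a valid vendor signature does not help here,
        # because BYOVD relies on drivers that are signed but exploitable.
        reasons.append("hash matches vulnerable-driver blocklist")
    if not load.signed:
        reasons.append("driver is unsigned")
    if not in_trusted_dir(load.image):
        reasons.append("loaded from outside the standard driver directories")
    return Finding(load.image, reasons) if reasons else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess(parse_sysmon_driver_load(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one benign Microsoft driver, one signed but
# blocklisted driver dropped in a public folder, one unsigned driver in Temp.
SAMPLE_EVENTS = r"""
ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Hashes=MD5=CONSTRUCTED_MD5_0,SHA256=CONSTRUCTED_SHA256_0|Signed=true|Signature=Microsoft Windows
ImageLoaded=C:\Users\Public\svc.sys|Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_A|Signed=true|Signature=Some Legitimate Vendor
ImageLoaded=C:\Windows\Temp\drv.sys|Hashes=SHA256=CONSTRUCTED_SHA256_2|Signed=false|Signature=
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f.image, "->", "; ".join(f.reasons))
```

The second sample event is the instructive one: the driver carries a valid vendor signature and would pass a signature-only check, which is exactly why BYOVD works; only the hash blocklist (and, here, the unusual load path) catches it.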
ESET researchers discovered instances where a single threat actor possessed multiple EDRKillShifter variants linked to various ransomware groups including BianLian, RansomHub, Medusa, and Play, indicating skilled affiliates simultaneously working across multiple ransomware operations.
This cross-pollination of advanced tools across different ransomware ecosystems represents a significant escalation in the collaborative capabilities of the ransomware underworld.
The identification of these relationships between seemingly separate ransomware operations demonstrates how the boundaries between competing criminal enterprises have become increasingly porous, creating a more formidable collective threat to organizational security worldwide.
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.