
The ransomware gang RansomHub is taking over the criminal legacy of LockBit & Co. There are new connections between previously rival groups and new attack tools are in circulation, according to experts from ESET.
In a recent analysis of the ransomware landscape, ESET experts demonstrate that existing APT groups are repositioning themselves and are also taking on the legacy of LockBit and others. The analysis focuses on the RansomHub group, which has rapidly become the dominant force among so-called ransomware-as-a-service (RaaS) providers. RansomHub appears to have emerged after international law enforcement measures largely brought the activities of former market leaders LockBit and BlackCat to a standstill.
"2024 marked two turning points – the decline of the two largest ransomware groups and a decline in ransom payments of around 35 percent," said ESET researcher Jakub Souček, who led the investigation. "At the same time, however, the number of publicly reported victims increased by 15 percent. A large portion of this can be attributed to RansomHub."
EDR Killer: Tailor-made tool against security software in use
A dangerous, particularly perfidious tool plays a central role in RansomHub: EDRKillShifter. This is a so-called EDR (Endpoint Detection & Response) killer that specifically disables security solutions on compromised computers. To do so, the malware abuses a faulty driver in the target device's system. Companies that use ESET solutions are protected from such EDR killers.
The tool was developed by RansomHub itself, which is a rarity in the RaaS offerings sector. It is provided to the group's partners to specifically circumvent security measures. According to ESET, EDRKillShifter is now also being used in attacks by other ransomware groups such as Play, Medusa, and BianLian.
The connection between these groups is a controversial finding. "It is known that some affiliates – partners working on behalf of the operators – are active for multiple gangs simultaneously. The fact that they use internally developed tools across groups shows that even in the world of ransomware, there is no complete isolation," Souček continues.
Ransomware as a business – with unusual business models
Like any emerging RaaS gang, RansomHub had to recruit partners to lease the group's services. RansomHub recruited its first partners in early 2024 via the Russian-language RAMP forum, just eight days before the first victims were reported. What's striking is that partners are allowed to keep the entire ransom amount—only a voluntary ten percent share is expected to go to the developers. This trust model is considered unusual in the cybercrime scene.
What's also unusual is that individual RansomHub actors are simultaneously working for three rival gangs: Play, Medusa, and BianLian. A plausible explanation for this is that trusted members of Play and BianLian are also collaborating with other groups like RansomHub, using tools they receive there for their own attacks.
RansomHub prohibits attacks on targets in Russia, North Korea, China, and Cuba—a pattern that suggests political considerations or geographical origins. ESET sees RansomHub not as a mere successor to LockBit, but as a new key player reshaping the power structure in the ransomware market—with proprietary tool development, aggressive partner policies, and increasing visibility.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.