• ESET Research releases its analysis of the current ransomware ecosystem with focus on ransomware-as-a-service gang RansomHub.
• ESET discovered links between the RansomHub, Play, Medusa, and BianLian ransomware gangs by following the trail of tooling that RansomHub offers its affiliates.
• ESET analysis documents findings about EDRKillShifter and offers insights into the emerging threat of EDR killers.

PRAGUE, BRATISLAVA — March 26, 2025 — ESET researchers have released a deep-dive analysis about significant changes in the ransomware ecosystem, with focus on the newly emerged and currently dominating ransomware-as-a-service gang RansomHub. The report shares previously unpublished insights into RansomHub’s affiliate structure and uncovers clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian. Furthermore, ESET highlights the emerging threat of Endpoint Detection and Response (EDR) killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. ESET has observed an increase in ransomware affiliates using EDR killer code derived from publicly available proofs of concept, while the set of drivers being abused is largely unchanged.

“The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped significantly by a stunning 35%. On the other hand, the recorded number of victims announced (to be outed publicly) on dedicated leak sites increased by roughly 15%. A big part of this increase is due to RansomHub, a new ransomware-as-a-service (RaaS) gang that emerged around the time of law-enforcement Operation Cronos, which disrupted LockBit activities,” says ESET researcher Jakub Souček, who investigated RansomHub.

Just as any emerging RaaS gang, RansomHub needed to attract affiliates — who rent ransomware services from operators — and since there is strength in numbers, the operators weren’t very picky. The initial advertisement was posted on the Russian-speaking RAMP forum in early February 2024, eight days before the first victims were posted. RansomHub prohibits attacking nations from the post-Soviet Commonwealth of Independent States, Cuba, North Korea, or China. Interestingly, it lures affiliates in with the promise that they will receive the whole ransom payment to their wallet, and the operators trust the affiliates to share 10% with them, something quite unique.

In May, RansomHub operators made a significant update: They introduced their own EDR killer — a special type of malware designed to terminate, blind, or crash the security product installed on a victim’s system — typically by abusing a vulnerable driver.

RansomHub’s EDR killer, named EDRKillShifter, is a custom tool developed and maintained by the gang. EDRKillShifter is offered to RansomHub affiliates. Functionality-wise, it is a typical EDR killer targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach.

“The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products — some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases,” explains Souček.

Advanced EDR killers consist of two parts — a user mode component responsible for orchestration (the killer code) and a legitimate, but vulnerable, driver. The execution is typically very straightforward — the killer code installs the vulnerable driver, typically embedded in its data or resources, iterates over a list of process names of security software, and issues a command to the vulnerable driver, resulting in triggering the vulnerability and killing the process from kernel mode. “Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point,” adds Souček.

ESET discovered that RansomHub’s affiliates are working for three rival gangs — Play, Medusa, and BianLian. Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators simultaneously. On the other hand, one way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs. Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. Play has been linked to the North Korea-aligned group Andariel.

For a more detailed analysis of RansomHub and EDRKillShifter, check out the latest ESET Research blogpost “Shifting the sands of RansomHub’s EDRKillShifter” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Schematic overview of the links between Medusa, RansomHub, BianLian, and Play

LAS VEGAS, Nev. — March 26, 2025 — ESET, a global leader in cybersecurity, is growing its Corporate Solutions business in North America with the appointment of Charles (Chuck) Everette as Field Chief Information Security Officer (CISO). Following the recent appointment of ESET’s global Chief Corporate Solutions Officer Martin Talian, today’s news marks a significant milestone as the division looks to rapidly gain further traction in North America.

ESET’s Corporate Solutions division was launched globally in 2022 to deliver custom solutions and high-value threat intelligence for Fortune 500 companies and large enterprises to proactively defend against advanced threats. Featured at ESET World 2025 taking place this week, the Corporate Solutions team in North America and globally delivers highly configurable, scalable, and innovative solutions for customers operating critical infrastructure, providing financial services as well as government and defense organizations. This includes highly configurable, scalable, and innovative solutions designed for organizations delivering mission critical services. Specialized solutions offered by Corporate Solutions include but are not limited to:

• Air-gapped instances for local sandboxing and threat analysis
• Managed cybersecurity services covering end-to-end perimeter
• Advanced scanning solutions for complex and high-volume environments
• Long-life support aligned with customer’s product lifecycles
• Integrated solutions for both homes and businesses
• High-value cybersecurity advisory services

ESET Corporate Solutions excels in the design, delivery, and operation of these solutions and services, offering various levels of customization.

“Large Fortune 500 companies and North America enterprises have incredibly complex cybersecurity requirements, and Chuck brings the rare combination of visionary leadership, relationships, and hands-on expertise to drive momentum for Corporate Solutions locally,” said Martin Talian. “His deep technical knowledge and ability to communicate complex ideas to diverse audiences make him an invaluable asset to our organization and a trusted voice in the industry. We are thrilled to welcome him to the ESET team and to see this business reach its full potential in North America.”
Everette is an accomplished cybersecurity veteran with more than two decades of global IT security leadership. After starting his career as a hands-on practitioner in manufacturing and finance, he rose through the ranks to become a Deputy CISO of Fidelity National Information Services, where he oversaw 80% of the United States’ financial traffic and built a 60-person Security Operations Center (SOC) from the ground up. Everette has acted as a trusted advisor to Fortune 500 companies, municipalities, and venture capital firms evaluating cybersecurity investments. He has also worked extensively with federal agencies, including Homeland Security, and has been involved in addressing many of the most significant data breaches over the past 15 years.

“As a CISO and security practitioner myself, it’s important to me that I work with vendors known for technology excellence – and that’s what led me to ESET,” said Everette. “ESET is recognized across the industry for the strength of its products, in-house innovation, and unwavering commitment to its customers. I’m not coming in as a salesperson but as a peer who can relate to other CISOs because I’ve been in their shoes. I’m excited to help grow ESET’s presence in the North American market.”

A respected voice in the cybersecurity industry, Everette has spoken at prestigious conferences such as RSA and Black Hat, and has authored articles for Forbes and Dark Reading. His deep network of industry professionals and unwavering commitment to advancing cybersecurity make him a pivotal figure in the field.

To learn more about ESET Corporate Solutions, visit https://www.eset.com/us/business/corporate-solutions/.

Keynote and featured speakers at the show include:

• Richard Marko, Chief Executive Officer at ESET
• Michal Valko, Chief Models Office, Member of the Founding Team, Member of the Technical Staff, Stealth AI Startup
• Roman Unuchek, Reverse Engineer, Android Malware Research Team, Google
• Tyler Welt, Global Lead for Security Partner Enabling, Client Computing Group, Intel Corporation
• Juraj Malcho, Chief Technology Officer, ESET
•  Kirsten Bay, Co-founder & Chief Executive Officer, Cysurance
• Richard Stiennon, Chief Research Analyst, IT-Harvest
• Dalibor Kacmar, National Technology Officer, Microsoft
• Elliott Peterson, Special Agent, DCIS (DOD)
• Dave Ahn, Chief Architect, Vice President, Centripetal
• Henrique Barnard, Strategic Vendor Manager, Dutch Central Government
• Bas Dekker, Sr. Legal Counsel, Strategic Vendor Management, Dutch Central Government
• William Booth, General Manager & Director of ATT&CK Evaluations, MITRE
• Joseph Blankenship, Vice President, Research Director, Security & Risk, Forrester
• Padraic Harrington, Sr. Analyst, Security and Risk, Forrester
• Craig Robinson, Research Vice President, Security Services, IDC
• Chris Kissell, Research Vice President, Security & Trust Product, IDC
• Peter Stelzhammer, Co-Founder AV-Comparatives

“We are excited to bring ESET World to North America, ensuring that we create meaningful connections with ESET’s customers, partners and technology thought leaders,” said Richard Marko, Chief Executive Officer at ESET. “Cyber threats know no borders, and ESET World 2025 will unite the industry to talk about the future of cybersecurity, including new groundbreaking research from ESET Labs. ESET World’s theme, ‘Prevention-First for a Secure Future,’ will include topics such as harnessing AI, the gamification of large language learning models, zero-trust strategies, cyber resilience, and how companies can harness threat intelligence. ”

Featured entertainment at ESET World 2025 will include Cirque du Soleil Mad Apple on Tuesday, March 25th at the New York-New York Hotel and Casino and entertainment at the House of Blues on Wednesday March 26th.

“Collaboration is necessary in cybersecurity, and we are excited to bring the industry together in Las Vegas this week,” said Ryan Grant, Vice President of Sales and Marketing at ESET North America. “The event highlights ESET’s commitment to cutting-edge research, AI-driven security solutions, and the future of digital protection. Our attendees at ESET World will get to hear from researchers who are tracking the rise and fall of new ransomware groups, sharing new insights into the threat landscape and also releasing new data on attacks against the U.S. financial services industry.”

For more information and to register for free virtual attendance, visit http://www.esetworld.com/. #ESETWorld2025

Gamblers and dealers beware; whether in Vegas or Monte Carlo, it’s not strictly your wallet that’s at risk of running on empty.

What do gamblers, casinos, and the FBI have in common? If your answer is money, then try again. The digital age has arrived at brick-and-mortar casinos around the world, bringing with it its own flavor, including malice of a different kind than traditional card counters or chip dumping.

It’s true that casinos are highly regulated and well-protected against fraud of many kinds (often resembling or surpassing the security at hospitals and airports), but these days, it’s cybercriminals who have their eyes set on the grand prize. Casinos bank more than just their guests’ stakes. It’s the sensitive data they keep, such as financial records, personal details, and more, that make up the jackpot nowadays.

With ESET World 2025 taking place in the city of “lost wages” from March 24, 2025, perhaps it’s a good opportunity to raise cyber awareness in an area that might not be so obvious, as, increasingly, it is the data of the city’s guests, rather than the vaults, feed tables, and slot machines, that criminals are interested in.

The city of Las Vegas has many nicknames. Also known as the “gambling capital of the world,” the city is known for its lustrous casinos, luxurious hotels, and, of course, games. Within every casino, virtually hundreds of thousands of US dollars get exchanged daily. In 2023, this accounted for a collective $66.5 billion in casino revenue.

Not even George Clooney’s Ocean’s Eleven character, Danny Ocean, would scoff at such an amount, but even he would be shocked at the idea that there is more to a casino than the contents of its vaults.

Beyond the billions is the valuable data of a casino’s clientele, from people searching for lodging to event organizers, or regular, everyday casino-goers. From an even broader perspective, data on business partners (supply chains that provide the machines and security systems), employees, and even the top managers themselves, would be of great interest.

Why is all of this so interesting to threat actors? Let’s start with the sensitive data, like personal information. Anyone who’s ever checked in at a hotel knows the sort of details they have to provide to be given their rooms, such as:

1. Some form of an ID (state IDs, drivers’ licenses, passports, etc.)
2. Their name, address, preferences, email
3. Payment details

On top of that could be other specifics, such as further personal data (companions, dietary restrictions, accessibility requirements) or more. This much granular data can be very valuable on the black market, with stolen personal data from documents such as IDs or passports costing from hundreds to thousands of dollars per document.

Thus, threat actors roll the dice. In 2023, it came to light that the prominent casino chain MGM Resorts was targeted by a cyberattack, with hackers exfiltrating data such as names, contact information, gender, date of birth, IDs, and even Social Security numbers. The attack reportedly cost the chain around $100 million … certainly not chump change.

So, who’s responsible for the cybersecurity of the casino’s guests? From one point of view, it is the establishment itself, since, as it is providing a service, it needs to cover any liabilities. This is supported by regulations and guidelines recommending tight security, especially for sensitive data. Just off the top, PCI DSS would cover payment data, while the NIST Cybersecurity Framework would help a casino/hotel of any size to enact appropriate cyber measures.

For casinos in Las Vegas, the Nevada Gaming Commission (NGC) has a clear set of cybersecurity regulations for gaming operators to follow.

Perhaps this also places a bit too much of a burden on these places of entertainment. And, while guests don’t want such thoughts on their minds while hitting the jackpot, the reality is that personal awareness plays a big role when all the chips are down. Otherwise, man-in-the-middle attacks, in which cybercriminals create functional, but fake, Wi-Fi access points (aka “evil twin” networks), can gather sensitive data from victims’ devices.

Don’t bet the farm!

There are threats aplenty in the world of casinos. Scams with fake ads copying a well-known casino’s brand can present promising online gambling opportunities with great welcome bonuses. In fact, some of these scams use unauthorized photos of employees and properties to appear legitimate. What’s more, by pretending to be casino staff, bad actors could try to social engineer their way toward sensitive data, or even gain access to a casino’s systems.

What both casino operators and guests have in common is an understanding that stacking the deck in their favor is important. To double down on their security, they should consider:

• Prevention-first security: Simple antiviruses aren’t enough to protect the myriad devices casinos, hotels, or their guests have. Also, as various IoT vulnerabilities and supply-chain breaches enter the mix, these businesses and consumers must be on a proactive lookout. Businesses should consider investing in a platform such as ESET PROTECT Elite, which can provide all-encompassing protection with vulnerability management and advanced threat defense.
• Active threat hunting: For those casinos that lack the right IT staff, it would be wise to invest in a managed security service, such as ESET PROTECT MDR Ultimate, which, on top of product security, also adds highly tailored 24/7 protection with experts acting as your wild card against would-be malice, ensuring business continuity.
• Security audits: This is especially useful for protecting against supply-chain threats. A security audit could highlight weaknesses in casino systems, enabling the defenders to patch them up on time.
• Zero-trust: Access management methods such as zero-trust can ensure proper controls to mitigate the chances of unverified access. For employees, having a solution capable of Secure Authentication is one way to achieve this.
• Integrate: Casinos with existing security solutions should consider diversifying their existing security stacks with additional solutions such as Threat Intelligence. Consider that the more details that are available to an operation, the better and faster their decisions could be, saving a business millions in minutes.
• Mobile Security: Visitors to Vegas are very likely to be on the move. Hopping on and off various networks, trying out new apps, and signing up to promotions for discounts all get safer with a security solution like ESET Mobile Security, which offers protection from viruses, ransomware, and other malware. Prevention First helps you stay safe, evade phishing scams, shop safely, browse, and download files.

Incidentally, advice like this will be discussed at ESET World 2025, at the Aria Resort & Casino in Las Vegas, where experts from all around the globe, from businesses, to analysts, to government actors, will present a path to achieving a secure future. Vegas will be the place to see where progress is protected, and to connect with CISOs, renowned threat hunters, and cybersecurity experts advising CISA, NATO, and Interpol.

There’s no reason not to implement powerful security measures to deter malicious actors from swooping in on one’s turf. This means that casinos, resorts, hotels, and even their guests, should realize that it’s not just everyone’s money they’re after – there are far more compelling reasons to be targeted.