Cybercriminals increasingly utilize Ransomware as a Service boosted by EDR Killers. ESET meets the challenge with its prevention-first approach.

2024 marked a significant milestone in the fight against ransomware, bringing some good news and some bad news.

Let’s start with the good: the US Department of Justice and Europol cracked down on the infamous LockBit ransomware gang, inflicting a serious blow to the ransomware underworld.

The bad news? ESET researchers discovered new players quickly stepping in to replace those notorious but dissolving ransomware groups by using aggressive “business strategies” and tools to shut down endpoint protections.

Facing these new threats, businesses need to be prepared with prevention-oriented and multi-layered protection capable of staying one step ahead of cybercriminals.

Out of all the new players in the world of ransomware, perhaps RansomHub is the most notable, particularly due to its growth and tactics. The group posted its first victim in February 2024; by the end of that same year the group had taken a dominant position on the ransomware scene.

As any emerging Ransomware as a Service (RaaS) operator, to start, RansomHub needed to attract affiliates. To gather its “customers” quickly, the group allowed its affiliates to keep 90% of the collected ransoms, guaranteed the receipt of payments directly to the affiliate’s wallet, and offered multiple ways to enter its RaaS program, allowing even low-skilled affiliates to try their luck.

In the meantime, the group posted several updates, and by May 2024, had taken another significant step – RansomHub introduced its own Endpoint Detection and Response (EDR) killer, a type of malware designed to terminate, blind, or crash the installed security solution, typically by abusing a vulnerable driver.

RansomHub’s EDR killer, dubbed EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator. This unique approach goes against the traditional strategy of reusing or slightly modifying existing proof of concepts available online or utilizing EDR killers available as a service on the dark web.

Meanwhile, ESET researchers discovered a single threat actor in possession of two EDRKillShifter samples, linked to multiple ransomware groups (BianLian, RansomHub, Medusa, and Play). This demonstrates another trend in the world of ransomware – skilled affiliates working for multiple operators in parallel, which enhances the operators’ malicious capabilities even further.

In 2023, organizations all around the world detected 317.59 million ransomware attempts. Manufacturing and the food/beverage industry were targeted the most.

Between 2022 and 2024, the combination of ransomware and other extortion breaches accounted for almost two-thirds (fluctuating between 59% and 66%) of financially motivated attacks, according to the Verizon 2024 Data Breach Investigations Report. The reason is simple – it works, and financially motivated threat actors have no reason to change tactics giving them the most return on investment.

Prevention vs. Response

However, even worse than the financial cost of a ransom payment is the disruption in business continuity and the sense of unease caused by malicious actors’ unfettered access, but that is not the whole story:

(-) After a successful cyberattack, revenue losses due to system downtime and missed opportunities reach on average 9% of the company’s annual revenue, and stock price value drops 2.5% on average.

(-) Subsequent forensic investigation can range from $10K to $100K based on the business size.

(-) Of the organizations that have experienced a cyberattack in 2024, 47% report greater difficulty in attracting new customers and 43% report losing customers.

As shown by IBM’s 2024 Cost of a Data Breach Report, it took 284 days to identify and contain ransomware attacks. That’s quite a lot of time to deal with a compromise. In the face of prolonged disruption, therefore, it makes sense to list some ways to prevent ransomware attacks, such as:

(+) Employee training and AI, which are the most significant factors in reducing the costs of data breaches.

(+) With AI and automation deployed extensively, organizations averaged $2.2 million less in costs of data breaches in 2024.

(+) In a scenario where a business experiences two cyberattacks over a 10-year period, the direct costs in the reactive scenario are $17 million, compared to $8 million in the proactive scenario.

To support such net-positive and cost-effective security measures, it also makes sense to discuss just how practical some security solutions can be in preventing ransomware and EDR killers from causing costly business disruptions.

ESET experts have put a lot of thought into combatting ransomware. By following a proactive and prevention-first approach, ESET regularly improves its solutions based on the latest trends and discoveries.

Let’s start with the basics. To achieve powerful multilayered protection, ESET PROTECT combines endpoint security with full disk encryption and cloud sandbox analysis of detected samples. ESET also developed a tool finetuned to catch ransomware – ESET Ransomware Shield, which detects and blocks processes that resemble the behaviors of ransomware. And this is “only” the first line of defense. Taking detection further, PROTECT integrates with Intel® Threat Detection Technology

(Intel® TDT) at the CPU level to improve detection of new ransomware variants.

Advanced users can also try their hand at using ESET Inspect, the XDR-enabling module of the ESET PROTECT Platform, which can easily pinpoint malicious behavior thanks to its AI-powered engine. As you can see on the image below, the detections are very easy to understand and can help in identifying sophisticated attempts at a compromise such as bring-your-own-vulnerable-driver (BYOVD) attacks, which can later introduce EDR killers on the impacted systems.

EDR Killers’ abuse of legitimate drivers to bypass cybersecurity solutions is a technique that is well-known to ESET experts. Therefore, ESET PROTECT allows security admins to create strong policies for Potentially Unsafe Applications (PUSA), preventing cybercriminals from abusing vulnerable drivers to breach EDR.

Admins should also look to enable or tune detections for malicious code targeting specific drivers – something providers of the most effective EDRs have already provided detections for. Locking down the components of your EDR on each endpoint is also a must; the users of that endpoint should not be able to tamper with security controls if they don’t have the necessary privileges. From this perspective, ESET has now received a prestigious anti-tampering award from AV-Comparatives for the second time, noting ESET PROTECT Elite’s 100% effectiveness in stopping tampering attacks.

Due to the increasing complexity of these solutions, a smart thing is to have all-in-one protection with all features available on a single security platform, which can deliver a comprehensive range of capabilities unified into a single pane of glass. This is exactly in line with ESET’s prevention-first approach, which promotes reducing the complexity of cyber defense. Alternatively, pursuing a highly rated managed detection and response service like ESET MDR can deliver a significant security impact without requiring costly internal security investments.

Despite successful law enforcement operations against ransomware gangs, this field of cybercrime is so profitable that businesses around the world can hardly expect this threat to simply vanish. On the contrary, we can see the rise of new groups, tactics, and tools that pose new challenges.

To defend their hard-won business, companies need to be proactive, train their employees, set up reliable multilayered defenses utilizing the latest technology, and pursue a preventive security approach. As the latest data show, putting extra effort into cybersecurity is definitely worth it.