Shifting the sands of RansomHub’s EDRKillShifter
2025-03-26 • ESET
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
ESET profiles RansomHub as the dominant ransomware-as-a-service group that rose after the law-enforcement disruption of LockBit and BlackCat. The research links RansomHub activity to tooling trails associated with Play, Medusa, and BianLian affiliates and documents EDRKillShifter, a custom EDR-killer component used by RansomHub affiliates. EDRKillShifter relies on a builder-generated 64-character password that protects each encryptor; without the affiliate-specific password, researchers cannot retrieve the targeted process names or the abused vulnerable driver. The excerpt makes no DPRK connection, so it should be handled as ransomware-ecosystem context rather than North Korea attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | bf84712c5314df2aa851b8d4356ea51… | 2025-03-26 | 2025-03-26 |
| HASH | 77daf77d9d2a08cc22981c004689b87… | 2025-03-26 | 2025-03-26 |
| URL | https://ransomxifxwc5eteopdobyn… | 2025-03-26 | 2025-03-26 |
| URL | http://ubfofxonwdb32wpcmgmcpfos… | 2025-03-26 | 2025-03-26 |
| URL | http://ransomxifxwc5eteopdobyno… | 2025-03-26 | 2025-03-26 |
| DOMAIN | ransomxifxwc5eteopdobynonjctkxx… | 2025-03-26 | 2025-03-26 |
| DOMAIN | ubfofxonwdb32wpcmgmcpfos5tdskfi… | 2025-03-26 | 2025-03-26 |
| DOMAIN | ransomxifxwc5eteopdobynonjctkxx… | 2025-03-26 | 2025-03-26 |
| IPv4 | 45.32.210.151 | 2025-03-26 | 2025-03-26 |
| IPv4 | 92.243.64.200 | 2025-03-26 | 2025-03-26 |
| IPv4 | 45.32.206.169 | 2025-03-26 | 2025-03-26 |
| IPv4 | 1.2.0.1 | 2025-03-26 | 2025-03-26 |
| IPv4 | 149.154.158.222 | 2025-03-26 | 2025-03-26 |
| IPv4 | 130.185.75.198 | 2025-03-26 | 2025-03-26 |
| IPv4 | 2.6.0.1 | 2025-03-26 | 2025-03-26 |
| IPv4 | 79.124.58.130 | 2025-03-26 | 2025-03-26 |
| IPv4 | 1.6.0.1 | 2025-03-26 | 2025-03-26 |