ESET Research<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESETresearch</span></a> discovered previously unknown links between the <a href="https://infosec.exchange/tags/RansomHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomHub</span></a>, <a href="https://infosec.exchange/tags/Medusa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Medusa</span></a>, <a href="https://infosec.exchange/tags/BianLian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BianLian</span></a>, and <a href="https://infosec.exchange/tags/Play" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Play</span></a> ransomware gangs, and leveraged <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDRKillShifter</span></a> to learn more about RansomHub’s affiliates. @SCrow357 <a href="https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/shifting-sands-ransomhub-edrkillshifter/</span></a> <br>RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted <a href="https://infosec.exchange/tags/LockBit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LockBit</span></a> and <a href="https://infosec.exchange/tags/BlackCat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlackCat</span></a>. Since then, it dominated the ransomware world, showing similar growth as LockBit once did. <br>Previously linked to North Korea-aligned group <a href="https://infosec.exchange/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Andariel</span></a>, Play strictly denies operating as <a href="https://infosec.exchange/tags/RaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RaaS</span></a>. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates. <br>BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.<br>Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected. <br>Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and <a href="https://infosec.exchange/tags/Embargo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Embargo</span></a> offer their killers as part of the affiliate program.<br>IoCs available on our GitHub: <a href="https://github.com/eset/malware-ioc/tree/master/ransomhub" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/ransomhub</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
urbanists.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
We're a server for people who like bikes, transit, and walkable cities. Let's get to know each other!
Administered by:
Server stats:
525active users
urbanists.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.8
#andariel
0 posts · 0 participants · 0 posts today
Graylog<p>The <a href="https://infosec.exchange/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Andariel</span></a> threat group, a DPRK state-sponsored APT active for over a decade, has been leveraging RID hijacking and user account concealment techniques in its operations to stealthily maintain privileged access to compromised Windows systems. 😱 </p><p>Learn (hands-on!) how RID hijacking and hidden backdoor accounts work in Andariel’s attack chain, and how you can detect and analyze similar activity in your organization’s network. 🔍 👀 </p><p><a href="https://graylog.org/post/adversary-tradecraft-a-deep-dive-into-rid-hijacking-and-hidden-users/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">graylog.org/post/adversary-tra</span><span class="invisible">decraft-a-deep-dive-into-rid-hijacking-and-hidden-users/</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/GraylogLabs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GraylogLabs</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload