According to recent investigations, “coopetition” is called for when one RaaS group, however new, has a novel new weapon to offer

Threat researchers investigating the new Ransomware-as-a-Service (RaaS) group RansomHub have uncovered clear connections with other well-established threat actors such as Play, Medusa, and BianLian.

RansomHub prohibits its affiliate members from attacking nations from the post-Soviet Commonwealth of Independent States, Cuba, North Korea, or China. The group lures affiliates in with the promise that they will receive the whole ransom payment to their wallet, and the operators trust the affiliates to share 10% with them, something quite unique. 

Furthermore, RansomHub uses a self-developed customer Endpoint Detection and Response (EDR) “killer” called EDRKillShifter, which is being used by more affiliates. EDR killers are a specialized type of malware designed to terminate, blind, or crash the security product installed on a victim’s system — typically by abusing a vulnerable driver that is installed in the victims’ systems. Defending against EDR killers is challenging so ideally, and IT teams that do not detect and intercept the point where the vulnerable driver is installed will be at a loss when the final stages of attack are in progress.

According to Jakub Souček, Researcher, ESET, the firm that has been investigating RansomHub: “The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products — some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the Dark Web.”

This is how ESET researchers used the clue to link RansomHub with its other affiliates. While it is common knowledge that RaaS affiliates often work for multiple operators simultaneously, the links that RansomHub has established are with industry rivals that also operate a closed network. Conversely, those rivals may made exceptions to their policy due to the appeal of the former’s EDR killer malware which can be leveraged quickly and repurposed for their own needs.