#EDR as a service
Text

Remodeling Contractors | EDR Design Build
Do you want your area updated? EDR Design Build is ready to assist. Our specialty as leading remodeling contractors is creating stunning interiors that perfectly express your unique style and personality. Our crew has the expertise to turn your idea into a reality, whether you're remodeling your bathroom or kitchen.
#general contractor#edr design build#Remodeling Contractors#Home Remodeling Services#Complete Home Remodeling
Text
The Technology Management Group (TMG) was built by experts and propelled by service. Founded in 1989 in New York City by Chris Moschovitis, a certified expert in cybersecurity, enterprise IT governance, and data privacy solutions engineering, our pioneering tech firm was built on one simple idea: that mid-market companies can neither afford nor retain the expertise necessary to leverage information technology to maximize their value, optimize operations, and keep their business-critical data safe and sound, especially without breaking the bank or creating more problems.
From the beginning of our history, we've prioritized not only value creation but value protection. And we've been doing cybersecurity since before cybersecurity was a thing! From those first clunky websites to an interconnected planet, artificial intelligence, machine learning and big data, we've been there and done that through it all, and we're still here today, shaping the future together with you.
Our goal has always been to enable your business to be smart, be objective, and pick the right tech to outpace your competition and deliver the greatest value for your dollar. And we're honored to be known in the business as the people who will go to the end of the world for their clients, clients who are still with us all these decades later.
#Vulnerability testing#Staff support#SOAR#Site assessment#Penetration testing#itmanagement#IT operations#IT Department monitoring#GRC#Emergency IT services#cybersecurity#CIO#Artificial Intelligence#AI Assessment#Information Technology#XDR#tmg-emedia#tmg#SIEM#SECOPS#MOSCHOVITIS#MDR#IT#IR#INCIDENCERESPONSE#INCIDENCE RESPONSE#FORESNIC#ESG#EDR#DPO
Text
What is Endpoint Detection and Response (EDR)?

EDR is a cybersecurity solution that continuously monitors and responds to potential threats on endpoints (devices like laptops, smartphones, and servers). It involves real-time tracking, threat detection, and automated response to mitigate risks.
Why is EDR important for your business?
1. Enhanced Security: Detects and responds to threats quickly, reducing the risk of data breaches.
2. Real-Time Monitoring: Provides continuous oversight of all endpoints, ensuring threats are identified and dealt with promptly.
3. Automated Response: Automates threat responses, minimizing the impact on your operations and reducing downtime.
Investing in EDR helps protect your business from evolving cyber threats, ensuring your data and systems remain secure. Safeguard your business with advanced EDR solutions from Century Solutions Group. #CyberSecurity #EDR #CenturySolutionsGroup – www.centurygroup.net
Text
How can I prove fault in a truck accident?
Truck accidents in Omaha can lead to severe injuries and complex legal challenges. Proving fault is crucial for securing compensation, and understanding the process can be daunting, especially for those unfamiliar with legal proceedings. This article provides a comprehensive guide on establishing fault in truck accidents, emphasizing the importance of hiring a local truck accident lawyer in Omaha.
Understanding Fault in Truck Accidents
Determining fault in truck accidents involves identifying the party responsible for causing the collision. This process requires a thorough investigation of various factors, including driver behavior, vehicle maintenance records, and adherence to traffic laws. In Omaha, specific regulations govern trucking operations, making it essential to work with professionals familiar with local laws.
Steps to Prove Fault in a Truck Accident
Gather Evidence at the Scene
Photographs and Videos: Capture images of vehicle positions, road conditions, traffic signs, and any visible damages.
Witness Statements: Collect contact information and statements from witnesses present at the scene.
Police Reports: Obtain a copy of the official accident report filed by law enforcement.
Examine Driver Records
Logbooks: Review the truck driver's logbooks to ensure compliance with hours-of-service regulations.
Licensing and Training: Verify the driver's qualifications and training records.
Inspect Vehicle Maintenance Records
Maintenance Logs: Check for regular maintenance and any reported mechanical issues.
Inspection Reports: Review records of routine inspections and any necessary repairs.
Analyze Electronic Data
Event Data Recorder (EDR): Access data from the truck's EDR, which records information like speed, braking, and engine performance.
GPS Data: Utilize GPS information to track the truck's route and movements leading up to the accident.
Consult Experts
Accident Reconstruction Specialists: Engage professionals to recreate the accident scenario and determine contributing factors.
Medical Experts: Obtain medical evaluations to link injuries directly to the accident.
The Importance of Hiring a Local Truck Accident Lawyer in Omaha
Navigating the complexities of truck accident cases requires specialized legal expertise. Hiring a local truck accident lawyer in Omaha offers several advantages:
Knowledge of Local Regulations: Local attorneys are well-versed in Nebraska's trucking laws and regulations, ensuring compliance and effective case strategies.
Familiarity with Local Courts: An Omaha-based lawyer understands the local court system, including procedures and personnel, which can be beneficial during litigation.
Access to Local Resources: Local attorneys have established networks with experts and investigators in the area, facilitating a thorough investigation.
Key Considerations When Choosing a Truck Accident Lawyer in Omaha
Selecting the right attorney is crucial for a successful outcome. Consider the following factors:
Expertise in Truck Accident Cases: Ensure the lawyer specializes in truck accident claims and has a track record of successful outcomes.
Success Rates: Inquire about the attorney's history of settlements and verdicts in similar cases.
Local Knowledge: A lawyer familiar with Omaha's legal landscape can navigate the system more effectively.
Tips for Evaluating Omaha-Based Truck Accident Lawyers
Check Local Reviews: Research client testimonials and reviews to gauge the attorney's reputation and client satisfaction.
Assess Credentials: Verify the lawyer's education, certifications, and memberships in professional organizations.
Discuss Case Strategies: During consultations, ask about the proposed approach to your case and assess their communication style.
Benefits of Hiring an Omaha Truck Accident Attorney
Understanding of Regional Regulations: Local attorneys are adept at navigating Nebraska's specific trucking laws.
Established Networks: They have connections with local experts, which can be instrumental in building a strong case.
Personalized Attention: A local lawyer is more accessible for meetings and updates, ensuring personalized service.
Key Features to Look for in a Truck Accident Lawyer
Experience with Truck Accident Cases
Strong Negotiation Skills
Trial Experience
Transparent Fee Structure
Compassionate Approach
Conclusion
Proving fault in a truck accident in Omaha necessitates a comprehensive approach and the expertise of a seasoned attorney. By hiring a local truck accident lawyer in Omaha, you benefit from their knowledge of regional regulations, local court systems, and established networks, all of which are pivotal in securing a favorable outcome. Take the time to evaluate potential lawyers based on their expertise, success rates, and client reviews to ensure you choose the best representation for your case.
For a directory of reputable attorneys in Omaha, visit the Nebraska State Bar Association.
Note
Hi, I want to ask you what are your thoughts on the "mentor/mother figure" tropes that surround Eda and how the show handled them, because to me it fell flat. Sure, Eda does count as a mother figure to Luz and King, and my disinterest in this found family could be written off as just that - me being disinterested in them.
I have a small gripe with how the show calls the tropes Eda has in the story itself by the characters naming them, that I get the feeling the writers are telling me how to view Eda and to love her character.
And this is more fandom related, but am I the only one who doesn't get the whole "Eda is a Mama Bird" thing? Because outside of Luz and King, the only child she has this mentor/parental dynamic with would be Edred.
She doesn't have many moments with Willow and Gus, even back in season 1. I would say, Willow and Gus have more of that "parent/child" dynamic with Camila.
Eda and Amity do go on an adventure together for the Titan's Blood, but nothing about their dynamic screamed "parent & child". The same goes for Hunter, but I will acknowledge that their lack of interactions is because of the cut on season 3.
I know my criticism mostly stems from me not clicking with Eda's character like many fans of the show do, so my view on Eda will differ from theirs.
First off, I totally get not clicking with Eda as a character, even if I liked her. I also know most of my liking of the character actually comes from Wendie Malick's performance, I think she did a splendid job, especially in the more emotional scenes (like the fight scenes in s1 with Lilith). I also knew her as Beatrice Horseman before I watched The Owl House, so seeing her play a good mother figure was very engaging to me.
THAT BEING SAID, the moment when Luz and Eda’s relationship didn't feel as special to me was when the show was trying to portray Eda in a motherly way with any other kid. I don’t mean just the main team, I mean, if there was a child character, they’d find a way for Eda to mother them. I think this started in season 2 when the show already had a decent-sized fanbase and was making their own interpretations and headcanons for Eda. Mainly the one you mentioned, her being a “mama bird”. Multiple (even background) characters call her “Mama Eda”, which seemed like excessive fan service. Many things like that were done in excess or amped up because the show's fans were responding to it well and a lot of those amped-up/excessive moments felt out of character for Eda. She didn’t even want to take care of Luz in the beginning, that alone would be enough for me to believe she wouldn’t be willing to adopt everything that lives and breathes.
Willow and Gus definitely have more of a "parent-child" dynamic with Camila, which I think was very nicely done, same with Hunter. I see him having more of a "mother-son" dynamic with Camila than Eda. Season 3 being cut short is an argument I see a lot; however, if they managed to create this dynamic between Willow/Gus/Hunter and Camila within the first episode of season 3, I don't see how them not doing that with Eda can be attributed to the shortening, precisely because they had either 2 or 1 seasons (Hunter I believe met Eda in season 2) to write this dynamic, unlike with Camila, who only became an interactable character with the main cast in season 3, while Eda was there from the beginning.
The "self-aware", breaking-the-fourth-wall-esque humor you mentioned is one of my biggest pet peeves with the show. Pointing out tropes in the most fandom way imaginable will never fail to make me cringe. Show, don't tell is one of the most basic, easiest ways to make a story interesting, and somehow, for the sake of "incorrect quotes" type of humor, they keep failing at it. A few quotes that instantly come to mind are the "cool aunt vibe" from Collector and "What are those stupid kids doing? Wait, those are MY stupid kids" said by Eda herself. Most of the characters are written very quirky, almost falling into the MPDG territory, often reducing them to one character trait for the sake of, as I said before, cheap jokes.
I also have an issue with Luz and Eda's narratives, in that the writers can't seem to decide if Eda is the character Luz relates to or Camila is. Camila's speech about understanding Luz in season 3 felt very haphazard because we've spent 2 seasons of Eda and Luz's narratives paralleling each other in the points Camila is bringing up. Being unaccepted, feeling isolated, having no one understand them, being seen as dangerous at times, messing up all the time, and not liking conventionality. These points are a big part of Luz and Eda's characters and are parallels to each other. Camila's speech would've been so impactful if it was Eda instead, not only because of the fact their stories parallel each other (and this scene was exactly what their storyline was going towards) but also because of the fact that we know Luz looks up to Eda, seeing her as weirdly perfect, exonerating her at times even. Luz, not seeing Eda for who she really is, realizes they are much more alike after the speech, and that Eda understands her.
Thank you so much for the ask! I love talking about this! So if you want to hear my thoughts on anything else, just shoot me an ask! <3 I also just woke up so this might be a little all over the place and I apologize for that.
#i also dont know how to tag so if I cross tag I'm so sorry#please let me know#toh critical#toh criticism#robin reflects asks#robin reflects on toh#the owl house criticism#eda clawthorne#luz noceda
Text
Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.
For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.
“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.
Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.
People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.
Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.
“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”
Impersonating Police, Violence as a Service
Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.
Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.
“If a threat actor can intercept that process, it’s the fastest way for them to get highly accurate sensitive data on the victim,” Larsen explains. “They’re really stepping up and using that as their primary method for doxing victims.” This kind of request has previously been used to harass women and children, as well as weaponized against security researchers.
During his research, Larsen says he infiltrated various Telegram groups where people were selling access to systems used to make EDRs, as well as the government email accounts needed to make such requests. One individual, according to screenshots shared by Larsen, claimed to be selling access to TikTok's law enforcement platform using a US Department of Justice email address, and claimed they had an FBI email address too. Another claimed they would create government email addresses from Mozambique, the Philippines, Pakistan, and Brazil for $125 each.
Larsen says he reported the details to law enforcement agencies. The FBI declined to comment about false EDRs to WIRED, while a TikTok spokesperson pointed toward its public policies on emergency data requests and the ways it tries to ensure they are valid. The US Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.
“Violence as a service” groups have appeared from SIM swapping communities in recent years as well, allowing people to pay for violent acts to be carried out. Digital extortion can lead to physical extortion, Larsen says, adding that Doxbin doesn’t allow threats or discussions of violence to be posted on its platform. “I’ve seen people get doxed and that ends up in them being bricked, getting their house shot up, getting a Molotov thrown through their windows, gang stalked, all in an attempt to extort them for money,” Ego said in a conversation with Larsen. Videos of attacks are sometimes posted online. “Things get pretty wicked online, much more than people realize,” Ego said.
These incidents can involve people trying to extort cryptocurrency from people with large stashes—although some violence services have been used by feuding online groups. “Unless these platforms get taken down, or more actors get punished, both in the US and abroad, it's just going to continue to rise,” Larsen says. “Particularly as cryptocurrency becomes more adopted by more people.”
Few Doxing Protections
Globally, few legal protections against doxing exist—although elements may fall under stalking, harassment, or data protection legislation. “Laws worldwide are simply not fit to provide protection,” says Amanda Manyame, digital rights adviser at Equality Now, a feminist human rights NGO. “Victims have no way to swiftly regain control of information that has been published with the intent to harass, intimidate, and/or harm them.”
“The prompt takedown of doxing-related content is very important for victims, and governments need to enact laws that mandate the removal of such content within 24 hours,” Manyame says, with Equality Now’s research stating that doxing can “disproportionately” impact women and girls.
Indicating the challenges of getting information removed, Doxbin publishes a transparency report—mimicking the practices of Big Tech platforms—listing the number of removal requests it receives. Around 160 requests from lawyers and local and national law enforcement bodies are listed from 27 countries, Larsen says, with the majority being denied as they don’t break Doxbin’s limited terms of service.
While legal routes to getting data removed are slim, there are steps people can take to limit some of the impacts linked to doxing and wider online privacy abuses. At an individual level, Larsen says, common cybersecurity measures can help, including not reusing passwords across apps and websites, locking down social media accounts and not posting photos and personal information, and turning on multifactor authentication for as many accounts as possible. For people wanting to go further, using usernames and email addresses that are not linked to one another or to a single online handle is a potential first step.
Text
It seems like a big part of the CrowdStrike situation is the use of a big, high-attack-surface, mutable OS as a HAL for information appliances (for instance a ticket kiosk). I think rather than sprinkling more and more aggressive EDR on a mega-OS, we should be trying to remove as much from the OS as possible and make the OS as immutable as possible.
Even more so, it seems like there was a big push to CrowdStrike and high-velocity EDR updates after WannaCry, a crypto locker. But it seems like a kiosk doesn't have much local state to lock up or destroy in the first place. It's most dangerous first as an entry point to the datastore, and second as a system that needs high availability for the meatspace service it enables. It seems like the same remediation policy for a datastore might not be so great for an endpoint.
Text
As I said before, I think everybody should have an experience in working in customer service, if they don't have basic empathy already.
I understand that a customer leaving a certain amount of money wants to be treated like a king, but I wish they would understand that our staff members are overworked, underpaid, overstimulated, probably haven't had an opportunity to sit on their ass the whole day, living on coffees, Red Bulls and prison food leftovers that our EDR has to offer.
Text
The Ice Demon!
He has your typical snow and ice related powers and has existed as long as the concept of trading currency for goods and services has existed lmao. A business demon who gets wrapped into saving the world from the eternal evil.
He flirts with Melinda/(later) Emma mainly to make Edred mad because he hates him. He himself doesn't feel love for anyone so it's mainly an act. Though he is immortal, his soul is always sealed back inside of Copernicus because they're afraid he'll bail between summonings.
Despite the fact that he claims he only wants to save the universe because he's living (and thriving) in it, he does seem to care very much for Melinda. (Later Emma and Winston as well!)
Text
Boosting Efficiency and Productivity in Dental Practices with IT Support
Dental IT support plays a crucial role in boosting efficiency and productivity within dental practices. Here's how:
Streamlining administrative tasks: Dental IT support can help automate and streamline administrative tasks such as appointment scheduling, billing, and inventory management. This saves time and allows dental staff to focus on providing quality patient care.
Electronic Dental Records (EDR): Implementing EDR systems with the help of Dental IT services can digitize and organize patient records. This eliminates the need for manual paperwork, reduces the risk of errors, and improves access to patient information, ultimately leading to faster and more accurate diagnoses and treatments.
Integration of imaging and diagnostic tools: Dental IT solutions can assist in integrating imaging and diagnostic tools, such as digital radiography and intraoral cameras, with dental software systems. This allows for seamless transfer of images and data, enhancing diagnostic accuracy and treatment planning.
Remote access and telemedicine capabilities: Dental IT support can enable remote access to patient records, which is especially beneficial for dentists working in multiple locations or during emergencies. Additionally, Dental IT services can facilitate telemedicine capabilities, allowing dentists to conduct virtual consultations, provide follow-up care, and ultimately expand their reach to more patients.
Efficient communication and collaboration: Dental IT support can implement secure messaging platforms, email systems, and video conferencing solutions within the dental practice. This improves communication among the dental team, enhances collaboration on treatment plans, and enables efficient coordination of patient care.
Data analytics and reporting: Dental IT support can help dentists leverage data analytics tools to generate reports and insights. These reports can highlight areas of improvement, track key performance indicators, and aid in making informed business decisions that optimize efficiency and productivity.
By having reliable Dental IT support, dental practices can leverage technology to streamline administrative tasks, improve access to patient data, enhance collaboration and communication, and utilize data analytics. These factors ultimately lead to increased efficiency and productivity within the practice, benefiting both the dental staff and patients.
#Dental Computer Support#Dental IT service#Dental IT services#Dental IT solutions#Dental IT solution
Text

Best Top Kitchen Remodeling | EDR Design Build
Looking to elevate your kitchen with the Best Top Kitchen Remodeling services? Look no further than EDR Design Build. As experienced General Contractors, we specialize in creating stunning and functional kitchen spaces that exceed your expectations. Trust us to bring your dream kitchen to life. Contact us today for a consultation.
Text
Real-Time Cyber Threat Intelligence: How EDSPL Detects and Neutralizes Breaches Before They Happen

Introduction: Why Real-Time Cyber Threat Intelligence Is No Longer Optional
In today’s hyperconnected world, cybersecurity has shifted from a passive necessity to an active business differentiator. Every second, organizations face a barrage of threats—from phishing emails and malware to ransomware and zero-day exploits. The question is no longer if a business will be targeted, but when. That’s where Real-Time Cyber Threat Intelligence (RTCTI) becomes the ultimate game-changer.
For modern enterprises, simply having network security or firewalls is no longer enough. You need an intelligence-driven, always-on, proactive system that can detect, analyze, and stop threats before they even get close to your data.
At EDSPL, we don’t just respond to cyber threats—we anticipate them. We predict attacks before they unfold, using real-time threat intelligence to shield your enterprise against both known and emerging risks.
What Is Real-Time Cyber Threat Intelligence (RTCTI)?
Real-Time Cyber Threat Intelligence refers to the collection, processing, and analysis of cyber threat data as it happens, enabling immediate threat detection and faster response. RTCTI goes far beyond traditional threat feeds. It uses automation, machine learning, and deep analytics to identify patterns, uncover malicious intent, and neutralize attacks in progress.
The High Stakes: What Happens Without Real-Time Intelligence
Imagine a scenario where a phishing email slips through filters. Within minutes, credentials are stolen, malware is planted, and lateral movement begins within your network. If you're relying on weekly scans or daily logs, by the time you catch it—your data is already gone.
Now contrast that with EDSPL's real-time approach:
A suspicious login pattern is detected in milliseconds. Threat intelligence confirms correlation with known malicious IPs. Automated response isolates the endpoint, cuts off access, and alerts the SOC team. Breach attempt thwarted—before any data is touched.
This is the power of EDSPL’s Real-Time Cyber Threat Intelligence.
How EDSPL Powers RTCTI: A Behind-the-Scenes Look
1. Global Threat Intelligence Feeds
At EDSPL, we integrate real-time threat feeds from:
Industry-leading platforms (FireEye, IBM X-Force, AlienVault, etc.)
Open-source intelligence (OSINT)
Government and ISAC advisories
Proprietary honeypots and decoys deployed worldwide
These sources constantly update our threat intelligence database, ensuring we stay ahead of even the most advanced threat actors.
2. Security Operations Center (SOC) 24x7x365
Our in-house SOC is the nerve center of our RTCTI system. With round-the-clock vigilance, our analysts monitor anomalies, respond to alerts, and hunt threats proactively. Every activity, from system logs to endpoint behavior, is streamed live into our monitoring environment, enabling real-time decision-making.
Explore our full range of services
3. SIEM + SOAR Integration
We use top-tier Security Information and Event Management (SIEM) tools to correlate data across endpoints, cloud security, application security, and on-prem systems.
But we don’t stop there. Our Security Orchestration, Automation, and Response (SOAR) tools automate the playbooks. This ensures:
Faster incident triage
Reduced Mean Time to Detect (MTTD)
Reduced Mean Time to Respond (MTTR)
4. AI-Powered Anomaly Detection
Static rules and signatures aren’t enough. Our AI/ML models learn and adapt continuously, identifying deviations from “normal” behavior. Whether it's an employee logging in from an unusual location or a file being downloaded at an odd time, our system catches the smallest red flags.
5. Endpoint Detection & Response (EDR)
Our RTCTI stack includes next-gen EDR, which monitors every action on your devices in real time. From USB connections to command-line activity, EDR ensures no breach goes unnoticed.
Real-Life Use Case: How EDSPL Prevented a Ransomware Attack
In early 2025, a client’s internal user unknowingly downloaded a malicious attachment disguised as an invoice. The malware silently tried to encrypt files and escalate privileges. Within 4 seconds:
EDSPL's SIEM flagged anomalous activity.
Our SOAR platform triggered an auto-isolation of the device.
The malware was quarantined, and logs were sent for forensic analysis.
No data was lost. No operations were disrupted.
That’s what real-time threat intelligence looks like in action.
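The login scenario above and the ransomware use case describe the same loop: a SIEM-style rule correlates an event with threat intelligence or a behavioural threshold, and a SOAR-style playbook isolates the host and notifies the SOC. The following is an added illustration of that loop, not EDSPL's code; the threat-feed networks (documentation ranges), user baselines, rename threshold, 4-second window and playbook steps are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Constructed threat-intel "feed": documentation-range networks standing in for
# the indicators a real feed would deliver. Placeholder values, not real IoCs.
MALICIOUS_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed baseline of countries each user normally logs in from (assumed).
USER_BASELINE_COUNTRIES = {"alice": {"IN"}, "bob": {"IN", "SG"}}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str                               # "login" or "file_rename"
    detail: dict = field(default_factory=dict)


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    actions: list = field(default_factory=list)   # SOAR-style playbook steps


def ip_in_threat_feed(ip: str) -> bool:
    """Correlate a source address against the threat-intel networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MALICIOUS_NETWORKS)


def detect_suspicious_logins(events):
    """Login from a threat-feed IP, or from a country outside the user's baseline."""
    alerts = []
    for ev in events:
        if ev.kind != "login":
            continue
        ip, country = ev.detail["src_ip"], ev.detail["country"]
        if ip_in_threat_feed(ip):
            alerts.append(Alert(ev.host, "login_from_known_malicious_ip", "high"))
        elif country not in USER_BASELINE_COUNTRIES.get(ev.user, set()):
            alerts.append(Alert(ev.host, "login_from_unusual_location", "medium"))
    return alerts


def detect_mass_renames(events, window=timedelta(seconds=4), threshold=20):
    """Ransomware-like behaviour: many file renames on one host inside a short
    sliding window (the silent encryption step in the use case). Fires once per
    host when the threshold is first crossed."""
    alerts, per_host = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "file_rename":
            continue
        times = per_host.setdefault(ev.host, [])
        times.append(ev.ts)
        while times and ev.ts - times[0] > window:   # drop renames outside the window
            times.pop(0)
        if len(times) == threshold:
            alerts.append(Alert(ev.host, "mass_file_rename", "critical"))
    return alerts


def apply_playbook(alert):
    """Map an alert to automated response steps (an assumed playbook)."""
    steps = ["notify_soc", "preserve_logs_for_forensics"]
    if alert.severity in ("high", "critical"):
        steps = ["isolate_host", "revoke_sessions"] + steps   # contain first, then tell the SOC
    if alert.rule == "mass_file_rename":
        steps.insert(1, "kill_offending_process")
    alert.actions = steps
    return alert


def correlate(events):
    """Run both detections over a batch of events and attach playbook actions."""
    alerts = detect_suspicious_logins(events) + detect_mass_renames(events)
    return [apply_playbook(a) for a in alerts]


def sample_events():
    """Constructed events: one login from a feed IP, one normal login, one rename burst."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    evs = [
        Event(t0, "wks-17", "alice", "login", {"src_ip": "203.0.113.45", "country": "IN"}),
        Event(t0, "wks-22", "bob", "login", {"src_ip": "192.0.2.10", "country": "SG"}),
    ]
    evs += [Event(t0 + timedelta(milliseconds=150 * i), "wks-31", "carol", "file_rename",
                  {"new_ext": ".locked"}) for i in range(25)]
    return evs


def slow_rename_events():
    """Constructed negative case: 20 renames one second apart never fill the window."""
    t0 = datetime(2025, 1, 15, 10, 0, 0)
    return [Event(t0 + timedelta(seconds=i), "wks-40", "dave", "file_rename",
                  {"new_ext": ".bak"}) for i in range(20)]


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a.host, a.rule, a.severity, a.actions)
```

The sliding window is what keeps the rename rule from firing on ordinary housekeeping such as a slow backup job, which is the false-positive case the same rule would otherwise generate.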
RTCTI Is Not Just for Enterprises—SMEs Need It Too
It’s a myth that only large corporations need advanced threat intelligence. In fact, small and mid-sized enterprises are often prime targets—because they have weaker defenses.
At EDSPL, we’ve designed scalable RTCTI packages to suit organizations of all sizes, backed by our expertise in mobility, compute, storage, and backup.
Key Benefits of EDSPL’s Real-Time Threat Intelligence
Proactive Threat Detection
Stop threats before they reach critical systems.
Rapid Incident Response
Our automation ensures no time is wasted during an attack.
Intelligent Insights
Go beyond alerts—understand the context behind every threat.
AI-Driven Accuracy
Eliminate false positives. Focus only on real threats.
Customizable for Your Industry
From finance and healthcare to retail and manufacturing—we tailor defenses to your risk landscape, including switching, routing, and data center switching infrastructure security.
Industries That Trust EDSPL for RTCTI
We serve organizations across sectors, including:
BFSI (Banking, Financial Services, Insurance)
Healthcare
E-commerce
EdTech
Manufacturing
Government and Public Sector
How EDSPL Stays Ahead of Cyber Criminals
Cyber criminals evolve every day—but so do we. Here’s how EDSPL maintains a competitive edge:
Strategy: How It Helps
Threat Hunting Teams: Actively search for hidden threats before they strike.
Red Team Simulations: Simulate real attacks to test & improve defenses.
Zero-Day Threat Mitigation: Heuristic detection + rapid signature updates.
Dark Web Monitoring: Track stolen credentials and brand mentions.
Incident Drill Playbooks: Be ready with tested, automated response plans.
Why EDSPL Is the Right RTCTI Partner for You
Choosing a cyber partner is about trust. With EDSPL, you get:
✅ Experienced Cybersecurity Professionals
✅ Real-Time Visibility Across All Layers
✅ Custom Playbooks and Reporting Dashboards
✅ Compliance-Ready Solutions
✅ Managed and maintenance services that ensure long-term protection
Conclusion: Stop Attacks Before They Even Begin
The threats are getting smarter, faster, and more dangerous. If you’re waiting to react to a breach, you’re already too late.
With Real-Time Cyber Threat Intelligence from EDSPL, you gain an unfair advantage. You move from being a passive target to a proactive defender.
Don’t wait for the breach—predict it, detect it, and neutralize it with EDSPL.
Want to Get Started?
Reach Us or Get In Touch to future-proof your cybersecurity infrastructure. Understand our background, vision, and commitment to enterprise security excellence.
Ready to secure your business? Contact our experts today and get a free consultation tailored to your organization’s needs.
📧 Email: [email protected]
🌐 Website: www.edspl.net
Follow us on social media for the latest updates and insights:
🔗 Facebook | LinkedIn
Text
The Role of AI in Enhancing Cybersecurity Defenses
As cyber threats evolve in scale and sophistication, organizations are turning to artificial intelligence (AI) to fortify their defenses. In 2025, AI is not just a tool but a transformative force, redefining how the best cyber security companies and top cybersecurity firms protect digital assets. This blog explores how AI is shaping the future of cybersecurity, the challenges it brings, and why partnering with a leading cyber security company is more critical than ever.
AI: The Double-Edged Sword in Cybersecurity
AI’s impact on cybersecurity is profound—and complex. While it empowers defenders to detect and respond to threats faster than ever, it also equips adversaries with tools to launch more targeted and elusive attacks. According to the 2025 RSA Conference, AI is rapidly reshaping the cybersecurity landscape, bringing both unprecedented opportunities and significant challenges for organizations worldwide.
How Attackers Use AI
Accelerated Attacks: AI enables cybercriminals to launch attacks with “breakout times” under an hour, making rapid response essential.
Personalized Phishing & Deepfakes: Attackers use AI to create convincing phishing emails, fake websites, and deepfake videos that bypass traditional detection mechanisms.
Adaptive Malware: AI-powered malware can mimic legitimate activity, time attacks strategically, and evade endpoint detection and response (EDR) systems.
Model Poisoning: Hackers can manipulate the AI models used by organizations, raising concerns about the accuracy and reliability of security systems.
AI as a Cybersecurity Game-Changer
Despite the risks, AI is revolutionizing cyber defense. The top cybersecurity companies are integrating AI into their security stacks to stay ahead of increasingly sophisticated threats.
1. Advanced Threat Detection
AI systems can analyze vast amounts of data in real time, identifying anomalies and potential breaches before they escalate. For example, AI can detect unusual login patterns, reverse-engineer malware, and flag suspicious network activity—tasks that would overwhelm human analysts. Unsupervised learning allows AI to identify new and unknown threats without relying on labeled data, making it a powerful tool against emerging attack vectors.
2. Rapid Response and Automated Remediation
Agentic AI—where multiple specialized AI agents collaborate—enables real-time detection and automated remediation. These agents can isolate compromised endpoints, stop malware from spreading, and even restore clean systems from backups within minutes. This dramatically reduces the time from detection to response, a crucial advantage in today’s fast-moving threat landscape.
3. Security Operations Center (SOC) Automation
AI-driven automation is transforming Security Operations Centers. By automating routine monitoring, alert triage, and compliance checks, AI allows human analysts to focus on complex, high-priority threats. This targeted automation not only improves efficiency but also enhances overall risk management for organizations relying on cyber security services.
4. Predictive and Pre-Emptive Defense
AI’s predictive capabilities allow organizations to anticipate and mitigate threats before they occur. By analyzing historical data and current trends, AI can forecast potential vulnerabilities and recommend proactive measures. This shift from reactive to proactive defense is a hallmark of the best digital security strategies.
The Business Case for AI-Driven Cybersecurity
The adoption of AI in cybersecurity isn’t just about staying ahead of attackers—it’s also about efficiency and cost savings. Organizations that leverage AI and automation save an average of $2.2 million annually compared to those that don’t. As more than 90% of AI capabilities in cybersecurity are expected to come from third-party providers, partnering with top cybersecurity firms ensures access to cutting-edge solutions without the burden of in-house development.
Challenges and Considerations
While AI offers immense promise, it also introduces new challenges:
Talent and Skills Gap: Many organizations struggle to find professionals with the expertise to manage and interpret AI-driven tools.
Explainability and Trust: As AI systems become more complex, understanding their decision-making processes is crucial for risk governance.
Ethical and Privacy Concerns: The use of AI in monitoring and analyzing behavior must balance security with respect for privacy and regulatory compliance.
The Future: Collaborative Intelligence
Looking ahead, the future of cybersecurity lies in collaborative intelligence—AI agents working alongside human experts to create adaptive, resilient defenses. The best cyber security companies are already investing in innovations that combine AI-driven automation with human oversight, building collective defense mechanisms that can share insights across networks and organizations.
Conclusion
AI is fundamentally transforming the cybersecurity landscape. For businesses, partnering with a cyber security company or digital security firm that leverages AI is no longer optional—it’s essential. As cyber threats become more advanced and persistent, only organizations that embrace AI-powered defenses will be able to protect their assets, data, and reputation in the digital age.
If you’re seeking to strengthen your security posture, consider working with the best digital security companies or top cybersecurity agencies that are leading the charge in AI-driven protection. The future of cybersecurity is here—and it’s powered by artificial intelligence.
Text
Data Loss Prevention Market Size Expected to Reach USD 10.05 Bn By 2030
North America dominated the global Data Loss Prevention (DLP) Market Size in 2022, holding a commanding market share of 39.67%, driven by strong cybersecurity frameworks, stringent regulatory compliance standards, and widespread enterprise digitization. The global DLP market, valued at USD 1.84 billion in 2022, is projected to reach USD 10.05 billion by 2030, growing at a CAGR of 24.1% during the forecast period (2023–2030).
DLP technologies in North America are being rapidly adopted by sectors like BFSI, healthcare, defense, and retail to counter rising threats of insider data leaks, ransomware, and regulatory non-compliance.
Key Market Highlights:
2022 Global Market Size: USD 1.84 billion
2030 Global Market Size: USD 10.05 billion
CAGR (2023–2030): 24.1%
North America Market Share (2022): 39.67%
Market Outlook: Steady growth fueled by increasing data breaches and expanding regulatory mandates such as HIPAA, GLBA, and CCPA
Key Players in the North American DLP Market:
Symantec (Broadcom Inc.)
Forcepoint
Digital Guardian (Fortra)
McAfee Corp.
Microsoft Corporation
Cisco Systems Inc.
Trend Micro Inc.
Proofpoint Inc.
Check Point Software Technologies
Varonis Systems
Zscaler, Inc.
Request for Free Sample Reports: https://www.fortunebusinessinsights.com/enquiry/request-sample-pdf/data-loss-prevention-market-108686
Market Dynamics:
Growth Drivers:
Escalating volume and sensitivity of enterprise data across cloud platforms
Regulatory pressure from laws like GDPR, CCPA, HIPAA, and PCI DSS
Increasing insider threats and sophisticated ransomware attacks
Remote work culture accelerating endpoint data vulnerability
Adoption of cloud-based and hybrid DLP solutions by enterprises for better scalability and visibility
Key Opportunities:
Expansion of DLP to protect unstructured data across collaboration tools and endpoints
Integration with security information and event management (SIEM) systems
Growing need for AI/ML-powered policy automation and anomaly detection
Increased adoption in mid-sized businesses via SaaS-based DLP offerings
Opportunities in verticals like education, legal, and public sector that manage sensitive personal data
Technology & Application Scope:
Deployment Models: On-premises, cloud-based, and hybrid
Application Areas: Network DLP, endpoint DLP, cloud DLP
Industries Served: Banking & Finance, Healthcare, Retail, IT & Telecom, Government, Education
Use Cases: Intellectual property protection, regulatory compliance, data visibility & classification, real-time policy enforcement
Segments Covered:
By Component
By Type
By Industry
Speak to Analyst: https://www.fortunebusinessinsights.com/enquiry/speak-to-analyst/data-loss-prevention-market-108686
Recent Developments:
March 2024 – Microsoft launched enhanced DLP capabilities within Microsoft 365 Purview, enabling real-time risk mitigation and auto-classification for Teams, SharePoint, and OneDrive.
September 2023 – Forcepoint introduced a unified cloud-native DLP platform integrated with Zero Trust architecture, improving visibility across hybrid environments.
June 2023 – Cisco expanded its SecureX platform with AI-based anomaly detection and insider risk analytics, enhancing its enterprise-grade DLP suite.
Market Trends in North America:
Widespread transition to cloud-based DLP platforms with AI integration
Emphasis on protecting data-in-motion and data-at-rest across complex environments
Rising adoption of Managed Security Service Providers (MSSPs) for DLP as a service
Increased focus on behavioral analytics and contextual awareness in DLP systems
DLP convergence with endpoint detection and response (EDR) and identity management tools
Conclusion:
North America remains the epicenter of innovation and deployment in the Data Loss Prevention market, supported by a highly digitized economy, regulatory rigor, and advanced cybersecurity infrastructure. As threats grow more sophisticated and the cost of data breaches escalates, the region’s demand for comprehensive, intelligent, and automated DLP solutions is expected to surge.
Vendors who provide flexible, cloud-native, and AI-enhanced DLP offerings are best positioned to capture this accelerating market growth.
#Data Loss Prevention Market Share#Data Loss Prevention Market Size#Data Loss Prevention Market Industry#Data Loss Prevention Market Analysis#Data Loss Prevention Market Driver#Data Loss Prevention Market Research#Data Loss Prevention Market Growth
Link
ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian. We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed. Finally, based on our observations following the law-enforcement-led Operation Cronos and the demise of the infamous BlackCat gang, we offer our insights into how to assist in this intensive fight against ransomware.

Key points of this blogpost:
We discovered clear links between the RansomHub, Play, Medusa, and BianLian ransomware gangs. We achieved this by following the trail of tooling that RansomHub offers its affiliates.
We document additional findings about EDRKillShifter, correlating our observations with RansomHub’s public activity.
We offer insights into the emerging threat of EDR killers, their anatomy, and their role in the ransomware world.

Overview
The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped, in particular by a stunning 35% despite reverse expectations in the middle of the year. On the other hand, the recorded number of victims posted on dedicated leak sites (DLSs) increased by roughly 15%. A big part of this increase is due to RansomHub, a new RaaS gang that emerged around the time of Operation Cronos.
In this blogpost, we look in depth at RansomHub and demonstrate how we leveraged to our advantage the way affiliates use RansomHub’s tooling, allowing us to draw connections between RansomHub and its rivals, including well-established ones like Play, Medusa, and BianLian.

Throughout this blogpost, we refer to entities forming the ransomware-as-a-service model as follows:
Operators, who develop the ransomware payload, maintain the DLS, and offer services to affiliates, usually for a monthly fee and a percentage of the ransom payment (typically 5–20%).
Affiliates, who rent ransomware services from operators, and deploy the encryptors to victims’ networks and commonly also practice data exfiltration.

The rise of RansomHub
RansomHub announced its first victim on its DLS (see Figure 1) on February 10th, 2024, 10 days before the public announcement of Operation Cronos. While the gang’s rise was slow, it was also consistent, and when – in April 2024 – RansomHub achieved the most victim postings of all active ransomware groups (disregarding LockBit posting fakes), it was clear that this was a gang to keep a close eye on. Since then, RansomHub has dominated the ransomware scene.

Figure 1. RansomHub’s DLS

To further demonstrate how dangerous RansomHub is, let’s compare it to LockBit. Figure 2 shows the daily cumulative sum (on the y-axis) of new victims posted on the DLS of LockBit vs. RansomHub, starting from RansomHub’s appearance in February 2024.

Figure 2. Progression of DLS posts by RansomHub and LockBit since RansomHub’s appearance. Source: ecrime.ch

As you can clearly see, while RansomHub started announcing victims more slowly, nearly nine months later the gang was able to accumulate more victims since it started than LockBit, and that trend continues to this day.
Considering that both BlackCat and LockBit suffered huge blows right around the time RansomHub emerged, we can confidently assume that many skilled affiliates migrated to RansomHub; Notchy, the BlackCat affiliate who stole more than 4 TB of data from Change Healthcare, is just one publicly known example.

Figure 3 shows the ransom note that RansomHub affiliates leave on their victims’ machines.

We are the RansomHub.
Your company Servers are locked and Data has been taken to our servers. This is serious.
Good news:
- your server system and data will be restored by our Decryption Tool, we support trial decryption to prove that your files can be decrypted;
- for now, your data is secured and safely stored on our server;
- nobody in the world is aware about the data leak from your company except you and RansomHub team;
- we provide free trial decryption for files smaller than 1MB. If anyone claims they can decrypt our files, you can ask them to try to decrypt a file larger than 1MB.
FAQs:
Who we are?
- Normal Browser Links:
- Tor Browser Links:
Want to go to authorities for protection?
- Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent,After the incident report is handed over to the government department, you will be fined ,The government uses your fine to reward them.And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!
Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party "specialists"?
- they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed;
Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
- We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
Think your partner IT Recovery Company will do files restoration?
- no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our servers and we can publish it at any time; as well as send the info about the data breach from your company servers to your key partners and clients, competitors, media and youtubers, etc. Those actions from our side towards your company will have irreversible negative consequences for your business reputation.
You don't care in any case, because you just don't want to pay?
- We will make you business stop forever by using all of our experience to make your partners, clients, employees and whoever cooperates with your company change their minds by having no choice but to stay away from your company. As a result, in midterm you will have to close your business.
So lets get straight to the point.
What do we offer in exchange on your payment:
- decryption and restoration of all your systems and data within 24 hours with guarantee;
- never inform anyone about the data breach out from your company;
- after data decryption and system restoration, we will delete all of your data from our servers forever;
- provide valuable advising on your company IT protection so no one can attack your again.
Now, in order to start negotiations, you need to do the following:
- install and run 'Tor Browser' from
- use 'Tor Browser' open
- enter your Client ID: [REDACTED]
* do not leak your ID or you will be banned and will never be able to decrypt your files.
There will be no bad news for your company after successful negotiations for both sides. But there will be plenty of those bad news if case of failed negotiations, so don't think about how to avoid it. Just focus on negotiations, payment and decryption to make all of your problems solved by our specialists within 1 day after payment received: servers and data restored, everything will work good as new.
************************************************

Figure 3. RansomHub ransom note

Recruiting phase
Just as any emerging RaaS gang, RansomHub needed to attract affiliates, and since there is strength in numbers, the operators weren’t very picky. The initial advertisement was posted on the Russian-speaking RAMP forum on February 2nd, 2024, eight days before the first victims were posted. There are a few things to note about the initial announcement:
Affiliates can receive ransoms with their own wallet and then afterward pay the operator.
Affiliates get to keep 90% of the ransom.
The encryptor is obfuscated and supports Windows, Linux, and ESXi platforms.
RansomHub offers various ways to enter its RaaS program:
Recommendation by an existing affiliate.
Proof of reputation.
Evidence of past RaaS cooperation.
Paying a deposit that is returned after first successful payment.
Attacking Commonwealth of Independent States, Cuba, North Korea, and China is prohibited.
Preferred communication is over qTox using the ID 4D598799696AD5399FABF7D40C4D1BE9F05D74CFB311047D7391AC0BF64BED47B56EEE66A528.

Guarantees like receiving ransom payment directly to the affiliate’s wallet and keeping a generous 90% certainly sound promising, especially in the chaos following the BlackCat and LockBit disruptions. Additionally, the entry barrier is very low, allowing even low-skilled affiliates to try their luck. It is also worth mentioning that RansomHub’s encryptor is not written from scratch, but based on repurposed code from Knight, a once-rival ransomware gang that sold its source code in February 2024.
The affiliates request the encryptor (often called a locker by RaaS operators) through the web panel offered by RansomHub (as is typical for RaaS gangs); the component responsible for generating the encryptor is typically referred to as a builder. Because information such as the unique victim ID is hardcoded in the encryptor, an affiliate needs to request a new one for every victim. RansomHub’s builder adds an additional layer of protection to its encryptors, a 64-character password, without which the encryptor does not work. This password is unique for each sample, generated by the builder, and known only to the affiliate who requested the encryptor.

On June 21st, 2024, RansomHub operators changed the affiliate rules in reaction to an alleged breach by security researchers. In response, the operator no longer allowed vouching by existing members as sufficient and strictly required a US$ 5,000 deposit for aspiring affiliates. This was the last noteworthy message from the RansomHub operators. However, between the initial announcement and this rule change, one more important event happened, which we dive into in the next section.

Expanding the arsenal – EDRKillShifter
On May 8th, 2024, the RansomHub operators made a significant update – they introduced their own EDR killer, a special type of malware designed to terminate, blind, or crash the security product installed on a victim’s system, typically by abusing a vulnerable driver. RansomHub’s EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator. EDRKillShifter is offered to RansomHub affiliates through the web panel, same as the encryptor; it too is protected by a 64-character password. Functionality-wise, it is a typical EDR killer targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach.
A notable distinction lies in the code protection – the password protects shellcode that acts as a middle layer of the killer’s execution. Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver. Sophos probably chose “shifter” in the name to reflect the fact that the abused driver is not always the same – at least two different vulnerable drivers (abused by other known EDR killers too) were observed. We dive more in depth into EDRKillShifter and other EDR killers in the EDR killers on the rise section.

The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products – some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. Evidently, ransomware affiliates thought this was a good idea, because soon after the announcement, ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases, as we demonstrate in the next section.

Roughly a month after EDRKillShifter’s announcement, on June 3rd, 2024, RansomHub operators posted yet another update, stating that they improved EDRKillShifter. ESET telemetry shows that some affiliates deployed this updated version only four days later.

Leveraging EDRKillShifter
ESET researchers took advantage of the wide popularity that EDRKillShifter gained upon its launch to expand our research. We were able to leverage its usage to associate RansomHub affiliates with the multiple rival gangs that they also work for, as well as to retrieve clearer internal versioning of this EDR killer.
Linking affiliates to rival gangs
The difference between RansomHub’s encryptor and EDRKillShifter is that there is no reason for affiliates to build a new sample of EDRKillShifter for every intrusion (unless there is a major update) – which is exactly what allowed us to uncover one of RansomHub’s affiliates working for three rival gangs – Play, Medusa, and BianLian. These three gangs differ significantly:
BianLian focuses mostly on extortion-only attacks, with no RaaS program offering on its DLS.
Medusa does not offer a RaaS program on its DLS either, but advertises its RaaS program on the RAMP underground forum.
Play strictly denies ever running a RaaS program on its DLS.

Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators simultaneously. However, we did not expect well-established gangs operating under the closed RaaS model (meaning that they do not actively look for new recruits and their partnerships are based on long-term mutual trust) to form alliances with RansomHub so quickly. Other well-established gangs, in addition to BianLian and Play, also operate under the closed RaaS model – the recent BlackBasta leak offered unique insight into the inner workings of such groups. One way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs. Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. This is especially interesting, since such closed gangs typically employ a rather consistent set of core tools during their intrusions. Before diving into the specifics of the discovered overlaps, let’s briefly introduce the modus operandi of the Play gang.
Play’s modus operandi
The Play gang posted the first victims to its DLS on November 26th, 2022; the gang has shown steady growth since then. In April 2024, Play made it to the top three most active ransomware gangs on the scene and consistently remained in the top 10 for the whole year. The gang posts 25 new victims each month, on average, focusing on SMBs, hinting that the gang has at least several experienced, loyal affiliates. Recently, Play has been linked to the North Korea-aligned group Andariel.

As expected from a closed RaaS gang, most cases involving the Play encryptor show similarities. Typically, in such intrusions:
the encryptors are stored in %PUBLIC%\Music\.exe,
SystemBC is utilized for payload delivery and serves as a proxy,
Grixba, a custom network scanner, is often used, and
additional tooling is often downloaded directly from an IP address.
The remainder of the attack typically employs a wide arsenal of tools, as well as living-off-the-land techniques.

The puzzle
Let’s look in depth at the links we discovered. We emphasize first the most important ones in Figure 4 and then dive into the details of each of the intrusions. We believe with high confidence that all these attacks were performed by the same threat actor, working as an affiliate of the four ransomware gangs shown in Figure 4. We are not tracking this threat actor under a dedicated name at this point, but for convenience, we’ll refer to this threat actor as QuadSwitcher.

Figure 4. Schematic overview of the links between Medusa, RansomHub, BianLian, and Play

As you can see in Figure 4, there are a total of five intrusions from four different ransomware gangs interlinked by:
two EDRKillShifter samples (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257 and 77DAF77D9D2A08CC22981C004689B870F74544B5),
the payload delivery server 45.32.206[.]169 hosting EDRKillShifter and WKTools (a utility to explore and modify the Windows kernel, used in many Play intrusions), and
SystemBC with C&C server 45.32.210[.]151.
The following sections go into the individual intrusions in more detail.

RansomHub
In July 2024, QuadSwitcher deployed the RansomHub encryptor along with EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) to a manufacturing company in Western Europe and an automotive company in Central Europe. In August, QuadSwitcher compromised a governmental institution in North America using PuTTY, and shortly after Rclone. They proceeded by installing AnyDesk and protecting it with a password via a PowerShell script, anydes.ps1 (part of the Conti leaks). Attempting to evade the security solution, the threat actor deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257) and TDSSKiller.

BianLian
At the end of July 2024, QuadSwitcher compromised a company in the legal sector in North America. During that intrusion, the threat actor dumped the Active Directory by executing powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q", deployed AnyDesk via the same installation script from the Conti leaks, and used Advanced IP Scanner to scan the network. Six days later, the attacker installed the ScreenConnect and Ammyy Admin remote monitoring and management (RMM) tools and deployed EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257).
After almost a month of no activity, the attacker returned and downloaded two payloads from http://45.32.206[.]169/:
WKTools.exe, the WKTools utility, often used by Play
Killer.exe, an instance of EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5)
Additionally, QuadSwitcher deployed SystemBC using 45.32.210[.]151 as its C&C server, and a signature BianLian backdoor with C&C server 92.243.64[.]200:6991 from http://149.154.158[.]222:33031/win64_1.exe. The victim was later announced on BianLian’s DLS.

Play
In early August 2024, QuadSwitcher compromised a manufacturing company in North America. They deployed SystemBC with C&C 45.32.210[.]151, EDRKillShifter (SHA-1: 77DAF77D9D2A08CC22981C004689B870F74544B5), and WKTools, downloaded from http://45.32.206[.]169/WKTools.exe. Ultimately, the threat actor deployed the Play encryptor.

Medusa
At the end of August 2024, QuadSwitcher compromised a technology company in Western Europe, downloading PuTTY from http://130.185.75[.]198:8000/plink.exe using certutil.exe, followed by using Process Explorer and EDRKillShifter (SHA-1: BF84712C5314DF2AA851B8D4356EA51A9AD50257). The threat actor also downloaded MeshAgent from http://79.124.58[.]130/dl/git.exe, also via certutil.exe. The victim was later announced on Medusa’s DLS.

The puzzle – conclusion
Besides the links summarized in Figure 4, there are TTPs that most resemble typical Play intrusions. In three of the cases, additional malware and tools were downloaded from a root folder of a server accessed via an IP address using HTTP and QuadSwitcher also used SystemBC, commodity malware heavily used by the Play gang. These links lead us to believe QuadSwitcher is related to Play the closest. Additionally, QuadSwitcher has access to at least two EDRKillShifter samples, compiled two months apart, signaling the threat actor had extended access to RansomHub’s tooling.
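The overlap analysis behind Figure 4 can be reproduced mechanically, which is how a CTI team would scale it past five cases. The block below is an added example (my code, not ESET's tooling): it holds the five QuadSwitcher intrusions as sets of indicators taken from the post (the two EDRKillShifter SHA-1s, the 45.32.206[.]169 payload server, the SystemBC C&C 45.32.210[.]151 and the named tools), refuses to link on commodity tools such as AnyDesk or PuTTY that appear in unrelated intrusions, and then clusters intrusions that share at least one remaining indicator with a union-find. The record names, the "type:" prefixes and the GENERIC set are my own constructions.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed records of the five intrusions in Figure 4. Every indicator
# value is taken from the post; the record names and "type:" prefixes are
# my own labelling for this example.
INTRUSIONS: Dict[str, Set[str]] = {
    "RansomHub-2024-07-manufacturing-WEU": {
        "sha1:BF84712C5314DF2AA851B8D4356EA51A9AD50257",
    },
    "RansomHub-2024-08-government-NA": {
        "sha1:BF84712C5314DF2AA851B8D4356EA51A9AD50257",
        "tool:TDSSKiller", "tool:AnyDesk", "tool:PuTTY", "tool:Rclone",
    },
    "BianLian-2024-07-legal-NA": {
        "sha1:BF84712C5314DF2AA851B8D4356EA51A9AD50257",
        "sha1:77DAF77D9D2A08CC22981C004689B870F74544B5",
        "url:http://45.32.206[.]169/", "c2:45.32.210[.]151",
        "c2:92.243.64[.]200:6991", "tool:WKTools", "tool:AnyDesk",
        "tool:Advanced IP Scanner",
    },
    "Play-2024-08-manufacturing-NA": {
        "sha1:77DAF77D9D2A08CC22981C004689B870F74544B5",
        "url:http://45.32.206[.]169/", "c2:45.32.210[.]151", "tool:WKTools",
    },
    "Medusa-2024-08-technology-WEU": {
        "sha1:BF84712C5314DF2AA851B8D4356EA51A9AD50257",
        "url:http://130.185.75[.]198:8000/", "tool:PuTTY",
        "tool:Process Explorer",
    },
}

# Commodity tools seen in countless unrelated intrusions: sharing one says
# nothing about a common operator, so they never create a link on their own.
GENERIC: Set[str] = {"tool:AnyDesk", "tool:PuTTY", "tool:Advanced IP Scanner",
                     "tool:Process Explorer", "tool:Rclone"}


def shared_indicators(a: Set[str], b: Set[str], ignore: Set[str] = GENERIC) -> Set[str]:
    """Indicators two intrusions have in common, minus the generic ones."""
    return (a & b) - ignore


def link_graph(intrusions: Dict[str, Set[str]],
               ignore: Set[str] = GENERIC) -> Dict[Tuple[str, str], Set[str]]:
    """Edges between intrusions that share at least one meaningful indicator."""
    edges: Dict[Tuple[str, str], Set[str]] = {}
    for x, y in combinations(sorted(intrusions), 2):
        common = shared_indicators(intrusions[x], intrusions[y], ignore)
        if common:
            edges[(x, y)] = common
    return edges


def clusters(intrusions: Dict[str, Set[str]],
             ignore: Set[str] = GENERIC) -> List[Set[str]]:
    """Connected components of the link graph, found with union-find."""
    parent = {name: name for name in intrusions}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for x, y in link_graph(intrusions, ignore):
        parent[find(x)] = find(y)
    groups: Dict[str, Set[str]] = {}
    for name in intrusions:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda s: sorted(s))


def gangs(cluster: Set[str]) -> Set[str]:
    """Ransomware brands (the record-name prefix) represented in one cluster."""
    return {name.split("-", 1)[0] for name in cluster}


if __name__ == "__main__":
    for (x, y), common in link_graph(INTRUSIONS).items():
        print(f"{x} <-> {y}: {sorted(common)}")
    for group in clusters(INTRUSIONS):
        print("cluster:", sorted(group), "->", sorted(gangs(group)))
```

With the generic filter in place, the only thing tying the two RansomHub cases to the BianLian case is the first EDRKillShifter hash, while Play and BianLian are tied by the second hash, the payload server, the SystemBC C&C and WKTools; every case lands in a single cluster spanning four brands. Dropping the filter (pass `ignore=set()`) shows why it matters: PuTTY alone would then also "link" the RansomHub and Medusa cases, a conclusion no analyst should draw from a commodity tool.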
Reconstructing EDRKillShifter development timeline

In September 2024, ESET researchers documented a case where CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub. Note that CosmicBeetle is not a gang, but an individual developing and distributing various ransomware. Following the publication of our findings, we observed CosmicBeetle further utilize EDRKillShifter during:

- a RansomHub attack against a hospitality company in South America in August 2024,
- a fake LockBit attack against an automotive company in Central Europe in August 2024,
- a fake LockBit attack against a manufacturing company in East Asia in September 2024, and
- an attack with no encryptor deployed against an unknown company in the Middle East in January 2025.

Other immature ransomware affiliates were spotted using EDRKillShifter before deploying their custom encryptors (often created simply by using the leaked LockBit 3.0 builder) as well. This shows one weakness of RansomHub: in its greed to grow as quickly as possible, it wasn't very picky about its affiliates. As a result, it was, by its own admission, breached by security researchers in June 2024. Additionally, immature affiliates tend to leave significantly more trails, which enabled us to learn more about both them and RansomHub.

In the blogpost about CosmicBeetle, we mentioned EDRKillShifter being deployed from an unusual path, C:\Users\Administrator\Music\1.0.8.zip. In the following months, multiple other immature affiliates left similar trails that enabled us to partially reconstruct EDRKillShifter's versioning, shown in Table 1. The VERSIONINFO column refers to EDRKillShifter's version as listed in its VERSIONINFO resource, while the Deployment path column refers to the version mentioned in the path discovered by ESET telemetry.

Table 1. EDRKillShifter versioning

Compilation date | VERSIONINFO | Deployment path
---------------- | ----------- | ---------------
2024-05-01 | 1.2.0.1 | N/A
2024-06-06 | 1.2.0.1 | 1.0.7 / 1.0.8
2024-06-07 | 1.6.0.1 | 2.0.1
2024-07-10 | 2.6.0.1 | 2.0.4
2024-07-24 | 2.6.0.1 | 2.0.5

Following July 2024, there was only a single, very generic update from the RansomHub operator posted on RAMP, correlating with our not seeing new versions of EDRKillShifter in the wild.

Reconstructing the development timeline of EDRKillShifter also allowed us to spot these development practices:

- The InternalName property of the version info resource is either Config.exe or Loader.exe.
- The OriginalFilename property of the version info resource is always Loader.exe.
- The deployment filename varies, most commonly being Killer.exe, Magic.exe, or Loader.exe.
- The argument accepting the 64-character-long password is named either pass or key.

EDR killers on the rise

EDRKillShifter quickly gained popularity among ransomware affiliates, and as we just demonstrated, they don't use it exclusively in RansomHub intrusions. However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates.

An EDR killer is malware designed to run in a compromised network to blind, corrupt, crash, or terminate the security solutions protecting the endpoints. The obvious goal is to allow smooth execution of the ransomware encryptor. While more immature ransomware affiliates settle for scripts that simply try to terminate a list of processes, more sophisticated ones go beyond that and use the technique known as Bring Your Own Vulnerable Driver (BYOVD).

EDR killers are an effective and increasingly popular addition to ransomware affiliates' arsenals. During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges.
Ransomware operators tend not to do major updates of their encryptors too often, due to the risk of introducing a flaw that could cause issues and ultimately damage their reputation. As a result, security vendors detect the encryptors quite well, and affiliates react by using EDR killers to "get rid of" the security solution just before executing the encryptor.

Anatomy of an EDR killer

Advanced EDR killers consist of two parts: a user mode component responsible for orchestration (which we will refer to as the killer code) and a legitimate, but vulnerable, driver. The execution is typically very straightforward: the killer code installs the vulnerable driver (typically embedded in its data or resources), iterates over a list of process names, and issues a command to the vulnerable driver, triggering the vulnerability and killing the process from kernel mode.

Figure 5. Anatomy of an EDR killer abusing a vulnerable driver

Few drivers, many killers

Sophos documented in their blogpost how different builds of EDRKillShifter abuse different vulnerable drivers. One of the abused drivers, rentdrv2.sys, is also part of BadRentdrv2, a publicly available EDR killer. The second one, TFSysMon from ThreatFire System Monitor, is also part of TFSysMon-Killer, another publicly available PoC. The latter belongs to a bigger collection of four EDR killer PoCs written in Rust, which we have observed threat actors port line for line to C++.

While the Living Off The Land Drivers project lists over 1,700 vulnerable drivers, making them a lucrative resource for cybercriminals, only a handful of these drivers are abused by EDR killers: if there is tested code abusing a vulnerability in one of these drivers, it is much easier to reuse it than to design the code from scratch. Additionally, it allows the EDR killer developers to focus on the killer code and its stealthiness.
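Because only a handful of drivers are reused across many killers, and because the killer code itself follows the launch conventions listed under the development practices above, both halves of the BYOVD pattern leave telemetry that is worth matching on. The Python below is an added example (not ESET's, Sophos's or any vendor's code) that does this over constructed endpoint events: driver-load events with Sysmon Event ID 6 style fields (ImageLoaded, Hashes) are checked against a blocklist of known-abused driver hashes and for drivers loading from outside the system driver directory, and process-creation events are checked for a pass or key argument carrying a 64-character value, with the documented deployment filenames Killer.exe, Magic.exe and Loader.exe raising the severity. The only real indicator is the RentDrv driver SHA-1 from the IoC table; the argument syntax (-pass, --pass, /key, pass=) is an assumption, since the post gives only the argument names, and the other hashes, paths and the password value are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Real indicator taken from the IoC table in this post. Everything else in the
# sample data below is constructed.
ABUSED_DRIVER_SHA1 = {
    "67D17CA90880B448D5C3B40F69CEC04D3649F170": "RentDrv (rentdrv2.sys), dropped by EDRKillShifter",
}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Assumed argument syntax: "-pass <value>", "--pass <value>", "/key <value>" or
# "pass=<value>". The post documents only the names pass/key and the 64-char length.
PASSWORD_ARG_RE = re.compile(
    r"""(?:^|\s)(?:--?|/)?(?:pass|key)[=\s]+(\S{64})(?=[\s"']|$)""", re.IGNORECASE
)
# Deployment filenames observed for EDRKillShifter (from the post).
DEPLOY_NAME_RE = re.compile(r"\b(?:killer|magic|loader)\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    severity: str
    evidence: str


def parse_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon-style 'SHA1=...,MD5=...' field into {ALGO: DIGEST}."""
    out: Dict[str, str] = {}
    for item in field.split(","):
        algo, _, digest = item.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def check_driver_load(event: Dict[str, str]) -> List[Hit]:
    """Rules for a driver-load event (Sysmon Event ID 6 fields)."""
    path = event.get("ImageLoaded", "")
    low = path.lower()
    sha1 = parse_hashes(event.get("Hashes", "")).get("SHA1")
    hits: List[Hit] = []
    # A validly signed but vulnerable driver is exactly what BYOVD relies on,
    # so the signature is no reason to skip the hash check.
    if sha1 in ABUSED_DRIVER_SHA1:
        hits.append(Hit("known_abused_driver", "high", f"{path} ({ABUSED_DRIVER_SHA1[sha1]})"))
    # The killer code drops its embedded driver wherever it runs, so a driver
    # outside %SystemRoot%\System32\drivers deserves a look even when unknown.
    if not low.startswith(SYSTEM_DRIVER_DIR):
        hits.append(Hit("driver_outside_system_dir", "medium", path))
    # Weak signal: an all-digit file name like 1721894530.sys in the IoC table.
    stem = low.rsplit("\\", 1)[-1].removesuffix(".sys")
    if stem.isdigit():
        hits.append(Hit("numeric_driver_name", "low", path))
    return hits


def check_process_start(event: Dict[str, str]) -> List[Hit]:
    """Rule for a process-creation event: EDRKillShifter's password argument."""
    cmd = event.get("CommandLine", "")
    if not PASSWORD_ARG_RE.search(cmd):
        return []
    named = DEPLOY_NAME_RE.search(cmd) or DEPLOY_NAME_RE.search(event.get("Image", ""))
    return [Hit("edrkillshifter_password_arg", "high" if named else "medium", cmd)]


PASSWORD = "0123456789abcdef" * 4  # constructed 64-character value

DRIVER_LOAD_EVENTS = [
    {"ImageLoaded": r"C:\Users\Administrator\Music\1.0.8\1721894530.sys",
     "Hashes": "SHA1=67D17CA90880B448D5C3B40F69CEC04D3649F170"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA1=" + "0" * 40},  # placeholder digest, not the real tcpip.sys hash
    {"ImageLoaded": r"C:\ProgramData\Tools\monitor.sys",
     "Hashes": "SHA1=" + "1" * 40},  # placeholder digest
]
PROCESS_EVENTS = [
    {"Image": r"C:\Users\Administrator\Music\1.0.8\Killer.exe",
     "CommandLine": f"Killer.exe -pass {PASSWORD}"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": "7z.exe x -pSecretPass archive.7z"},  # benign: -p is not -pass
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'cmd.exe /c "Loader.exe -key {PASSWORD}"'},
]


def scan_all() -> List[Hit]:
    hits: List[Hit] = []
    for event in DRIVER_LOAD_EVENTS:
        hits.extend(check_driver_load(event))
    for event in PROCESS_EVENTS:
        hits.extend(check_process_start(event))
    return hits


if __name__ == "__main__":
    for hit in scan_all():
        print(f"[{hit.severity:6}] {hit.rule:26} {hit.evidence}")
```

In production the hash blocklist would be fed from the LOLDrivers data set rather than a single entry, and the path rule needs an allowlist for legitimate third-party drivers that install outside the system directory; the point of the example is that the driver load, not the obfuscated killer binary, is the stable thing to alert on.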
Gray zone of EDR killers

Legitimate tools are abused by ransomware affiliates to work as EDR killers, too. Such tools, like the GMER rootkit detector and PC Hunter, by their nature require access to kernel mode and need to closely inspect the internals of the operating system. Unfortunately, they also offer powerful functionality that can be abused when in the hands of malicious threat actors.

Adding EDR killers to RaaS offerings

RaaS programs often provide affiliates with more than encryptors; additional tools and playbooks may be part of the package. For instance, LockBit offered Stealbit, a custom data exfiltration tool, to its affiliates, and the Conti leaks and the Dispossessor leak disclosed that playbooks, scripts, and know-how are also part of the ransomware gangs' arsenal.

Adding an EDR killer to a RaaS offering seems logical, and RansomHub is not the only gang doing so. In October 2024, ESET researchers documented that the emerging ransomware gang Embargo had implemented its own EDR killer, called MS4Killer, by modifying a publicly available PoC. At the time of writing, the group listed only 14 victims on its DLS, yet it had already invested time and resources into developing its own EDR killer.

It remains to be seen whether EDR killers find their place in more gangs' offerings. However, this blogpost has also demonstrated that researchers may leverage their usage to cluster affiliates and discover new relationships between rival gangs.

Defeating EDR killers

Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point. While preventing the killer code from executing is the best approach, code obfuscation can make this unreliable. However, focusing on the vulnerable drivers provides additional defense options. ESET classifies drivers exploited by EDR killers as potentially unsafe applications.
Therefore, users, especially in corporate environments, should ensure that the detection of potentially unsafe applications is enabled. This can prevent the installation of vulnerable drivers.

Although not common, sophisticated threat actors may exploit a vulnerable driver already present on a compromised machine instead of relying on BYOVD. To counter this, having proper patch management in place is an effective and essential defense strategy.

Conclusion

The ransomware ecosystem suffered significant blows in 2024. Despite the overall number of recorded attacks increasing, this should not overshadow the positive effect of successfully disrupting or eliminating two ransomware gangs that had dominated the scene for years. We can speculate about how much law enforcement actions decreased ransomware payments, or how growing awareness and initiatives like the Counter Ransomware Initiative are helping ransomware victims understand that paying the ransom may not be the best way forward. What is clear, unfortunately, is that a new, sophisticated ransomware group, RansomHub, emerged, used the right tactics to attract affiliates (many of whom we believe transitioned from BlackCat and LockBit) in a short period, and was quickly able to climb to the top of the ladder. In the foreseeable future, RansomHub will surely try to remain among the most active RaaS gangs.

Law-enforcement-led disruptions of RaaS operators have proved effective, sowing distrust in the RaaS ecosystem. Unfortunately, 2024 showed that affiliates are able to regroup fairly quickly. After all, they have strong financial incentives to deploy encryptors to and exfiltrate sensitive data from their targets. Although more difficult to accomplish than disruptions, eliminating the most active affiliates from the picture is also effective, because it can prevent new RaaS operators from gaining strength as quickly as RansomHub did.
We believe that focusing on the affiliates, especially by tracking down their links between various gangs, as demonstrated in this blogpost between RansomHub, Play, Medusa, and BianLian, will ultimately lead to identification of the affiliates and their removal from the game.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
----- | -------- | --------- | -----------
97E13515263002809505DC913B04B49AEB78B067 | amd64.exe | WinGo/Kryptik.CV | RansomHub encryptor.
BF84712C5314DF2AA851B8D4356EA51A9AD50257 | Loader.exe | Win64/Agent.DVP | EDRKillShifter.
87D0F168F049BEFE455D5B702852FFB7852E7DF6 | amd64.exe | WinGo/Kryptik.CV | RansomHub encryptor.
2E89CF3267C8724002C3C89BE90874A22812EFC6 | Magic.exe | Win64/Agent.DVP | EDRKillShifter.
3B035DA6C69F9B05868FFE55D7A267D098C6F290 | TDSSKiller.exe | Win32/RiskWare.TDSSKiller.A | TDSSKiller.
5ECAFF68D36EC10337428267D05CD3CB632C0444 | svchost.exe | WinGo/HackTool.Agent.EY | Rclone.
DCF711141D6033DF4C9149930B0E1078C3B6D156 | anydes.ps1 | PowerShell/Agent.AEK | Script that deploys and password protects AnyDesk.
E38082AE727AEAEF4F241A1920150FDF6F149106 | netscan.exe | Win64/NetTool.SoftPerfectNetscan.A | SoftPerfect Network Scanner.
046583DEB4B418A6F1D8DED8BED9886B7088F338 | conhost.dll | Win64/Coroxy.J | SystemBC.
3B4AEDAFA9930C19EA889723861BF95253B0ED80 | win64_1.exe | Win64/Agent.RA | BianLian backdoor.
460D7CB14FCED78C701E7668C168CF07BCE94BA1 | WKTools.exe | Win32/WKTools.A | WKTools.
5AF059C44D6AC8EF92AA458C5ED77F68510F92CD | pfw.exe | Win64/Agent.RA | BianLian backdoor.
67D17CA90880B448D5C3B40F69CEC04D3649F170 | 1721894530.sys | Win64/RentDrv.A | Vulnerable driver used by EDRKillShifter.
77DAF77D9D2A08CC22981C004689B870F74544B5 | Killer.exe | Win64/Agent.DVP | EDRKillShifter.
180D770C4A55C62C09AAD1FC3412132D87AF5CF6 | 1.dll | Win64/Coroxy.K | SystemBC.
DD6FA8A7C1B3E009F5F17176252DE5ACABD0FB86 | d.exe | Win32/Filecoder.PLAY.B | Play encryptor.
FDA5AAC0C0DB36D173B88EC9DED8D5EF1727B3E2 | GT_NET.exe | MSIL/Spy.Grixba.A | Grixba.

Network

IP | Domain | Hosting provider | First seen | Details
-- | ------ | ---------------- | ---------- | -------
45.32.206[.]169 | N/A | Vultr Holdings, LLC | 2024-07-25 | Server hosting WKTools and EDRKillShifter.
45.32.210[.]151 | N/A | The Constant Company, LLC | 2024-08-09 | SystemBC C&C server.
79.124.58[.]130 | N/A | TAMATYA-MNT | 2024-08-22 | Server hosting MeshAgent.
92.243.64[.]200 | N/A | EDIS GmbH - Noc Engineer | 2024-07-25 | BianLian backdoor C&C server.
130.185.75[.]198 | N/A | Pars Parva System LTD | 2024-08-20 | Server hosting PuTTY.
149.154.158[.]222 | N/A | EDIS GmbH - Noc Engineer | 2024-07-25 | Server hosting BianLian backdoor.

MITRE ATT&CK techniques

This table was built using version 16 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
------ | -- | ---- | -----------
Resource Development | T1583 | Acquire Infrastructure | QuadSwitcher acquired infrastructure to host their tooling.
Resource Development | T1587.001 | Develop Capabilities: Malware | The RansomHub, Play, Medusa, and BianLian gangs develop their own encryptors and related tooling.
Resource Development | T1588.001 | Obtain Capabilities: Malware | The Play gang uses SystemBC, a commodity malware for sale.
Resource Development | T1588.002 | Obtain Capabilities: Tool | Various third-party tools are regularly used by the gangs' affiliates.
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | The Play gang uploaded its own tooling to a dedicated server to be used during intrusions.
Resource Development | T1608.002 | Stage Capabilities: Upload Tool | The Play gang uploaded the third-party tools it uses to a dedicated server to be used during intrusions.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | QuadSwitcher deployed AnyDesk using a PowerShell script.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Windows Command Shell is regularly used by QuadSwitcher to issue commands.
Defense Evasion | T1078 | Valid Accounts | QuadSwitcher abuses extracted credentials of valid accounts to move in the network stealthily.
Defense Evasion | T1078.002 | Valid Accounts: Domain Accounts | QuadSwitcher ultimately gained domain admin privileges in some of the intrusions.
Defense Evasion | T1480 | Execution Guardrails | RansomHub's encryptor requires a password to run.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | EDRKillShifter's aim is to disable security solutions.
Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot | RansomHub's encryptor allows rebooting to safe mode to encrypt files.
Defense Evasion | T1218 | System Binary Proxy Execution | QuadSwitcher abused certutil.exe to download payloads.
Credential Access | T1110 | Brute Force | QuadSwitcher attempted to brute force credentials during the intrusions.
Discovery | T1087 | Account Discovery | In order to elevate privileges, QuadSwitcher discovered additional accounts.
Discovery | T1057 | Process Discovery | EDRKillShifter looks for specific processes related to security solutions.
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | RDP was often used for lateral movement in the compromised networks.
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | RansomHub supports remote encryption of files.
Collection | T1005 | Data from Local System | The BianLian gang focuses on data exfiltration, collecting data from local drives.
Collection | T1039 | Data from Network Shared Drive | The BianLian gang focuses on data exfiltration, collecting data from network drives.
Command and Control | T1071 | Application Layer Protocol | In Play intrusions, payloads are retrieved via HTTP.
Command and Control | T1132.002 | Data Encoding: Non-Standard Encoding | SystemBC employs a custom network protocol.
Command and Control | T1219 | Remote Access Software | Multiple RMM tools were used, including AnyDesk and MeshAgent.
Exfiltration | T1537 | Transfer Data to Cloud Account | BianLian affiliates used Rclone to exfiltrate data to a cloud account they control, avoiding typical file transfers/downloads and network-based exfiltration detection.
Impact | T1485 | Data Destruction | Some data, like backups, may be permanently destroyed by ransomware gangs.
Impact | T1486 | Data Encrypted for Impact | The ultimate result of ransomware gangs' actions is encryption of victims' data.
Impact | T1657 | Financial Theft | The ransomware gangs pressure victims to pay ransom in exchange for regaining access to their data.
RansomHub affiliates linked to rival RaaS providers

ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions

27 Mar 2025

ESET research has released a deep-dive analysis of changes in the ransomware ecosystem in 2024, focusing especially on RansomHub, a new but highly prolific ransomware-as-a-service (RaaS) gang. Among other things, the report features…