
RansomHub Ransomware Uses Kaspersky’s TDSSKiller and LaZagne To Disable EDR Software


RansomHub ransomware has become a significant threat to organizations and individuals alike. Recent reporting from Malwarebytes describes an intrusion in which the group abused Kaspersky’s legitimate TDSSKiller rootkit-removal tool to disable EDR (Endpoint Detection and Response) software, then used the LaZagne credential harvester to collect logins for lateral movement. Understanding how these trusted tools are turned against defenders is essential for anyone responsible for endpoint security.

What is RansomHub Ransomware And How Does It Work?

RansomHub ransomware encrypts files on infected systems, rendering them inaccessible, and targets the documents and data the victim can least afford to lose.

The attack typically begins with phishing emails or malicious downloads that trick users into executing the payload. Once active, RansomHub scans the host and the network for valuable files.

After identifying its targets, the malware encrypts them and drops a ransom note demanding payment in cryptocurrency in exchange for the decryption key.

What sets RansomHub apart is the effort it puts into evading detection: it disables security software before the encryption phase so that the payload can run without being blocked. Because ransomware tooling changes quickly, understanding how each stage of the attack unfolds is vital for defenders.

Kaspersky’s TDSSKiller and LaZagne To Disable EDR Software

Kaspersky’s TDSSKiller is a free security tool built to detect and remove rootkits and bootkits, two classes of malware that hide the presence of malicious files or activity on a system and are particularly hard for standard security tools to find. It is best known for its effectiveness against the TDSS (also known as Alureon) rootkit family. Because it has to be able to tear out deeply embedded malware, it can also disable Windows services, and that capability is what attackers have now turned against defenders.

According to Malwarebytes, the RansomHub ransomware gang used TDSSKiller to disable Endpoint Detection and Response (EDR) services on target systems, creating an opening for the rest of the intrusion. To move laterally on the network, RansomHub then deployed the LaZagne credential-harvesting tool to extract logins from various application databases.

LaZagne is an open-source tool that extracts locally stored credentials from browsers, email clients, network connections and other applications on a compromised system. It was written for penetration testing, but cybercriminals routinely misuse it in malware campaigns.

Malwarebytes highlighted this trend as attackers continue to blend legitimate, signed utilities with malicious intent. Organizations need to understand how such tools can be misused and stay vigilant against threats that turn existing, trusted software against them.

Malwarebytes reports that RansomHub used TDSSKiller from a batch file or command-line script to disable the Malwarebytes Anti-Malware Service (MBAMService) on the victim machine. The tool was run only after a reconnaissance and privilege-escalation phase, and it was executed under a dynamically generated filename, ‘[89BCFDFB-BBAF-4631-9E8C-P98AB539AC].exe’, rather than its usual name.

Figure: RansomHub ransomware uses TDSSKiller and LaZagne (source: Malwarebytes)

Because TDSSKiller is a legitimate tool carrying a valid code-signing certificate, many security solutions will not flag or block it, which is exactly what lets RansomHub’s attack proceed. RansomHub then ran LaZagne to extract credentials stored in application databases; Malwarebytes observed 60 file writes that were likely harvested credentials, and files that were later deleted, which may be an attempt by the attacker to cover their tracks. LaZagne is flagged as malicious by most security tools, but it becomes invisible once TDSSKiller has been used to deactivate those defences. Several security products, including Malwarebytes’ ThreatDown, classify TDSSKiller as ‘RiskWare’, which should itself be treated as a red flag when the tool appears unexpectedly on an endpoint.
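The technique described in the two paragraphs above, recast as a detection rule. The Python below is an added example written for this page, not code from Malwarebytes or The SOC Labs. It runs over constructed Sysmon Event ID 1 (process creation) records, sample data made up here, and flags the pattern the report describes: TDSSKiller executed from a script under a generated GUID-style name with a command line aimed at an EDR service, plus a LaZagne run. The `-dcsvc` switch (TDSSKiller’s documented delete-service parameter), the protected service names other than MBAMService, and the GUID filename pattern are assumptions not stated on the page.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields used by the rule."""
    image: str               # Image: full path of the executable on disk
    original_file_name: str  # OriginalFileName: name from the PE version resource ("" if absent)
    command_line: str        # CommandLine
    parent_image: str        # ParentImage


# Service names an attacker would target to blind the endpoint. MBAMService is
# the one named in the Malwarebytes report; the others are assumed examples.
PROTECTED_SERVICES = {"mbamservice", "windefend", "csfalconservice"}

# Generalisation of the one reported filename, [89BCFDFB-BBAF-4631-9E8C-P98AB539AC].exe:
# a bracketed GUID-like name. The last group contains a non-hex 'P', so the
# pattern accepts any alphanumerics rather than strict hex digits (assumption).
GUID_NAME_RE = re.compile(
    r"^\[[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{10,12}\]\.exe$",
    re.IGNORECASE,
)

# -dcsvc <service> is TDSSKiller's documented "delete service" switch. The page
# above does not quote the command line, so the switch is an assumption here.
DCSVC_RE = re.compile(r"-dcsvc\s+\"?([^\s\"]+)")


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze(ev):
    """Return a list of findings for one event (empty list means nothing suspicious)."""
    findings = []
    name = basename(ev.image).lower()
    orig = ev.original_file_name.lower()
    cmd = ev.command_line.lower()
    parent = basename(ev.parent_image).lower()

    # Identify TDSSKiller by its PE metadata, not only by the on-disk name,
    # so that a renamed copy is still recognised.
    tds_by_meta = orig == "tdsskiller.exe"
    is_tdsskiller = tds_by_meta or name == "tdsskiller.exe"
    is_lazagne = "lazagne" in name or "lazagne" in orig

    if tds_by_meta and name != orig:
        findings.append(f"tdsskiller renamed on disk as {basename(ev.image)}")
    if GUID_NAME_RE.match(basename(ev.image)):
        findings.append("executable with bracketed GUID-style filename")

    m = DCSVC_RE.search(cmd)
    if is_tdsskiller and m and m.group(1) in PROTECTED_SERVICES:
        findings.append(f"tdsskiller -dcsvc targets security service {m.group(1)}")
    elif is_tdsskiller and any(svc in cmd for svc in PROTECTED_SERVICES):
        findings.append("tdsskiller command line references a security service")

    if is_lazagne:
        findings.append("lazagne credential harvester executed")
    if (is_tdsskiller or is_lazagne) and parent == "cmd.exe":
        findings.append("launched from cmd.exe, consistent with a batch script")
    return findings


# Constructed sample telemetry (not from the report): one benign run of the
# real tool, one EDR-killing run under a generated name, one LaZagne run.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\alice\Downloads\tdsskiller.exe",
        original_file_name="tdsskiller.exe",
        command_line=r'"C:\Users\alice\Downloads\tdsskiller.exe"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        image=r"C:\Users\Public\[89BCFDFB-BBAF-4631-9E8C-P98AB539AC].exe",
        original_file_name="tdsskiller.exe",
        command_line=r'"C:\Users\Public\[89BCFDFB-BBAF-4631-9E8C-P98AB539AC].exe" -dcsvc MBAMService',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessEvent(
        image=r"C:\Users\Public\laZagne.exe",
        original_file_name="",  # PyInstaller-built tools often carry no version resource (assumption)
        command_line="laZagne.exe all",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
]


def triage(events):
    """Map each event's image basename to its findings, dropping clean events."""
    return {basename(ev.image): analyze(ev) for ev in events if analyze(ev)}


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

The rule keys on OriginalFileName from the PE version resource rather than the on-disk name, because the on-disk name is exactly what the attacker controls. A renamed LaZagne, which typically lacks that metadata, would still slip past the name check, so pair a rule like this with the behavioural signal the report mentions (a burst of file writes followed by deletions) and with EDR tamper protection, so that a service-deletion attempt fails even when the tool is allowed to run.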

IOCs

Here are the TDSSKiller and LaZagne IoCs shared by Malwarebytes:

TDSSKiller IOCs

LaZagne IOCs



Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.
