Shanya crypter emerges as new threat in ransomware toolkits

Ransomware, Threat Intelligence

Sophos reports that a new packer-as-a-service, dubbed Shanya, is gaining traction among ransomware groups, potentially replacing tools like HeartCrypt. This evolving threat landscape highlights continuous innovation within the cybercrime underworld.

The Shanya crypter, also known as VX Crypt, was first observed on underground forums near the end of 2024. Its features are designed to evade security detections, making it attractive for deploying various malware families, including EDR killers and backdoors like CastleRAT. The crypter employs techniques like API hashing and anti-analysis checks, including manipulating the Process Environment Block (PEB) and attempting to detect debugger hooks. It achieves stealth by loading a second instance of a system DLL and overwriting its memory space with the decrypted payload. Notable use cases include an EDR killer that disables security products by terminating their processes and services, often preceding ransomware attacks like Akira and Medusa. It has also been used in campaigns targeting hotels with CastleRAT.

The rise of Shanya underscores the persistent threat of packer-as-a-service offerings and EDR killers, particularly their potent combination with ransomware operations. The ongoing demand and financial incentives suggest these tools will continue to evolve, posing a long-term challenge for cybersecurity defenses. Organizations must remain vigilant against these sophisticated evasion techniques.

Source: Sophos
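The DLL-overwrite behaviour described above (a second instance of a system DLL loaded into the process and its memory overwritten with the decrypted payload) leaves two artefacts a defender can look for in a process's module list: the same system DLL mapped at two different base addresses, and a mapped image whose bytes no longer match the file that backs it. The heuristic below is an added example written for this page, not code from Sophos or from the article; it runs over constructed module-list snapshots, and the `LoadedModule` record, the `scan` helper, the process names and the choice of `version.dll` as the duplicated module are assumptions for illustration, not details reported about Shanya.

```python
"""Heuristic detector for the in-memory DLL overwrite pattern.

Two signals, each evaluated over a snapshot of a process's loaded modules:
  1. the same system DLL mapped more than once in one process, and
  2. a mapped module whose image bytes no longer match its backing file.
The snapshot records are constructed for this example; on a live host they
would come from a module-enumeration API or an EDR telemetry feed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Directories treated as "system DLL" locations (assumption for the heuristic).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class LoadedModule:
    process: str
    pid: int
    name: str            # module name as listed in the process
    path: str            # backing file on disk
    base: int            # load address of this mapping
    image_bytes: bytes   # bytes as mapped in memory (sample range only)
    disk_bytes: bytes    # the same range read back from the file on disk


def is_system_dll(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_duplicate_system_dlls(modules):
    """Signal 1: a system DLL mapped at two or more bases in one process.

    Returns {(process, pid, dll name): [sorted base addresses]}.
    """
    seen = defaultdict(list)
    for m in modules:
        if is_system_dll(m.path):
            seen[(m.process, m.pid, m.name.lower())].append(m.base)
    return {key: sorted(bases) for key, bases in seen.items() if len(bases) > 1}


def find_stomped_modules(modules):
    """Signal 2: a mapping whose in-memory bytes differ from the backing file."""
    return [
        m for m in modules
        if hashlib.sha256(m.image_bytes).digest() != hashlib.sha256(m.disk_bytes).digest()
    ]


def scan(modules):
    """Combine both signals into human-readable findings."""
    findings = []
    for (proc, pid, name), bases in find_duplicate_system_dlls(modules).items():
        findings.append(
            f"{proc}[{pid}]: {name} mapped {len(bases)} times at {[hex(b) for b in bases]}"
        )
    for m in find_stomped_modules(modules):
        findings.append(f"{m.process}[{m.pid}]: {m.name} at {hex(m.base)} differs from {m.path}")
    return findings


# Constructed snapshot: one clean process and one that shows both signals.
CLEAN_HEADER = b"MZ\x90\x00" + b"\x00" * 12
PAYLOAD_BYTES = b"MZ\x00\x00" + b"\xcc" * 12   # stand-in for a decrypted payload

SAMPLE_MODULES = [
    LoadedModule("svchost.exe", 1200, "kernel32.dll", r"C:\Windows\System32\kernel32.dll",
                 0x7FF800010000, CLEAN_HEADER, CLEAN_HEADER),
    LoadedModule("svchost.exe", 1200, "version.dll", r"C:\Windows\System32\version.dll",
                 0x7FF800200000, CLEAN_HEADER, CLEAN_HEADER),
    LoadedModule("updater.exe", 4311, "kernel32.dll", r"C:\Windows\System32\kernel32.dll",
                 0x7FF800010000, CLEAN_HEADER, CLEAN_HEADER),
    LoadedModule("updater.exe", 4311, "version.dll", r"C:\Windows\System32\version.dll",
                 0x7FF800200000, CLEAN_HEADER, CLEAN_HEADER),
    # Second mapping of the same system DLL whose bytes no longer match the file.
    LoadedModule("updater.exe", 4311, "version.dll", r"C:\Windows\System32\version.dll",
                 0x1A2B0000, PAYLOAD_BYTES, CLEAN_HEADER),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_MODULES):
        print(line)
```

On a live host, comparing whole images against disk produces false positives because relocations and import-address patching legitimately change mapped bytes; a production check should compare a normalized code section or the PE header only, and should key signal 1 on the module name rather than the path, since both mappings of the duplicated DLL report the same backing file.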
