Ransomware, EDR, Threat Intelligence

Updated attack arsenal bolsters RansomHub stealth

Share
Credit: Adobe Stock Images

BleepingComputer reports that organizations recently targeted by the RansomHub ransomware operation had their systems' endpoint detection and response services deactivated through Kaspersky's TDSSKiller tool before being compromised with the credential-harvesting tool LaZagne for lateral movement.

After achieving reconnaissance and privilege escalation, RansomHub proceeded with the exploitation of TDSSKiller with a command line script or batch file that enabled kernel-level service interaction disabling the Malwarebytes Anti-Malware Service without being flagged, according to an analysis from Malwarebytes' ThreatDown Managed Detection and Response team. Such compromise was followed by the deployment of LaZagne to extract database-stored credentials and produce dozens of file writes, with a file deletion also conducted to conceal malicious activity, said researchers. RansomHub's usage of TDSSKiller, which some security tools have dubbed as 'riskware', should prompt the activation of EDR solutions' tamper protection functionality and surveillance of the '-dcsvc' flag that facilitates service immobilization or removal, researchers added.

Updated attack arsenal bolsters RansomHub stealth

After achieving reconnaissance and privilege escalation, RansomHub proceeded with the exploitation of TDSSKiller with a command line script or batch file that enabled kernel-level service interaction disabling the Malwarebytes Anti-Malware Service without being flagged.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.