RansomHub is well-known for its affiliate scheme and for employing methods to turn off or disable endpoint detection and response (EDR) to avoid discovery and extend its existence on hacked devices or networks.
Experts discovered that Ransomhub integrated the EDRKillShifter into its attack chain, a novel evasion method.
The purpose of EDRKillShifter is to take advantage of vulnerable drivers and undermine the efficacy of EDR solutions by using methods to avoid detection and interfere with security monitoring procedures.
Trend Micro identified this group as Water Bakunawa, which is responsible for the RansomHub ransomware and uses various anti-EDR tactics to play a high-stakes game of hide and seek with security solutions.
This RansomHub has been linked to ransomware attacks on industries and vital infrastructure sectors like water and wastewater, IT, commercial and government services and facilities, healthcare, agriculture, financial services, manufacturing, transportation, and communications.
Meet the CISOs, Join the Virtual Panel to Learn compliance – Join Free
The Infection Chain Of The RansomHub Utilizing EDRKillShifter
Experts say, EDRKillShifter disrupts security procedures dynamically in real-time and advances over standard EDR solutions by modifying its techniques as detection capabilities improve.
EDRKillShifter’s EDR-disabling features are seamlessly integrated into the attack chain, ensuring that all phases of an attack utilize them and boosting overall efficacy.
These developments turn EDRKillShifter into a potent weapon against traditional endpoint security systems, requiring enterprises to implement more resilient and flexible security measures.
“The EDRKillShifter tool functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver that is susceptible to abuse to terminate applications related to antivirus solutions”, researchers said.
The RansomHub ransomware exploits the Zerologon vulnerability (CVE-2020-1472). Researchers said that if left unpatched, it might allow attackers to take over a whole network without requiring authentication.
In a particular instance, RansomHub used for batch script files—named “232.bat,” “tdsskiller.bat,” “killdeff.bat,” and “LogDel.bat”—as a form of evasion.
232.bat turns off Windows Defender’s real-time monitoring capability and uses a brute-force attack method called password spraying.
A batch script called tdsskiller.bat is used to disable antivirus software. Killdeff.bat uses advanced methods to hide notifications and enable or disable Windows Defender’s functionality, including obfuscated inline expressions, environment-variable readings, and conditional logic.
LogDel.bat is modifying system files and settings in an unusual way, possibly modifying Remote Desktop Protocol (RDP) settings to allow unauthorized remote access.
Using Task Manager, Ransomhub uses the Local Security Authority Subsystem Service (LSASS) memory to dump credentials, escalating the attack.
By using this method, the ransomware is able to obtain private login information, leading to more extensive and destructive hacks.
The attackers surreptitiously transferred harmful tools between systems by using the Lateral Tool Transfer method. AnyDesk, a remote access tool, served as its command-and-control (C&C) system.
Recommendations
- Strengthen endpoint protection systems.
- Implement driver- and kernel-level protections.
- Enforce credential and authentication security.
- Enable behavioral monitoring and anomaly detection.
- Harden the endpoints’ security configurations.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial