EDR Evasion: RansomHub Utilizes TDSSKiller in Novel Attack Strategy
The ThreatDown Managed Detection and Response (MDR) team has discovered that the RansomHub ransomware group is employing the legitimate tool TDSSKiller to disable Endpoint Detection and Response (EDR) measures on targeted devices. Alongside TDSSKiller, the cybercriminals are using LaZagne to harvest data. While both programs have long been familiar within the cybercriminal landscape, this marks the first instance of their deployment by RansomHub.
TDSSKiller, initially developed by Kaspersky Lab to remove rootkits, was repurposed to disable EDR systems. After conducting reconnaissance and identifying accounts with elevated privileges, RansomHub attempted to disable the MBAMService protection.
The tool was executed from a temporary directory with a dynamically generated file name, making detection more challenging. As TDSSKiller is a legitimate program with a valid certificate, many security systems fail to recognize the attackers’ actions as a threat.
Once security systems were disabled, RansomHub deployed LaZagne to harvest credentials from compromised systems. The program extracts passwords from various applications, including browsers, email clients, and databases, enabling the attackers to escalate privileges and move laterally across the network. In this case, the cybercriminals aimed to gain access to a database, allowing them control over critical systems.
During the attack, LaZagne created over 60 files, most of which contained login credentials and passwords. To cover their tracks, the attackers also deleted several files after the operation was completed.
Detecting LaZagne is relatively straightforward, as most antivirus programs flag it as malicious software. However, if TDSSKiller has been used to disable security systems, LaZagne’s activity becomes invisible to most monitoring tools.
ThreatDown advises organizations to adopt additional precautions to defend against such attacks. Specifically, it recommends restricting the use of vulnerable drivers like TDSSKiller and monitoring for suspicious commands executed within systems. Network segmentation and isolating critical systems are also vital measures to minimize risks in the event of credential compromise.