New RansomHub TTPs Include TDSSKiller and LaZagne for Disabling EDR

RansomHub has introduced a new, sophisticated attack strategy that involves using tools to bypass security defenses and steal credentials, expanding its tactics, techniques, and procedures (TTPs).  

‍

This new method, recently uncovered by researchers, involves combining two well-known tools: Kaspersky's TDSSKiller, a legitimate rootkit removal tool, and LaZagne, a credential-harvesting utility, Information Security Buzz reports.

‍

While TDSSKiller and LaZagne have long been exploited by cybercriminals, this marks the first instance of RansomHub incorporating them into its operations.  

‍

The attack begins with reconnaissance and privilege enumeration, where RansomHub targets high-privilege accounts like “Enterprise Admins.”  

‍

After identifying key accounts, they deploy TDSSKiller to disable endpoint detection and response (EDR) systems, neutralizing security defenses by using the "-dcsvc" flag, similar to the techniques employed by the LockBit ransomware group.

‍

Once security services are disabled, RansomHub deploys LaZagne to harvest credentials from various applications, including browsers, databases, and email clients.  

‍

This focus on credential theft, especially from databases, allows the group to escalate privileges and move laterally within the victim's network, posing a significant risk to critical systems and sensitive data.

‍

To defend against these evolving threats, researchers recommend several strategies. Organizations should implement strict controls to restrict the use of vulnerable drivers like TDSSKiller, especially when suspicious command-line flags are used.  

‍

Network segmentation is also crucial, as isolating critical systems can limit lateral movement even if credentials are compromised.

‍

Takeaway: Ransomware attacks are highly successful for several reasons, with a key factor being the advanced security evasion techniques employed by ransomware operators to bypass or completely neutralize traditional endpoint protection solutions.

‍

Recent estimates indicate that the majority of organizations faced a ransomware attack within the past year. Ransomware has evolved from being seen as a purely technical threat to now being recognized as one of the largest single risks to businesses worldwide.

‍

While modern endpoint protection (EPP) solutions are designed to defend against a range of threats, they often fall short in the face of sophisticated ransomware attacks. The continual surge of high-profile attacks highlights the limitations of existing defenses, as they fail to fully protect against the constantly evolving tactics used by ransomware groups.

‍

A key technique attackers use is “universal unhooking,” where they manipulate the execution flow to deploy a rootkit, effectively concealing their activities.  

‍

This technique blinds endpoint protection tools, preventing them from detecting the malicious processes or network activity associated with the ransomware attack.

‍

Most (if not all) of the top 20 ransomware groups have been observed leveraging multiple bypass and evasion techniques to evade detection by security tools.  

‍

Threat actors are increasingly writing hard-coded bypasses for antivirus (AV), next-gen antivirus (NGAV), endpoint detection and response (EDR), and extended detection and response (XDR) systems directly into their malware, allowing them to slip past security without triggering alarms.

‍

It's important to note that every major ransomware attack that makes headlines typically bypasses well-established security stacks, which often include advanced tools like endpoint protection, antivirus, and data loss prevention (DLP) solutions.

‍

Understanding the limitations of endpoint security and learning from past failures are crucial steps toward improving an organization's defense-in-depth strategy and resilience.  

‍

Given the near certainty of being targeted by ransomware or other cyberattacks, businesses must continuously adapt their security posture to minimize the impact of future breaches.

‍

As attackers increasingly automate their attack processes to exploit known vulnerabilities for initial access and refine their bypass and evasion techniques for stealthier payload delivery, security teams must gain a deeper understanding of their organization's risk exposure.  

‍

It's critical to identify weak points and take proactive measures to prepare for the inevitable threats that will arise.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.