New RansomHub TTPs Include TDSSKiller and LaZagne for Disabling EDR

Date: September 11, 2024


RansomHub has expanded its tactics, techniques, and procedures (TTPs) with a new attack strategy that uses tools to bypass security defenses and steal credentials.

This new method, recently uncovered by researchers, combines two well-known tools: Kaspersky's TDSSKiller, a legitimate rootkit removal tool, and LaZagne, a credential-harvesting utility, Information Security Buzz reports.

While TDSSKiller and LaZagne have long been abused by cybercriminals, this is the first instance of RansomHub incorporating them into its operations.

The attack begins with reconnaissance and privilege enumeration, during which RansomHub targets high-privilege accounts such as "Enterprise Admins."

After identifying key accounts, the attackers deploy TDSSKiller with the "-dcsvc" flag to disable endpoint detection and response (EDR) services, neutralizing security defenses in the same way the LockBit ransomware group has done.

Once security services are disabled, RansomHub deploys LaZagne to harvest credentials from a range of applications, including browsers, databases, and email clients.

This focus on credential theft, especially from databases, allows the group to escalate privileges and move laterally within the victim's network, posing a significant risk to critical systems and sensitive data.

To defend against these evolving threats, researchers recommend several strategies. Organizations should implement strict controls that restrict the use of tools that load vulnerable drivers, such as TDSSKiller, and should treat executions with suspicious command-line flags as a priority alert.
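A detection-side illustration of this recommendation, added here and not part of the original article or any vendor's product logic: a small Python routine that scans Sysmon-style process-creation events for TDSSKiller executed with the "-dcsvc" flag named above, for TDSSKiller run without it (lower priority, authorised use is plausible), and for LaZagne, including a renamed copy caught through the PE OriginalFileName field. The event shape, file paths, user names and the `<SERVICE_NAME>` placeholder are constructed for the example; the article does not name the service that was stopped.

```python
"""Flag dual-use tool abuse (TDSSKiller -dcsvc, LaZagne) in process-creation telemetry."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample telemetry in a Sysmon Event ID 1-like JSON shape, one event per line.
# Paths, users and <SERVICE_NAME> are made up for this example.
SAMPLE_LOG = [
    r'{"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM"}',
    r'{"Image": "C:\\Tools\\tdsskiller.exe", "CommandLine": "\"C:\\Tools\\tdsskiller.exe\"", "OriginalFileName": "tdsskiller.exe", "User": "CORP\\helpdesk"}',
    r'{"Image": "C:\\Temp\\tdsskiller.exe", "CommandLine": "tdsskiller.exe -dcsvc <SERVICE_NAME>", "OriginalFileName": "tdsskiller.exe", "User": "CORP\\svc_backup"}',
    r'{"Image": "C:\\Users\\Public\\update.exe", "CommandLine": "update.exe", "OriginalFileName": "laZagne.exe", "User": "CORP\\svc_backup"}',
]

# Tools named in the article and the flags worth alerting on. "-dcsvc" is the
# TDSSKiller flag the article says RansomHub used to stop security services.
WATCHLIST = {
    "tdsskiller.exe": {"-dcsvc"},
    "lazagne.exe": set(),
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _flags(cmd: str) -> set:
    """Command-line switches (-x or /x), with quoted arguments kept whole."""
    tokens = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmd)]
    return {t for t in tokens if t.startswith("-") or t.startswith("/")}


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a watch-listed tool, or None for anything else."""
    image = event.get("Image", "")
    name = _basename(image)
    original = (event.get("OriginalFileName") or "").lower()
    # Match on the on-disk name first, then on the PE original name so a renamed copy still hits.
    tool = name if name in WATCHLIST else original if original in WATCHLIST else None
    if tool is None:
        return None
    renamed = tool != name
    hit = _flags(event.get("CommandLine", "")) & WATCHLIST[tool]
    if tool == "tdsskiller.exe":
        if hit:
            return Finding("high", "tdsskiller_service_disable", image,
                           f"TDSSKiller run with {sorted(hit)}: security service-disable attempt (renamed={renamed})")
        return Finding("low", "tdsskiller_execution", image,
                       f"TDSSKiller executed without a service-disable flag; confirm authorised use (renamed={renamed})")
    if tool == "lazagne.exe":
        return Finding("high", "lazagne_execution", image,
                       f"LaZagne credential harvester executed (renamed={renamed})")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON event lines and collect findings; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.rule}: {f.image} - {f.detail}")
```

Matching on OriginalFileName as well as the image path is the check that matters most in practice: renaming the binary is cheap for an attacker, while the PE version resource is usually left intact. Pair the rule with an allow-list of hosts where the help desk legitimately runs the rootkit scanner so the low-severity hit does not become noise.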

Network segmentation is also crucial, as isolating critical systems can limit lateral movement even if credentials are compromised.

Takeaway: Ransomware attacks are highly successful for several reasons, with a key factor being the advanced security evasion techniques employed by ransomware operators to bypass or completely neutralize traditional endpoint protection solutions.

Recent estimates indicate that the majority of organizations faced a ransomware attack within the past year. Ransomware has evolved from being seen as a purely technical threat to now being recognized as one of the largest single risks to businesses worldwide.

While modern endpoint protection (EPP) solutions are designed to defend against a range of threats, they often fall short in the face of sophisticated ransomware attacks. The continual surge of high-profile attacks highlights the limitations of existing defenses, as they fail to fully protect against the constantly evolving tactics used by ransomware groups.

A key technique attackers use is "universal unhooking," in which they manipulate execution flow to deploy a rootkit that conceals their activities.

This technique blinds endpoint protection tools, preventing them from detecting the malicious processes or network activity associated with the ransomware attack.

Most (if not all) of the top 20 ransomware groups have been observed using multiple bypass and evasion techniques to avoid detection by security tools.

Threat actors are increasingly writing hard-coded bypasses for antivirus (AV), next-gen antivirus (NGAV), endpoint detection and response (EDR), and extended detection and response (XDR) systems directly into their malware, allowing them to slip past security without triggering alarms.

It's important to note that every major ransomware attack that makes headlines typically bypasses well-established security stacks, which often include advanced tools like endpoint protection, antivirus, and data loss prevention (DLP) solutions.

Understanding the limitations of endpoint security and learning from past failures are crucial steps toward improving an organization's defense-in-depth strategy and resilience.

Given the near certainty of being targeted by ransomware or other cyberattacks, businesses must continuously adapt their security posture to minimize the impact of future breaches.

As attackers increasingly automate their attacks to exploit known vulnerabilities for initial access, and refine their bypass and evasion techniques for stealthier payload delivery, security teams must gain a deeper understanding of their organization's risk exposure.

It's critical to identify weak points and take proactive measures to prepare for the inevitable threats that will arise.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.