How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus
Introduction
On September 20, 2024, Trend Micro released a threat report detailing the techniques the Water Bakunawa threat group employs in the RansomHub ransomware campaign. The report's central finding is the group's use of EDRKillShifter, a "bring your own vulnerable driver" (BYOVD) tool that terminates Endpoint Detection and Response (EDR) agents and antivirus products from kernel mode, alongside exploitation of the Zerologon vulnerability (CVE-2020-1472) to take control of Active Directory domains.
Report Overview
Water Bakunawa, a cybercrime group tracked by Trend Micro, has been tied to several high-profile ransomware attacks. Their notorious RansomHub campaign targets critical infrastructure, including sectors like healthcare, government services, manufacturing, and financial institutions. These attacks have not only been financially damaging but also disruptive to public services.
The Zerologon vulnerability (CVE-2020-1472) is one of the key escalation paths for RansomHub. It is a flaw in the Netlogon Remote Protocol that lets an attacker with network access to an unpatched domain controller reset the controller's machine account password without authenticating, and from there take over the domain. Organizations that have not patched their domain controllers are especially exposed, because domain-wide control lets the operators push ransomware to every joined host quickly.
One of the most concerning developments is the deployment of EDRKillShifter, a "bring your own vulnerable driver" (BYOVD) tool. It loads a legitimately signed but vulnerable driver and abuses that driver's kernel-mode access to disable security solutions, giving the attackers free rein within compromised systems.
- EDRKillShifter: The tool requires local administrator rights to load the vulnerable driver; once loaded, the driver is used to terminate EDR services and antivirus processes that user-mode code cannot normally touch. Because the capability comes from the driver rather than from a specific exploit, the operators can swap in a different vulnerable driver when one is blocked, which is why the report describes it as adapting to defenders' updates.
- Batch Files for Evasion: RansomHub uses four key batch scripts (232.bat, tdsskiller.bat, killdeff.bat, and LogDel.bat) to disable Windows Defender, alter registry settings, and clear Windows Event Logs. Together they reduce the telemetry available to defenders before and after the ransomware payload runs.
Once the attackers gain access, they move quickly through the network, using NetScan for reconnaissance and AnyDesk as a remote-access channel. Figure 17 of the report shows how RansomHub uses NetScan to map the network, which enables targeted lateral movement toward hosts holding high-value data.
- Credential Access: RansomHub dumps Local Security Authority Subsystem Service (LSASS) memory to harvest cached credentials, which it then reuses to move laterally and escalate further, compromising the integrity of the affected network.
- Exfiltration: Using the tool "rclone," the attackers exfiltrate sensitive data to remote servers, threatening to leak it unless ransom demands are met.
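The stages summarized above leave a recognizable trail in Windows telemetry: a Zerologon exploit ends with the domain controller's machine account being changed by ANONYMOUS LOGON (Security event 4742), a BYOVD kill shows up as a driver load from an unusual path (Sysmon event 6) followed by protected security processes terminating (Sysmon event 5) or Defender real-time protection being turned off (Defender operational event 5001), and the LogDel.bat step shows up as the audit log being cleared (Security event 1102, or System event 104). The correlation below is an added example written for this page, not code from the Trend Micro report; the event records are constructed, and the process names, driver path and 15-minute window are assumptions to tune to the EDR actually deployed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report). Each dict mimics a parsed
# record from the Security, Sysmon or Defender operational logs.
SAMPLE_EVENTS = [
    # Zerologon aftermath: DC machine account changed by ANONYMOUS LOGON.
    {"ts": "2024-09-01T10:00:05", "host": "DC01", "channel": "Security", "id": 4742,
     "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    # BYOVD: driver loaded from a user-writable path (name is a placeholder).
    {"ts": "2024-09-01T10:12:00", "host": "WS07", "channel": "Sysmon", "id": 6,
     "image": r"C:\Users\Public\tmp\drv.sys", "signature": "Unknown Publisher"},
    # Protected processes terminated seconds later (assumed EDR agent name).
    {"ts": "2024-09-01T10:12:03", "host": "WS07", "channel": "Sysmon", "id": 5,
     "image": r"C:\Program Files\EDRVendor\edr_agent.exe"},
    {"ts": "2024-09-01T10:12:04", "host": "WS07", "channel": "Sysmon", "id": 5,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    # Defender real-time protection disabled, then the audit log cleared.
    {"ts": "2024-09-01T10:13:10", "host": "WS07", "channel": "Defender", "id": 5001},
    {"ts": "2024-09-01T10:20:00", "host": "WS07", "channel": "Security", "id": 1102},
    # Benign noise on another host: Microsoft driver load, normal process exit.
    {"ts": "2024-09-01T09:00:00", "host": "WS08", "channel": "Sysmon", "id": 6,
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signature": "Microsoft Windows"},
    {"ts": "2024-09-01T09:00:01", "host": "WS08", "channel": "Sysmon", "id": 5,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Assumptions: names of security processes whose termination matters, the only
# directory drivers are expected to load from, and how long after a driver load
# a kill still counts as related.
PROTECTED_PROCESSES = {"msmpeng.exe", "edr_agent.exe", "sensecncproxy.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
KILL_WINDOW = timedelta(minutes=15)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (stage, host, evidence_event_ids) tuples, in chronological order of trigger."""
    alerts = []
    events = sorted(events, key=_ts)

    # Stage 1: machine account (trailing '$') changed by ANONYMOUS LOGON.
    for ev in events:
        if (ev["channel"], ev["id"]) == ("Security", 4742) \
                and ev.get("subject") == "ANONYMOUS LOGON" \
                and ev.get("target", "").endswith("$"):
            alerts.append(("zerologon_aftermath", ev["host"], [4742]))

    # Stage 2: driver loaded from outside the trusted directory, followed on the
    # same host by protected-process terminations or Defender RTP being disabled.
    for ev in events:
        if (ev["channel"], ev["id"]) == ("Sysmon", 6) \
                and not ev["image"].lower().startswith(TRUSTED_DRIVER_DIR):
            t0 = _ts(ev)
            followers = [f for f in events
                         if f["host"] == ev["host"] and t0 <= _ts(f) <= t0 + KILL_WINDOW]
            kills = [f for f in followers if (f["channel"], f["id"]) == ("Sysmon", 5)
                     and _basename(f["image"]) in PROTECTED_PROCESSES]
            rtp_off = [f for f in followers if (f["channel"], f["id"]) == ("Defender", 5001)]
            if kills or rtp_off:
                alerts.append(("byovd_edr_kill", ev["host"],
                               [6] + [5] * len(kills) + [5001] * len(rtp_off)))

    # Stage 3: anti-forensics - Security audit log or System log cleared.
    for ev in events:
        if (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)}:
            alerts.append(("event_log_cleared", ev["host"], [ev["id"]]))

    return alerts


if __name__ == "__main__":
    for stage, host, evidence in detect(SAMPLE_EVENTS):
        print(f"{host}: {stage} (event IDs {evidence})")
```

The driver-load rule deliberately keys on the load path and the follow-on kills rather than on a hash of the driver: a BYOVD toolkit can swap in any of several signed vulnerable drivers, so a hash list lags the attacker, whereas "a driver outside System32\drivers followed by the EDR agent dying" describes the technique itself. Stage 3 alerts fire on their own as well, because log clearing is worth a ticket even when the earlier stages were missed.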
Insights and Analysis
The techniques used by RansomHub highlight the need for security controls that keep working when the EDR agent itself has been killed, rather than relying on EDR and antivirus alone. Trend Micro's Vision One platform played a central role in detecting and analyzing these attacks, providing insight into the Tactics, Techniques, and Procedures (TTPs) employed.
To defend against evolving ransomware threats like RansomHub, organizations should consider the following:
- Strengthen Endpoint Protection: Ensure EDR solutions have current threat intelligence, and enable their anti-tamper features so that stopping the agent or its service requires more than local administrator rights. Behavioral analysis can flag the sequence of a driver load followed by security processes terminating, which is what EDRKillShifter produces.
- Implement Driver Protections: Prevent known-vulnerable drivers from loading by enforcing Microsoft's vulnerable driver blocklist (through HVCI/Memory Integrity or a WDAC policy), and monitor driver loads from user-writable paths.
- Enforce Multi-Factor Authentication (MFA): Secure all remote access points by enabling MFA and rotating credentials; for the Zerologon path specifically, patch domain controllers for CVE-2020-1472 and enforce secure Netlogon RPC.
RansomHub’s use of EDRKillShifter demonstrates a significant shift in ransomware operations, where evasion techniques are becoming more advanced and harder to detect. The group's ability to stay ahead of security tools underscores the need for continuous adaptation and investment in proactive security measures.
As ransomware attacks like these increase in frequency and sophistication, organizations must bolster their defenses with cutting-edge technologies and threat intelligence platforms like Trend Micro Vision One. Proactive measures, such as those outlined above, will be critical in mitigating the impact of future attacks.
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
No specific Indicators of Compromise (IOCs) were provided in the source material. | - | - |
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Valid Accounts: Domain Accounts | T1078.002 | Use of valid domain accounts to gain access. |
Lateral Movement | Exploitation of Remote Services | T1210 | Exploitation of Zerologon (CVE-2020-1472) against domain controllers. |
Execution | Service Execution | T1569.002 | Execution of commands through a system service. |
Privilege Escalation | Abuse Elevation Control Mechanism: UAC Bypass | T1548.002 | Bypassing User Account Control (UAC) to elevate privileges. |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Disabling or modifying EDR and antivirus tools. |
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | Clearing event logs to hide malicious activities. |
Credential Access | Brute Force | T1110 | Attempting to gain access via brute-force attacks (e.g., password spraying). |
Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Dumping credentials from LSASS to access sensitive information. |
Discovery | Network Service Discovery | T1046 | Mapping network services using tools like NetScan. |
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Using SMB or Admin Shares to move laterally within a network. |
Impact | Data Encrypted for Impact | T1486 | Encrypting data for ransom demands. |
Impact | Inhibit System Recovery | T1490 | Disabling system recovery by deleting Volume Shadow Copies. |