RansomHub Ransomware Detection: Attackers Exploit Kaspersky’s TDSSKiller to Disable EDR Systems
Right after the joint advisory by the FBI, CISA, and partners warning of a significant shift in RansomHub RaaS group activity, security researchers spotted a novel trick: adversaries misusing Kaspersky’s legitimate TDSSKiller software to disable Endpoint Detection and Response (EDR) systems. Once defenses are bypassed, attackers turn to the LaZagne tool to siphon login details from application databases and move laterally within the networks of interest.
Detect RansomHub Ransomware Attacks Leveraging TDSSKiller
With the ransomware outbreak remaining as rampant as ever in 2024 and ransom demands having increased five-fold over the last year, ransomware attacks are proving to be an escalating threat to global organizations. With every new day bringing a novel method to attackers’ playbooks, defenders are looking for an effective way to detect potential intrusions on time. Cyber defenders can rely on SOC Prime Platform for collective cyber defense, which serves a complete product suite for advanced threat detection, AI-powered detection engineering, and automated threat hunting. Platform users can access the latest threat intel and curated detection rules for emerging threats, released under a 24-hour SLA.
To spot possible RansomHub attacks leveraging TDSSKiller, check out the Sigma rule below, which helps identify potential misuse of the utility to disable local security tools. To search for more related detections, use the “TDSSKiller” tag in Threat Detection Marketplace.
Possible TDSSKiller Utility Execution Attempt (via cmdline)
The detection is compatible with 27 SIEM, EDR, and Data Lake solutions and is mapped to MITRE ATT&CK, addressing the Defense Evasion tactic with Disable or Modify Tools (T1562.001) as the corresponding sub-technique.
Security practitioners searching for more detection content addressing RansomHub TTPs can click the Explore Detections button below to immediately drill down to a dedicated Sigma rules list.
The rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and enriched with actionable metadata & tailored CTI.
RansomHub Ransomware Analysis
On August 29, 2024, the FBI and CISA, together with other authoring agencies, released the AA24-242A alert focused on the growing attacks against government bodies and critical infrastructure organizations, including water and wastewater, IT, healthcare, financial services, and communications. The RansomHub group behind these attacks has already hit over 210 organizations since its emergence in February 2024. The most recent report by Malwarebytes reveals that the same group is now abusing Kaspersky’s TDSSKiller software to disable EDR systems.
The legitimate TDSSKiller tool is used to identify the presence of rootkits or bootkits on a system. Yet RansomHub operators are actively misusing the software to interact with kernel-level services, using a command-line script or batch file that attempts to disable security services. Because TDSSKiller is a legitimate utility, adversaries can run it and fly under the radar without being flagged or stopped by security solutions.
At the next stage, attackers employ LaZagne to extract login details stored in app databases, browsers, and email clients to boost their ability to move laterally inside the infected network.
To prevent attackers from disabling EDR solutions using tools like TDSSKiller, security experts recommend enabling tamper protection within the EDR system and monitoring for the ‘-dcsvc’ parameter, which indicates that a service is being disabled or deleted. Additionally, to minimize the risks of RansomHub attacks, agencies advise following the guidelines in the #StopRansomware Guide, enhancing cyber hygiene, and regularly testing and validating security controls. By utilizing SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, organizations can strengthen their cybersecurity defenses against both current and emerging ransomware threats.
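The following is an added example of the detection logic the post describes, written here for illustration; it is not SOC Prime’s Sigma rule and not code from Kaspersky, Malwarebytes, or the authoring agencies. It runs over constructed Sysmon-style process-creation events (hypothetical paths, a placeholder service name, and an assumed OriginalFileName field) and flags any TDSSKiller execution, escalating when the ‘-dcsvc’ parameter is present or when the binary has been renamed.

```python
"""Hunt process-creation telemetry for TDSSKiller misuse.

Added example, not SOC Prime's Sigma rule and not code from Kaspersky or
Malwarebytes. It models the logic the post describes: flag any TDSSKiller
execution, and escalate when the '-dcsvc' parameter (disable/delete a
service) is present. Field names follow Sysmon Event ID 1 conventions;
every event below is constructed, and the service name is a placeholder.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

TDSSKILLER = "tdsskiller.exe"
DCSVC_FLAG = "-dcsvc"  # the parameter the post says to monitor for

# Constructed sample events (hypothetical paths and a placeholder service name).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\tdsskiller.exe",
     "OriginalFileName": "tdsskiller.exe",
     "CommandLine": "tdsskiller.exe -dcsvc ExampleEdrSvc"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Tools\TDSSKiller.exe",
     "OriginalFileName": "tdsskiller.exe",
     "CommandLine": "TDSSKiller.exe"},
    # Renamed copy: matching on the image name alone would miss this, so the
    # PE version resource name (OriginalFileName, assumed preserved) is checked too.
    {"Image": r"C:\Temp\update.exe",
     "OriginalFileName": "tdsskiller.exe",
     "CommandLine": "update.exe -DCSVC ExampleEdrSvc"},
]


@dataclass(frozen=True)
class Finding:
    rules: Tuple[str, ...]         # which conditions fired, highest severity first
    severity: str                  # "high" or "medium"
    image: str
    target_service: Optional[str]  # value following -dcsvc, if any


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a TDSSKiller execution, else None."""
    image = event.get("Image", "")
    image_name = _basename(image)
    original = event.get("OriginalFileName", "").lower()
    if TDSSKILLER not in (image_name, original):
        return None

    tokens = event.get("CommandLine", "").split()
    lowered = [t.lower() for t in tokens]
    rules = []
    target = None
    if DCSVC_FLAG in lowered:
        # The service name is the token after the flag; keep its casing for the analyst.
        idx = lowered.index(DCSVC_FLAG)
        target = tokens[idx + 1] if idx + 1 < len(tokens) else None
        rules.append("tdsskiller_dcsvc")
    if image_name != TDSSKILLER and original == TDSSKILLER:
        rules.append("tdsskiller_renamed_binary")
    if not rules:
        rules.append("tdsskiller_execution")  # legitimate runs still warrant review

    severity = "high" if rules[0] != "tdsskiller_execution" else "medium"
    return Finding(tuple(rules), severity, image, target)


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run analyze() over a stream of process-creation events."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {', '.join(f.rules)}: {f.image} -> {f.target_service}")
```

The medium-severity `tdsskiller_execution` finding is deliberate: a plain run of the utility is often legitimate, so it is surfaced for review rather than treated as an incident, while the `-dcsvc` match and the renamed-binary case are the signals worth an immediate look.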