Wednesday, September 11, 2024

What is TDSSKiller Ransomware from RansomHub?

The world of cybersecurity is constantly evolving, with attackers finding new and innovative ways to bypass defenses and exploit vulnerabilities. One recent example of this is the ransomware gang RansomHub, who have demonstrated a clever tactic: leveraging a legitimate security tool to disable endpoint detection and response (EDR) services. This article will explore how RansomHub is abusing TDSSKiller, a tool designed by Kaspersky to combat rootkits and bootkits, to gain access to sensitive data and ultimately extort their victims.

Understanding the Threat: RansomHub's Sophisticated Approach

Ransomware, a type of malware that encrypts data and demands payment for its release, has become a significant threat to individuals and businesses alike. RansomHub is one such gang, known for its sophisticated methods and relentless pursuit of valuable information. The gang's recent actions highlight the ever-evolving nature of cyberattacks.

TDSSKiller: A Double-Edged Sword

TDSSKiller, developed by Kaspersky, is a legitimate tool used to identify and remove rootkits and bootkits, types of malware that operate at a low level, making them difficult to detect and eliminate. This tool is designed to help users restore their systems to a safe state. However, RansomHub has discovered a way to exploit TDSSKiller to their advantage.

Disabling EDR Services: The First Step to Success

EDR agents are advanced security solutions that monitor and control low-level system activities, such as file access, process creation, and network connections, providing real-time protection against threats like ransomware. RansomHub has realized that disabling these agents is a crucial first step in their attacks.

The Abuse of TDSSKiller: A Clever Tactic

RansomHub employs a command line script or batch file that utilizes TDSSKiller to disable EDR services, specifically the Malwarebytes Anti-Malware Service (MBAMService). By exploiting the legitimate tool's ability to interact with kernel-level services, they effectively circumvent the very defenses designed to protect against them.

The Power of Deception: Leveraging Legitimacy

RansomHub's strategy relies on the fact that TDSSKiller is a legitimate tool signed with a valid certificate. This allows them to bypass security solutions that typically flag suspicious or malicious software. By executing TDSSKiller from a temporary directory using a dynamically generated filename, they further disguise their activities.

Moving Laterally: Harvesting Credentials with LaZagne

Once EDR services are disabled, RansomHub deploys the LaZagne credential-harvesting tool. This tool extracts logins from various application databases, providing the attackers with valuable information that can be used for lateral movement within the network. By obtaining these credentials, they can gain access to sensitive information or even escalate their privileges within the system.

The Importance of Detection: Unmasking the Threat

Most security tools flag LaZagne itself as malicious, but once TDSSKiller has been used to disable the EDR service its activity goes unobserved, which makes detection difficult. Defenders should therefore monitor for the execution of TDSSKiller itself, and in particular for the '-dcsvc' flag, which indicates the tool is being used to disable or delete services.
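As an added example (not part of the original article), a small triage routine that applies the detection guidance above to process-creation records: it flags any use of the -dcsvc flag and notes when the binary ran from a temporary directory under a name other than tdsskiller.exe, the pattern described earlier. The field names follow Sysmon's Image and CommandLine; the sample events are constructed, not telemetry from the incident.

```python
import re

# Constructed sample process-creation events shaped like Sysmon Event ID 1 fields.
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {  # pattern from the article: renamed copy in Temp, -dcsvc against the EDR service
        "Image": r"C:\Users\alice\AppData\Local\Temp\{2E4A9B1C-7F3D}.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\{2E4A9B1C-7F3D}.exe" -dcsvc MBAMService',
    },
    {  # administrator running the tool under its own name with no arguments
        "Image": r"C:\Tools\tdsskiller.exe",
        "CommandLine": r'"C:\Tools\tdsskiller.exe"',
    },
    {  # unrelated process, should not be flagged
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe notes.txt",
    },
]

# "-dcsvc <service>" anywhere in the command line, capturing the targeted service name
DCSVC_RE = re.compile(r"(?:^|\s)-dcsvc\s+(\S+)", re.IGNORECASE)
# common per-user and system temporary directories on Windows
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def assess_event(event):
    """Return the reasons an event looks like TDSSKiller service tampering (empty if none)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    reasons = []
    match = DCSVC_RE.search(cmdline)
    if match:
        reasons.append(f"-dcsvc used against service {match.group(1)}")
        if TEMP_RE.search(image):
            reasons.append("executed from a temporary directory")
        if "tdsskiller" not in image.lower():
            reasons.append("binary name does not match tdsskiller.exe (possible renamed copy)")
    return reasons


def find_suspicious(events):
    """Map each flagged event's command line to the list of reasons it was flagged."""
    findings = {}
    for event in events:
        reasons = assess_event(event)
        if reasons:
            findings[event["CommandLine"]] = reasons
    return findings
```

In practice the same logic is applied at the SIEM as a query rather than a script, but the three signals (the flag, the directory, the mismatched binary name) are the ones worth alerting on.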

A Call to Action: Strengthening Defenses

The use of TDSSKiller by RansomHub highlights the need for proactive security measures. Organizations and individuals must be aware of this emerging threat and take steps to mitigate it.

Key Recommendations:

  • Tamper Protection: Enable tamper protection features on EDR solutions to prevent attackers from disabling them with tools like TDSSKiller.

  • Monitoring and Alerting: Implement robust monitoring systems to detect the execution of TDSSKiller and its associated flags.

  • Security Awareness Training: Educate users about the potential dangers of legitimate tools being abused for malicious purposes.

  • Regular Software Updates: Ensure all security software is up-to-date with the latest patches and signatures to identify and neutralize evolving threats.

Conclusion

The use of TDSSKiller by RansomHub is a prime example of the adaptive nature of cybercrime. Attackers are constantly seeking new ways to circumvent security measures and exploit vulnerabilities. By understanding the tactics employed by RansomHub and other ransomware gangs, cybersecurity professionals can develop more effective defenses and protect against future attacks. Continuous vigilance and a commitment to proactive security are essential to stay ahead of the ever-evolving threat landscape.
