【CyCraft Monthly Intelligence】When Defense Systems Become the Target: An Analysis of RansomHub Ransomware's Anti-Detection Techniques

Threat and Impact

RansomHub ransomware, operated by the threat actor group Water Bakunawa, has drawn worldwide attention in the cybersecurity community despite being active for just over a year, owing to its sophisticated tactics. Its defining trait is a focus on disabling EDR and antivirus software before deploying the payload. In June 2024, it leveraged vulnerabilities such as Zerologon (CVE-2020-1472) to successfully attack multiple industries and critical infrastructure sectors, including water and wastewater treatment, information technology, commercial and government agencies, medical, agriculture, financial services, manufacturing, transportation, and communications.

Analyst Perspective

The RansomHub attack chain underscores the importance of proactive threat intelligence gathering, robust security measures, and continuous monitoring in protecting digital assets. As groups like RansomHub continue to refine their anti-EDR tactics, enterprises must adapt their existing security strategies to address these risks effectively in an ever-changing cybersecurity landscape.

Incident Description

According to the Federal Bureau of Investigation (FBI), over 210 organizations have fallen victim since February 2024. The RansomHub attack chain employs advanced anti-EDR techniques, such as EDRKillShifter, which is specifically designed to disrupt security processes, evade detection, and ensure persistence in compromised systems. Through batch scripts and tools like EDRKillShifter, RansomHub can disable or terminate EDR protection processes, dump credentials from LSASS memory to escalate the attack, conduct stealthy network reconnaissance, exfiltrate sensitive data using tools like rclone, and ultimately deploy ransomware to encrypt files and extort ransom payments.

The rise of RansomHub not only poses tangible economic and security threats but also indicates that ransomware attacks have become increasingly prevalent. The sophisticated tools and tactics used to bypass current security defenses highlight the necessity of multi-layered defense strategies and attack surface management.

Technical Details

Beyond employing advanced anti-EDR techniques to evade detection and persist in compromised systems, RansomHub's most notable feature is the EDRKillShifter tool, which can incapacitate traditional EDR defenses and significantly increase the attack's chance of success.

Initial Access

RansomHub gains initial access through various methods, including exploiting the Zerologon vulnerability (CVE-2020-1472) and compromising user accounts.

Defense Evasion

In one incident, RansomHub utilized batch scripts such as 232.bat, tdsskiller.bat, killdeff.bat, and LogDel.bat to evade detection. These scripts disable security features, modify Windows registry settings, and clear event logs to hinder forensic investigations.

EDRKillShifter

EDRKillShifter is a critical tool in the RansomHub attack chain. It is an executable loader that leverages vulnerable drivers to terminate EDR and antivirus software, a bring-your-own-vulnerable-driver (BYOVD) technique. After decrypting the embedded resource data.bin and loading it into memory for execution, EDRKillShifter can bypass security measures and persist on the system.

Credential Dumping

RansomHub leverages Task Manager to dump credentials from LSASS memory, enabling the attack to escalate. The stolen credentials not only allow further damage but also make recovery efforts more complex.

Lateral Movement

Attackers transfer lateral movement tooling between hosts, abuse SMB/Windows Admin Shares, and use tools like NetScan to move across systems precisely and efficiently. Because this lateral movement is difficult to detect, it paves the way for subsequent targeted attacks.

Command and Control (C2)

RansomHub utilizes AnyDesk as its C2 infrastructure, abusing this legitimate remote access tool to execute commands, exfiltrate data, and conduct lateral movement activities.

Data Exfiltration

Attackers use the command-line tool rclone to steal sensitive files from compromised networks, transferring data to remote servers to back their ransom demands; this maps to MITRE ATT&CK technique T1041, Exfiltration Over C2 Channel.

Conclusion

Once the ransomware and EDRKillShifter are successfully executed, system files are encrypted and VSS snapshots are deleted without confirmation, severely compromising system recovery. A thorough understanding of the RansomHub attack chain and the technical details of tools like EDRKillShifter therefore helps security professionals anticipate and defend against similar threats.

Mitigation

To effectively mitigate RansomHub, EDRKillShifter, and similar tools, we recommend that enterprises implement a multi-layered security strategy that addresses both short-term and long-term threats:

1. Strengthen Endpoint Protection

· Enable behavioral analysis and heuristic scanning: Activate these features to detect anomalies or behaviors associated with ransomware attacks, helping identify and isolate infected systems.

· Regular updates and patching: Ensure all endpoint devices are regularly updated and patched to address known vulnerabilities, particularly those related to drivers and kernel-level components.

2. Restrict Endpoint Access Privileges

· Continuous verification: Implement continuous verification mechanisms to limit lateral movement, and leverage endpoint isolation and restoration capabilities to control malware propagation.

· Endpoint isolation: Employ isolation techniques to prevent infected endpoints from communicating with other systems, reducing the scope of damage.

· Enable restoration capabilities: Activate restoration features to return compromised systems to a previous known-good state, minimizing impact.

3. Protect Drivers and Kernel Level

· Driver management: Strictly control which drivers are allowed to load on systems, using tools that monitor and block unauthorized or suspicious driver execution.

· Kernel-level monitoring: Monitor at the kernel level to proactively detect and intercept suspicious activity.

4. Enhance Credential and Authentication Security

· Multi-factor authentication (MFA): Enable MFA at all access points to add an additional security layer, making it harder for attackers to gain unauthorized access.

· Regular password updates: Enforce regular password updates and use strong passwords to reduce the risk of unauthorized access.

· Role-based access control: Limit access privileges based on roles to reduce exposure, and regularly audit authentication systems for vulnerabilities.

5. Enable Behavioral Monitoring and Anomaly Detection

· Real-time monitoring: Continuously monitor system activity to identify ransomware or other malicious activity.

· Autonomous alerts and analysis: Configure autonomous alerting and analysis mechanisms, such as real-time monitoring of network traffic and system logs, to enable rapid response to potential threats.

· Anomaly detection: Leverage machine learning and artificial intelligence to detect and identify anomalies associated with ransomware activity.

Conclusion

Attacks targeting EDR and other defense systems are escalating. Based on our technical analysis, we emphasize strict access controls and continuous monitoring. By implementing the mitigation strategies outlined above, enterprises can build robust security defenses and significantly reduce the risk of falling victim to RansomHub and similar ransomware campaigns.

IoCs (Indicators of Compromise)

Files

Context | MD5 | SHA1 | SHA256
--- | --- | --- | ---
EDRKILLSHIFTER Binary | c618c943840269eb753cb389029d331c | bcdb721d5be41a9d61bee20a458ae748e023238f | be699f53c09493edcc8470b9dc256941ed310565c477afcf2c9222581a604b86
EDRKILLSHIFTER Binary | da3ba26033eb145ac916500725b7dfd5 | 2d3a95e91449a366ccf56177a4542cc439635768 | bd70882f67da03836f372172f655456ce19f95878d70ec39fcc6c059f9ef4ca0
EDRKILLSHIFTER Binary | 03b9b7bc71c22d078987b2640190b655 | 77daf77d9d2a08cc22981c004689b870f74544b5 | f982dfc0a0984f317460ca6d27d72ad6b3274b58cb7cf984e1c3e6f001e1edf8
EDRKILLSHIFTER Binary | 57556d30b4d1e01d5c5ca2717a2c8281 | 6764ddb2e5b18bf5d0c621f3078d7ac72865c1c3 | b2a2e8e0795b2f69d96a48a49985fb67d22d1c6e8b40dadd690c299b9af970d4
EDRKILLSHIFTER Binary | de8e14fdd3f385d7c6d34b181903849f | 86cdb729094c013e411ac9b4c72485a55a629e5d | 46ff164e066a3a88dad76cad25c6ea42c7da6890bcba3fa3ccd4c6e93a3272d0
EDRKILLSHIFTER Binary | n/a | 2e89cf3267c8724002c3c89be90874a22812efc6 | n/a
TDSSKILLER Binary | ff1eff0e0f1f2eabe1199ae71194e560 | 3b035da6c69f9b05868ffe55d7a267d098c6f290 | 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009
RansomHub Ransomware Binaries | n/a | 4c0d755f42902559d16b73ccc4511897f7bbce94 | n/a
RansomHub Ransomware Binaries | 407dcc63e6186f7acada055169b08d81 | 189c638388acd0189fe164cf81e455e41d9629d6 | bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c
RansomHub Ransomware Binaries | f17ceae8c5066608b5c87431bac405a9 | de1241a592760cc1d850be8f41beebcd460b66ec | 30abbbeedeeb268435899a7697f7a72f37a38e60ae2430e09bc029c7a8aa7001
RansomHub Ransomware Binaries | 676259a72f3f770f8ad20b287d62071b | 8de2d38d33294586b4758599fdf65f1a265e013b | 869758de8334c2b201a07cfbfc0a903105a113080dde0355857de46b3eaae08e
RansomHub Ransomware Binaries | n/a | 5f2c7da181a0ef32df5b9c8a10ea5b3135489021 | n/a
NetScan Binary | 719ba3d7051173982919d1e4e9e9a0ec | e38082ae727aeaef4f241a1920150fdf6f149106 | d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616
Rclone Binary | 0cd57e68236aaa585af75e3be9d5df7d | e187d58f59e0444f7ef9ddefec88d2b11b96e734 | d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d
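The file indicators above are only useful once they are turned into a sweep. The script below is an added example for this article, not a CyCraft tool: it indexes the hashes from the table (skipping the "n/a" entries), hashes files on disk with all three algorithms in one pass, and reports any file whose digest matches. The directory walk, chunk size and output format are the example's own choices; the digest values are copied from the table.

```python
import hashlib
import sys
from pathlib import Path

# Hash values copied from the IoC table above; "n/a" marks a hash the report did
# not provide and is skipped when the index is built.
IOC_FILES = [
    ("EDRKILLSHIFTER Binary", "c618c943840269eb753cb389029d331c",
     "bcdb721d5be41a9d61bee20a458ae748e023238f",
     "be699f53c09493edcc8470b9dc256941ed310565c477afcf2c9222581a604b86"),
    ("EDRKILLSHIFTER Binary", "da3ba26033eb145ac916500725b7dfd5",
     "2d3a95e91449a366ccf56177a4542cc439635768",
     "bd70882f67da03836f372172f655456ce19f95878d70ec39fcc6c059f9ef4ca0"),
    ("EDRKILLSHIFTER Binary", "03b9b7bc71c22d078987b2640190b655",
     "77daf77d9d2a08cc22981c004689b870f74544b5",
     "f982dfc0a0984f317460ca6d27d72ad6b3274b58cb7cf984e1c3e6f001e1edf8"),
    ("EDRKILLSHIFTER Binary", "57556d30b4d1e01d5c5ca2717a2c8281",
     "6764ddb2e5b18bf5d0c621f3078d7ac72865c1c3",
     "b2a2e8e0795b2f69d96a48a49985fb67d22d1c6e8b40dadd690c299b9af970d4"),
    ("EDRKILLSHIFTER Binary", "de8e14fdd3f385d7c6d34b181903849f",
     "86cdb729094c013e411ac9b4c72485a55a629e5d",
     "46ff164e066a3a88dad76cad25c6ea42c7da6890bcba3fa3ccd4c6e93a3272d0"),
    ("EDRKILLSHIFTER Binary", "n/a", "2e89cf3267c8724002c3c89be90874a22812efc6", "n/a"),
    ("TDSSKILLER Binary", "ff1eff0e0f1f2eabe1199ae71194e560",
     "3b035da6c69f9b05868ffe55d7a267d098c6f290",
     "2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009"),
    ("RansomHub Ransomware Binaries", "n/a", "4c0d755f42902559d16b73ccc4511897f7bbce94", "n/a"),
    ("RansomHub Ransomware Binaries", "407dcc63e6186f7acada055169b08d81",
     "189c638388acd0189fe164cf81e455e41d9629d6",
     "bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c"),
    ("RansomHub Ransomware Binaries", "f17ceae8c5066608b5c87431bac405a9",
     "de1241a592760cc1d850be8f41beebcd460b66ec",
     "30abbbeedeeb268435899a7697f7a72f37a38e60ae2430e09bc029c7a8aa7001"),
    ("RansomHub Ransomware Binaries", "676259a72f3f770f8ad20b287d62071b",
     "8de2d38d33294586b4758599fdf65f1a265e013b",
     "869758de8334c2b201a07cfbfc0a903105a113080dde0355857de46b3eaae08e"),
    ("RansomHub Ransomware Binaries", "n/a", "5f2c7da181a0ef32df5b9c8a10ea5b3135489021", "n/a"),
    ("NetScan Binary", "719ba3d7051173982919d1e4e9e9a0ec",
     "e38082ae727aeaef4f241a1920150fdf6f149106",
     "d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616"),
    ("Rclone Binary", "0cd57e68236aaa585af75e3be9d5df7d",
     "e187d58f59e0444f7ef9ddefec88d2b11b96e734",
     "d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d"),
]

ALGORITHMS = ("md5", "sha1", "sha256")


def build_index(rows):
    """Map each known digest to its context, one dict per algorithm."""
    index = {algo: {} for algo in ALGORITHMS}
    for context, md5, sha1, sha256 in rows:
        for algo, value in zip(ALGORITHMS, (md5, sha1, sha256)):
            if value.lower() != "n/a":
                index[algo][value.lower()] = context
    return index


def hash_bytes(data):
    """Digest an in-memory blob with all three algorithms."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Digest a file in one pass, feeding every chunk to all three hashers."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, index):
    """Return (algorithm, context) pairs for every digest present in the index."""
    return [(algo, index[algo][value.lower()])
            for algo, value in digests.items() if value.lower() in index.get(algo, {})]


def sweep(root, index):
    """Yield (path, matches) for files under root whose digests hit the index."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            matches = match_digests(hash_file(path), index)
        except OSError:
            continue  # unreadable or locked file; skip rather than abort the sweep
        if matches:
            yield path, matches


if __name__ == "__main__":
    idx = build_index(IOC_FILES)
    for root in sys.argv[1:] or ["."]:
        for path, matches in sweep(root, idx):
            print(f"MATCH {path}: " + ", ".join(f"{a}={c}" for a, c in matches))
```

Indexing all three algorithms matters for this table in particular: several rows carry only a SHA1, so a sweep that computed SHA256 alone would never match those samples.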

URL

  • Context: IP Address where the Anti-EDR was downloaded
  • URL: hxxp://82.147.85[.]52/Loader.exe

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
