RansomHub Adopts New Tactics in Latest Attack, Bypasses EDR and Harvests Credentials
Recently, the ThreatDown Managed Detection and Response (MDR) team has uncovered a novel attack method employed by the RansomHub ransomware group. The attackers have been observed utilizing two well-known tools, TDSSKiller and LaZagne, in a strategic sequence to disable security systems and steal valuable credentials.
The attack commences with RansomHub employing TDSSKiller, a legitimate tool from Kaspersky designed to remove rootkits. However, cybercriminals are exploiting its capability to disable Endpoint Detection and Response (EDR) solutions, essentially blinding security teams to their activities. This marks the first instance of RansomHub using TDSSKiller, demonstrating their adaptability and willingness to incorporate new techniques into their arsenal.
Once security defenses are compromised, RansomHub deploys LaZagne, a notorious credential harvesting tool. LaZagne scours the infected system, extracting login information from various sources, including browsers, email clients, and databases. This stolen data empowers the attackers to move laterally within the network, escalating their privileges and expanding their reach.
The combined use of TDSSKiller and LaZagne presents a significant challenge to defenders. By neutralizing EDR systems and acquiring credentials, RansomHub gains a considerable advantage in carrying out their ransomware operations. Organizations are strongly advised to:
- Strengthen EDR Protections: Ensure your EDR solution has robust anti-tampering mechanisms and is regularly updated to detect and prevent such attacks.
- Implement Multi-Factor Authentication: Employ MFA wherever possible to mitigate the impact of credential theft.
- Monitor for Suspicious Activity: Maintain vigilance for unusual behavior, such as the execution of TDSSKiller or LaZagne, and investigate promptly.
