How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

Sept. 24, 2024, 2:39 p.m.

Description

The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities such as Zerologon, using EDRKillShifter to disable endpoint protection, and running various evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors, using spear-phishing for initial access. It uses tools such as NetScan for network reconnaissance and AnyDesk for command and control. The attackers exfiltrate sensitive data with rclone before encrypting files and demanding a ransom. RansomHub's evolving tactics highlight the need for advanced, multi-layered security strategies to protect against modern ransomware threats.

Date

Published: Sept. 24, 2024, 2:26 p.m.
Created: Sept. 24, 2024, 2:26 p.m.
Modified: Sept. 24, 2024, 2:39 p.m.

Indicators


Attack Patterns

EDRKillShifter

RansomHub

Water Bakunawa

T1222.001

T1021.002

T1567.002

T1003.001

T1078.002

T1569.002

T1548.002

T1070.001

T1490

T1110

T1562.001

T1486

T1210

T1046

T1003

Additional Information

IT

Agriculture

Communications

Healthcare

Transportation

Finance

Government

Manufacturing