How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
Sept. 24, 2024, 2:39 p.m.
Description
The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities such as Zerologon, using EDRKillShifter to disable endpoint protection, and running various evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors, using spear-phishing for initial access. It uses tools such as NetScan for network reconnaissance and AnyDesk for command and control. The attackers exfiltrate sensitive data with rclone before encrypting files and demanding a ransom. The evolving tactics of RansomHub highlight the need for advanced, multi-layered security strategies to protect against modern ransomware threats.
Date
Published: Sept. 24, 2024, 2:26 p.m.
Created: Sept. 24, 2024, 2:26 p.m.
Modified: Sept. 24, 2024, 2:39 p.m.
Indicators
d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d
bd70882f67da03836f372172f655456ce19f95878d70ec39fcc6c059f9ef4ca0
bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c
b2a2e8e0795b2f69d96a48a49985fb67d22d1c6e8b40dadd690c299b9af970d4
869758de8334c2b201a07cfbfc0a903105a113080dde0355857de46b3eaae08e
46ff164e066a3a88dad76cad25c6ea42c7da6890bcba3fa3ccd4c6e93a3272d0
30abbbeedeeb268435899a7697f7a72f37a38e60ae2430e09bc029c7a8aa7001
2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009
82.147.85.52
Attack Patterns
EDRKillShifter
RansomHub
Water Bakunawa
T1222.001
T1021.002
T1567.002
T1003.001
T1078.002
T1569.002
T1548.002
T1070.001
T1490
T1110
T1562.001
T1486
T1210
T1046
T1003
Additional Information
IT
Agriculture
Communications
Healthcare
Transportation
Finance
Government
Manufacturing