RansomHub Ransacks Systems: How Cybercriminals Abuse Kaspersky’s TDSSKiller to Disable Defenses

The RansomHub gang abuses Kaspersky's legitimate TDSSKiller anti-rootkit utility to disable endpoint detection and response (EDR) services, then deploys LaZagne to harvest credentials from the now-undefended host. It's like using a Swiss Army knife to break into a vault: unexpected and surprisingly effective.

Hot Take:

Who knew a superhero tool could turn supervillain? Looks like TDSSKiller is having a mid-life crisis and switching sides! RansomHub, the ransomware gang, is like that kid in high school who figured out how to hack the vending machine.

Key Points:

  • RansomHub is using Kaspersky's TDSSKiller, a legitimate, vendor-signed anti-rootkit utility, to disable endpoint detection and response (EDR) services.
  • Once the defenses are down, RansomHub deploys LaZagne to harvest stored credentials from the compromised system.
  • TDSSKiller was designed to detect and remove rootkits and bootkits; doing that job requires kernel-level access to services and drivers, and that same capability is what the attackers turn against security services.
  • The tool was not run from its usual install path: it was executed from a temporary directory under a dynamically generated filename, which is what a defender should key on, since the binary itself is legitimate and signed.
  • LaZagne is widely flagged as a hacking tool, so catching it is the easy part; the crucial control is preventing TDSSKiller from disabling security in the first place, for example by blocking its execution where it has no business running and by enabling tamper protection on the EDR agent.
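The key points above describe a chain a defender can hunt for: a renamed copy of TDSSKiller launched from a temp directory with a service-removal switch, followed shortly by LaZagne on the same host. The following is an added example written for this page, not code from the original post or from any of the vendors named in it. It runs over a handful of constructed Sysmon process-creation (Event ID 1) records embedded inline, using the `OriginalFileName` PE field to see through the random filename. The `-dcsvc` switch and the `EdrAgentSvc` service name are assumptions used for illustration, as is the 30-minute correlation window.

```python
"""Hunt for the TDSSKiller -> LaZagne chain in Sysmon Event ID 1 records.

Added example, not from the original post. The events below are constructed
telemetry; the '-dcsvc' switch and 'EdrAgentSvc' service name are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 records (subset of fields), NOT real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-09-10 11:02:13.120", "Computer": "WS-0417",
     "Image": r"C:\Program Files\Kaspersky Lab\TDSSKiller\tdsskiller.exe",
     "OriginalFileName": "tdsskiller.exe", "Company": "AO Kaspersky Lab",
     "CommandLine": r'"C:\Program Files\Kaspersky Lab\TDSSKiller\tdsskiller.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # legitimate admin run
    {"UtcTime": "2024-09-10 11:05:41.003", "Computer": "WS-0417",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\{2F5A8E10-1C3B-4D6E-9A7F-0B1C2D3E4F50}.exe",
     "OriginalFileName": "tdsskiller.exe", "Company": "AO Kaspersky Lab",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\{2F5A8E10-1C3B-4D6E-9A7F-0B1C2D3E4F50}.exe" -dcsvc EdrAgentSvc',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},  # renamed copy, from Temp
    {"UtcTime": "2024-09-10 11:09:02.550", "Computer": "WS-0417",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\laZagne.exe",
     "OriginalFileName": "laZagne.exe", "Company": "",
     "CommandLine": r"laZagne.exe all",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},  # credential harvesting
    {"UtcTime": "2024-09-10 12:30:00.000", "Computer": "WS-0099",
     "Image": r"C:\Users\asmith\AppData\Local\Temp\lazagne.exe",
     "OriginalFileName": "laZagne.exe", "Company": "",
     "CommandLine": r"lazagne.exe browsers",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},  # LaZagne, no prior EDR kill
]

TEMP_PATH = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
# Assumed TDSSKiller service-deletion switch; adjust to the switch you observe.
SERVICE_KILL_SWITCH = re.compile(r"(^|\s)-dcsvc(\s|$)", re.IGNORECASE)


def is_renamed(ev):
    """True when the on-disk filename differs from the PE's OriginalFileName."""
    on_disk = ev["Image"].rsplit("\\", 1)[-1].lower()
    return on_disk != ev["OriginalFileName"].lower()


def classify(ev):
    """Return per-event indicator tags (empty list for benign events)."""
    tags = []
    orig = ev["OriginalFileName"].lower()
    if orig == "tdsskiller.exe":
        if TEMP_PATH.search(ev["Image"]):
            tags.append("tdsskiller_from_temp")
        if is_renamed(ev):
            tags.append("tdsskiller_renamed")
        if SERVICE_KILL_SWITCH.search(ev["CommandLine"]):
            tags.append("tdsskiller_service_delete")
    if orig == "lazagne.exe" or re.search(r"lazagne", ev["CommandLine"], re.IGNORECASE):
        tags.append("lazagne")
    return tags


def hunt(events, window=timedelta(minutes=30)):
    """Tag each event, then correlate: a service-delete attempt followed by
    LaZagne on the same host inside `window` is flagged as the full chain."""
    findings = []
    last_kill = {}  # host -> time of the most recent service-delete attempt
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        tags = classify(ev)
        host = ev["Computer"]
        if "tdsskiller_service_delete" in tags:
            last_kill[host] = t
        if "lazagne" in tags and host in last_kill and t - last_kill[host] <= window:
            tags.append("chain_edr_disable_then_cred_harvest")
        if tags:
            findings.append((host, ev["UtcTime"], tags))
    return findings


if __name__ == "__main__":
    for host, when, tags in hunt(SAMPLE_EVENTS):
        print(f"{when} {host}: {', '.join(tags)}")
```

The legitimate run from the install directory produces no tags, which is the point of matching on `OriginalFileName` plus location and switch rather than on the filename alone: blocking `tdsskiller.exe` by name is exactly what the random filename defeats, while the PE metadata, the Temp path and the service-deletion switch survive the rename.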
