The infamous RansomHub ransomware group has been found abusing a legitimate Kaspersky tool to disable endpoint detection and response (EDR) tools and then deploy second-stage malware on infected systems undetected.
Researchers at Malwarebytes, who recently detected the activity, noted that once RansomHub has gained a foothold on an endpoint, it must first disable any EDR tools before deploying its infostealers or encryptors. In this case the tool used for that is TDSSKiller, Kaspersky’s specialized utility designed to detect and remove rootkits, particularly those from the TDSS family (also known as TDL4).
Rootkits are malicious programs that hide their presence on infected systems, making them difficult for standard antivirus programs to detect. TDSSKiller can identify and remove these deeply embedded threats, helping to restore system security and functionality. The tool is lightweight, easy to use, and can be run alongside other antivirus solutions for added protection.
LaZagne Implementation
Once EDR has been removed, the group deploys LaZagne, an information-stealing program capable of obtaining login credentials for various network services. The tool writes all the stolen credentials to a single file, which the group exfiltrates and then deletes to cover its tracks. With those credentials in hand, the attackers can deploy the encryption program without fear of being detected by antivirus programs.
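The chain described in the two passages above (TDSSKiller run, EDR disabled, LaZagne run, credential dump deleted) is the kind of sequence a detection engineer would correlate rather than alert on piecemeal. The following is an added example, not code from Malwarebytes or the article; the event schema is a constructed Sysmon-like one, and the EDR image name is a placeholder to be replaced with the defender's own agent binaries:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "proc" (process start), "proc_end", or "file_delete" (assumed schema)
    image: str   # process image path, or deleted file path

# Tool names come from the article; the EDR image is a placeholder for your own agent.
TDSSKILLER = "tdsskiller.exe"
LAZAGNE = "lazagne.exe"
EDR_IMAGES = {"edr-agent.exe"}

def find_chain(events, window=timedelta(hours=2)):
    """Map host -> ordered stages seen: TDSSKiller run, then (within `window`)
    EDR exit, LaZagne start, file deletion. All four = high-confidence alert."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = {}
    for host, evs in by_host.items():
        stages, start = [], None
        for e in evs:
            name = e.image.lower().rsplit("\\", 1)[-1]
            if not stages:                      # chain opens with the rootkit cleaner
                if e.kind == "proc" and name == TDSSKILLER:
                    stages, start = ["tdsskiller_run"], e.ts
                continue
            if e.ts - start > window:           # too late to belong to this chain
                continue
            last = stages[-1]
            if last == "tdsskiller_run" and e.kind == "proc_end" and name in EDR_IMAGES:
                stages.append("edr_terminated")
            elif last == "edr_terminated" and e.kind == "proc" and name == LAZAGNE:
                stages.append("lazagne_run")
            elif last == "lazagne_run" and e.kind == "file_delete":
                stages.append("dump_deleted")   # stolen-credential file removed
        if stages:
            hits[host] = stages
    return hits

SAMPLE = [  # constructed telemetry, not from any real incident
    Event(datetime(2024, 9, 1, 10, 0), "ws01", "proc", r"C:\Temp\TDSSKiller.exe"),
    Event(datetime(2024, 9, 1, 10, 1), "ws01", "proc_end", r"C:\EDR\edr-agent.exe"),
    Event(datetime(2024, 9, 1, 10, 5), "ws01", "proc", r"C:\Temp\LaZagne.exe"),
    Event(datetime(2024, 9, 1, 10, 9), "ws01", "file_delete", r"C:\Temp\creds.txt"),
    Event(datetime(2024, 9, 1, 11, 0), "ws02", "proc", r"C:\Tools\TDSSKiller.exe"),
]

if __name__ == "__main__":
    print(find_chain(SAMPLE))
```

A host that only reaches the first stage (ws02 in the sample) still deserves a look, since an ad hoc rootkit-cleaner run on a workstation is unusual outside a planned cleanup.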
RansomHub is a relatively young ransomware group, which emerged from the now-defunct ALPHV/BlackCat. The group was an affiliate of ALPHV and was responsible for the attack on Change Healthcare, which resulted in the healthcare organization paying $22 million in ransom. ALPHV’s operators kept all the money and shut down their infrastructure, leaving RansomHub without its share of the loot. Since then, the group has been active, compromising dozens of organizations around the world.
Via BleepingComputer