Ransomware’s history is littered with threat actors that rise and fall, but every now and then a new name appears that grabs people’s attention for the wrong reasons.
RansomHub, a ransomware-as-a-service (RaaS) platform which seems to have successfully recruited affiliates from the downed BlackCat and Lockbit groups during 2024, is the latest example of this phenomenon.
In addition to providing a new home for orphaned affiliates, the platform has quickly acquired notoriety for two reasons.
The first is the number of attacks it has been connected to, probably into four figures by the time you read this. That’s impressive going for a group nobody had heard of until late 2024.
The second is the group’s tactic of attempting to disable endpoint detection and response (EDR) tools, the first line of protection for today’s PCs and servers, using sophisticated tools.
Trick up the sleeve
Trying to bypass AV clients is as old school as it gets for malware, but it’s important to draw a distinction between the traditional antivirus clients most people think of and today’s EDR software.
EDR adds more sophisticated capabilities such as proactive (rather than reactive) detection. The principle behind this is that instead of simply detecting threats based on a pattern or signature it uses behavioral techniques to spot suspicious activity before a payload activates.
EDR is also supposed to monitor for any interference in application processes at a lower level, as well as any attempt to attack its own process. This makes it a much tougher opponent than old-world AV.
That doesn’t mean ransomware platforms won’t try to bypass EDR if they can; the targeting of these systems was noticed as long ago as 2021.
But far from being an occasional technique, the use of EDR killers seems to be getting more popular while the tools themselves continue to evolve. Presumably that’s because the technique works often enough to be worth trying.
The RansomHub platform has made such tools a selling point for affiliates, with Sophos warning of this threat in a blog in August 2024.
Cheekily, Malwarebytes has noticed the platform has recently taken to deploying Kaspersky’s much-abused anti-rootkit tool TDSSKiller to do the same job.
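The abuse of a legitimate, signed anti-rootkit tool is hard to catch on signature alone, which is why defenders correlate the sequence instead: the tool launching (often from an unexpected directory) followed shortly by a security service stopping on the same host. The detection logic below is an added illustration written for this article, not code from Malwarebytes, Sophos or Kaspersky; the event fields, the service name SecurityAgentSvc, the expected install directories and the sample telemetry are all constructed assumptions a defender would replace with their own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # "process_start" or "service_stop" (assumed telemetry schema)
    detail: str    # image path for process_start, service name for service_stop

# Dual-use tools seen in EDR-killer activity; TDSSKiller is the one named above.
ANTI_ROOTKIT_TOOLS = {"tdsskiller.exe"}
# Where an admin-installed copy would normally live (assumed, lowercase, forward slashes).
EXPECTED_DIRS = ("c:/program files/", "c:/program files (x86)/")
# Service names of your own EDR/AV agent; "securityagentsvc" is a constructed placeholder.
PROTECTED_SERVICES = {"securityagentsvc"}

@dataclass(frozen=True)
class Alert:
    host: str
    tool_path: str
    unusual_path: bool       # launched from outside EXPECTED_DIRS
    stopped_service: str

def find_edr_killer_candidates(events, window=timedelta(minutes=5)):
    """Flag an anti-rootkit tool launch followed, on the same host and within
    `window`, by a stop of a protected security service."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(ordered):
        if e.kind != "process_start":
            continue
        path = e.detail.lower().replace("\\", "/")
        if path.rsplit("/", 1)[-1] not in ANTI_ROOTKIT_TOOLS:
            continue
        unusual = not path.startswith(EXPECTED_DIRS)
        for later in ordered[i + 1:]:
            if later.ts - e.ts > window:
                break                       # events are time-ordered, so stop here
            if (later.host == e.host and later.kind == "service_stop"
                    and later.detail.lower() in PROTECTED_SERVICES):
                alerts.append(Alert(e.host, e.detail, unusual, later.detail))
    return alerts

def _t(hhmm):  # helper for the constructed sample below
    return datetime(2024, 9, 1, int(hhmm[:2]), int(hhmm[2:]))

# Constructed telemetry, not real logs: ws-01 shows the killer pattern, ws-02 a copy
# run from its normal install path with no service stop, ws-03 a lone service stop.
SAMPLE_EVENTS = [
    Event(_t("1000"), "ws-01", "process_start", r"C:\Users\Public\tdsskiller.exe"),
    Event(_t("1001"), "ws-01", "service_stop", "SecurityAgentSvc"),
    Event(_t("1030"), "ws-02", "process_start", r"C:\Program Files\Vendor\tdsskiller.exe"),
    Event(_t("1040"), "ws-03", "service_stop", "SecurityAgentSvc"),
]
```

Running `find_edr_killer_candidates(SAMPLE_EVENTS)` returns a single alert for ws-01 with `unusual_path=True`; shrinking the window below the 60-second gap between the two ws-01 events returns nothing, which is the knob to tune against your own environment's noise.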
Of course, mainstream security tools have long been turned against their owners in cyberattacks; the tactic is neither new nor unique to ransomware.
Nevertheless, the targeting of EDR serves (along with a long list of vulnerabilities the platform exploits) as a reminder that ransomware is not simply a threat that preys on weaker, poorly defended networks.
It will have a crack at any network, regardless of its size or the security systems it uses, including EDR. The attackers know that it’s not the best security system or policy that dictates the success of network defense but the weakest.