216.73.217.139

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

· Published 11/09/2024 20:33 · Modified 11/09/2024 20:54

Export JSON

Essential information

Published
11/09/2024 20:33
Modified
11/09/2024 20:54
Tags
2024-09-11 byovd credential harvesting edr lazagne network segmentation ransomhub ransomware tdsskiller
Related entities
2 observables, 1 intrusion sets (apt), 12 techniques (mitre), 1 malware

Description

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the gang. The attackers are utilizing two tools: , a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response () systems, and , a tool. This marks the first instance of incorporating these tools into their arsenal. The attack begins with network reconnaissance and admin group enumeration, followed by the deployment of to disable security services like Malwarebytes Anti-Malware Service. Subsequently, is used to extract stored credentials from various applications, facilitating lateral movement within the compromised network. The campaign is currently active, prompting the implementation of new detection rules and recommendations for enhanced security measures.

External references