How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

RansomHub’s attack chain highlights a growing trend in ransomware operations: attackers increasingly rely on purpose-built tools like EDRKillShifter to disable EDR and antivirus protections before deploying the ransomware itself. This underscores the need for a multilayered defense strategy that pairs up-to-date detection technology with proactive threat intelligence. As other ransomware groups adopt similar anti-EDR tactics, enhancing resilience and adapting security strategies will be crucial to safeguarding digital assets.

To defend against the evolving threat of RansomHub, organizations should adopt a comprehensive security strategy:

Strengthen endpoint protection systems. Ensure that your EDR solutions are equipped with the latest threat intelligence to detect new and evolving ransomware techniques. Behavioral analysis and heuristic scanning help detect unusual activity or anomalous behaviors that may signal attempts to execute ransomware. Restrict access to endpoints based on continuous verification to limit lateral movement. Endpoint isolation and rollback capabilities can also help mitigate potential attacks.

Trend Micro’s Apex One, for example, provides multilayered protection with advanced threat detection and response capabilities, using behavioral analysis and machine learning to detect and mitigate threats. Trend Micro’s XDR provides comprehensive threat visibility and expert analytics across email, endpoints, servers, cloud workloads, and networks.

Implement driver- and kernel-level protections. These security mechanisms help prevent unauthorized access to and manipulation of system drivers, a tactic employed by RansomHub. Tools and technologies are also available that block the loading of malicious or unsigned drivers. Ensure that only trusted code runs in kernel space, regularly monitor kernel-level activity for suspicious behavior, and verify that the security tools themselves are protected from tampering.
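One concrete starting point for the "only trusted code in kernel space" check is a point-in-time audit of the drivers actually running on a host. The script below is an added example written for this article, not code from the original post or from Trend Micro; it uses only built-in cmdlets, must be run from an elevated PowerShell session, and assumes that Valid is the only Authenticode status you accept for kernel code.

```powershell
# Added example, not code from the original post: a point-in-time audit of the
# kernel drivers running on a Windows host, reporting every driver whose
# Authenticode signature does not verify. Run from an elevated PowerShell session.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName appears in several forms
    # (\SystemRoot\..., \??\C:\..., system32\drivers\...); normalise to a full path.
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UntrustedDriver {
    [CmdletBinding()]
    param(
        # Signature statuses accepted for kernel code (assumption: only 'Valid');
        # every running driver with any other status is reported.
        [string[]]$AcceptedStatus = @('Valid')
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                # A running driver whose image cannot be found on disk deserves a look too.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Status = 'FileNotFound'; Signer = $null; SHA256 = $null }
                return
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status.ToString()
                Signer = $sig.SignerCertificate.Subject
                # Hash is included so the output can be compared against a vulnerable-driver blocklist.
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Status -notin $AcceptedStatus }
}

Get-UntrustedDriver | Sort-Object Name | Format-Table -AutoSize
```

Two caveats when reading the output. Inbox Windows drivers are usually catalog-signed rather than embedded-signed, so treat a NotSigned result on a Microsoft driver as something to confirm before acting on it. More importantly, a validly signed driver that has a known vulnerability passes this check, which is why the SHA256 column is there: compare it against a vulnerable-driver blocklist as well, and keep in mind that this is an audit, not a preventive control like the driver-loading restrictions described above.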

Trend Micro’s Deep Security has an integrity-monitoring feature that ensures that only signed and verified drivers are allowed, preventing unauthorized or malicious drivers from being loaded. Deep Security also has a virtual patching capability that provides immediate protection against newly discovered vulnerabilities in drivers before official patches are applied.

Enforce credential and authentication security. Enable multifactor authentication (MFA) across all access points, regularly update passwords, and monitor for any signs of credential misuse. Limit access based on roles to reduce exposure and ensure that authentication systems are regularly audited for vulnerabilities to prevent unauthorized access.

The Trend Micro Password Manager, for instance, enforces the use of strong, complex passwords and regular password rotation across all systems to reduce the risk of unauthorized access to systems requiring elevated privileges.

Enable behavioral monitoring and anomaly detection. These security mechanisms continuously analyze patterns of normal behavior to flag deviations that could indicate ransomware or other malicious activities. Detecting anomalies early, such as unauthorized file encryption or lateral movement within the network, allows for a swift response before major damage occurs. Combining real-time monitoring with automated alerts and analysis significantly enhances your ability to detect threats like RansomHub in their early stages.

Apex One, for example, has behavior monitoring capabilities to detect and block malicious activities such as unauthorized file modifications or memory allocation anomalies. Trend Micro’s Managed XDR services augment threat and anomaly detection with expert analysis and 24/7 monitoring across email, endpoints, servers, cloud workloads, and networks.

Harden the endpoints’ security configurations. Apply strict access controls, disable unnecessary services, and ensure that all systems are regularly patched and updated. Standardize security settings across devices and regularly audit endpoint configurations to identify and address weaknesses or vulnerabilities before they can be exploited.

Deep Security has an application control feature that allows only verified and authorized applications while blocking unauthorized executables. The Trend Micro Apex Central solution enforces the principle of least privilege by ensuring that applications and users have only the permissions necessary for their respective functions.

Trend Micro Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers anticipate cyber threats and prepare for emerging ones. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

RansomHub Attacks Surge: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection

Trend Micro Vision One Threat Insights App

Threat Actor/s: Water Bakunawa

Emerging Threats: RansomHub Ramps Up: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection

Hunting Queries

Trend Micro Vision One Search App

Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.

EDRKILLSHIFT Detection

malName:("*EDRKILLSHIFT*") AND eventName:MALWARE_DETECTION
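The same predicate can be applied to an exported copy of your detection events, which is useful for scoping affected hosts without re-running the search, or for environments where the events have already been forwarded elsewhere. The script below is an added example written for this article, not code from the original post or from Trend Micro; the field names (eventName, malName, endpointHostName, eventTime) and the sample records are constructed assumptions, not Vision One data, and the detection names are placeholders chosen only to exercise the wildcard.

```powershell
# Added example, not from the original post: the Search App hunt above, expressed
# over a local export of detection events so the same predicate can be applied
# offline. Field names and sample records are constructed assumptions.

function Invoke-MalwareNameHunt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Same wildcard as the query above; -like is case-insensitive by default.
        [string]$MalNamePattern = '*EDRKILLSHIFT*',
        [string]$EventName = 'MALWARE_DETECTION'
    )
    $Events | Where-Object {
        $_.eventName -eq $EventName -and $_.malName -like $MalNamePattern
    }
}

function Get-HuntSummary {
    # Scope the hits per endpoint: count plus first/last seen, which is what you
    # need to decide which hosts to isolate first.
    param([Parameter(Mandatory)][object[]]$Hits)
    $Hits | Group-Object endpointHostName | ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]$_.eventTime } | Sort-Object)
        [pscustomobject]@{
            Host      = $_.Name
            Hits      = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Names     = ($_.Group.malName | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample export: two hosts with matching detections, one unrelated
# detection, and one matching name on a non-detection event (must not match).
$sampleJson = @'
[
  {"eventTime":"2024-08-01T10:15:00Z","endpointHostName":"WS-0142","eventName":"MALWARE_DETECTION","malName":"Example.EDRKILLSHIFT.SAMPLE"},
  {"eventTime":"2024-08-01T10:17:30Z","endpointHostName":"WS-0142","eventName":"MALWARE_DETECTION","malName":"Example.EDRKILLSHIFT.SAMPLE"},
  {"eventTime":"2024-08-01T11:02:00Z","endpointHostName":"SRV-DB01","eventName":"MALWARE_DETECTION","malName":"example.edrkillshift.variant"},
  {"eventTime":"2024-08-01T11:05:00Z","endpointHostName":"SRV-DB01","eventName":"MALWARE_DETECTION","malName":"Example.Unrelated.Detection"},
  {"eventTime":"2024-08-01T11:09:00Z","endpointHostName":"WS-0200","eventName":"FILE_QUARANTINE","malName":"Example.EDRKILLSHIFT.SAMPLE"}
]
'@

$hits = Invoke-MalwareNameHunt -Events (ConvertFrom-Json $sampleJson)
$hits | Format-Table eventTime, endpointHostName, malName -AutoSize
Get-HuntSummary -Hits $hits | Format-Table -AutoSize
```

On the constructed data this returns three hits on two hosts (WS-0142 and SRV-DB01); the WS-0200 record is excluded because the event name does not match, exactly as the AND in the Search App query requires. Replace the embedded JSON with your own export and the summary gives you a per-host triage order.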

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IoCs):
