New RansomHub Attack Uses TDSKiller to Disable EDR and Steal Credentials 

Published on September 11, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

The RansomHub ransomware group has been exploiting Kaspersky's TDSSKiller, traditionally used for identifying rootkits and bootkits, to disable endpoint detection and response (EDR) software and compromise target systems more efficiently, according to the latest report from the ThreatDown Managed Detection and Response (MDR) team.

RansomHub leverages TDSSKiller, a legitimate tool, to disable EDR services by interacting with kernel-level operations. The tool is typically executed from a temporary directory with a dynamically generated executable name, minimizing detection risks.

Following the deactivation of security defenses, RansomHub deploys the LaZagne malware to extract sensitive login data from various applications, including browsers, email clients, and databases.

LaZagne Malware
Image Source: ThreatDown

Originally developed by Kaspersky to tackle difficult-to-detect malware, TDSSKiller operates with a valid certificate, which allows it to bypass security solutions without raising alarms.

Disabling EDR solutions, which operate at the kernel level to monitor low-level system activities, leaves systems vulnerable to additional attacks. By obtaining login information, RansomHub can move laterally across networks, increasing their access and potential damage.

TDDSKiller App
Image Source: ThreatDown

RansomHub is a ransomware-as-a-service (RaaS) active since February. Known to overlap with other ransomware groups, such as ALPHV (BlackCat) and Knight Ransomware, the group reportedly targeted over 210 victims in various sectors, including healthcare, government services, and critical infrastructure.

The RansomHub ransomware gang recently hit Planned Parenthood of Montana and the Halliburton oilfield services giant. Change Healthcare's data breach was posted on RansomHub’s leak website after the cybercriminal group that claimed it, ALPHV, was shut down.

The recent Patelco Credit Union breach was also attributed to the RansomHub ransomware group, which leaked 726,000 customers’ data on the group's extortion portal on August 15 after the ransom payment negotiations allegedly failed.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: