BleepingComputer reports that organizations recently targeted by the RansomHub ransomware operation had their systems' endpoint detection and response services deactivated through Kaspersky's TDSSKiller tool before being compromised with the credential-harvesting tool LaZagne for lateral movement.
According to an analysis by Malwarebytes' ThreatDown Managed Detection and Response team, RansomHub completed reconnaissance and privilege escalation and then ran TDSSKiller from a command-line script or batch file; because the tool can interact with services at the kernel level, it disabled the Malwarebytes Anti-Malware Service without being flagged. The attackers followed up by deploying LaZagne to extract credentials stored in databases, an action that produced dozens of file writes, and deleted a file to conceal the activity, the researchers said.

Because some security tools classify TDSSKiller only as 'riskware', RansomHub's use of it should prompt defenders to enable the tamper protection feature of their EDR solutions and to monitor for the '-dcsvc' flag, which TDSSKiller uses to disable or remove a service, the researchers added.
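The detection recommendation above can be expressed as a small rule over process-creation telemetry. The following is an added example written for this article, not code from BleepingComputer or Malwarebytes: it scans constructed process-creation records for TDSSKiller launched with the '-dcsvc' switch (including the batch-file case where the parent is cmd.exe) and for LaZagne execution, and returns findings with a severity. The `ProcessEvent` field names, the rule names and the service-name placeholder in the sample data are all assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The '-dcsvc' switch as a standalone token anywhere in the command line.
DCSVC_FLAG = re.compile(r"(?:^|\s)-dcsvc(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; field names are assumptions of this example."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "high" or "medium"
    rule: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_process_event(event: ProcessEvent) -> list[Finding]:
    """Apply the TDSSKiller and LaZagne rules to one process-creation event."""
    findings: list[Finding] = []
    image = _basename(event.image)
    cmd = event.command_line.lower()

    # TDSSKiller may be launched directly or via "cmd.exe /c ..." from a batch file,
    # so check both the image name and the command line.
    looks_like_tdsskiller = image == "tdsskiller.exe" or "tdsskiller" in cmd
    if looks_like_tdsskiller and DCSVC_FLAG.search(event.command_line):
        # Service disable/removal is the behaviour the article says to watch for.
        findings.append(Finding(event.host, "high",
                                "tdsskiller_dcsvc_service_disable", event.command_line))
    elif looks_like_tdsskiller:
        # A plain run is riskware worth a look, but not the kill-EDR pattern itself.
        findings.append(Finding(event.host, "medium",
                                "tdsskiller_execution", event.command_line))

    if image.startswith("lazagne") or "lazagne" in cmd:
        findings.append(Finding(event.host, "high",
                                "lazagne_credential_harvest", event.command_line))
    return findings


def analyze_events(events: list[ProcessEvent]) -> list[Finding]:
    """Run the rules over a batch of events and collect all findings."""
    findings: list[Finding] = []
    for event in events:
        findings.extend(analyze_process_event(event))
    return findings


# Constructed sample telemetry (not from the incident); the service name is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c C:\Users\Public\tdsskiller.exe -dcsvc "EDR-SERVICE-NAME-PLACEHOLDER"'),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",
                 r"C:\Users\admin\Downloads\tdsskiller.exe", "tdsskiller.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\lazagne.exe", "lazagne.exe all"),
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host} {finding.rule}: {finding.command_line}")
```

Matching on the image name and command line is deliberately simple and will miss a renamed copy of the binary; in production, pair this rule with a match on the file's code signature or hash, and treat it as a complement to, not a substitute for, the EDR tamper protection the researchers recommend.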