RansomHub Ransomware Exploits EDRKillShifter to Neutralize EDR and Antivirus Defenses

The use of EDRKillShifter by RansomHub in their attack demonstrates a rising trend in ransomware tactics, where hackers are increasingly turning to advanced tools to circumvent security measures.

How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

RansomHub's use of EDRKillShifter in this attack reflects a wider shift in ransomware tradecraft: attackers increasingly bring dedicated tooling to disable security controls before encryption begins. This underlines the need for a multi-layered defense that pairs up-to-date technology with proactive threat intelligence. As other ransomware groups adopt similar EDR-evasion methods, organizations must strengthen resilience and adjust their security controls to protect digital assets effectively.

To counter the evolving threat posed by RansomHub, organizations should implement a comprehensive security blueprint:

Fortify endpoint security systems. Ensure that EDR solutions are fed the latest threat intelligence so they can detect new and evolving ransomware techniques. Use behavioral analysis and heuristic scanning to surface abnormal activity that might indicate a ransomware attempt. Require continuous verification for endpoint access to limit lateral movement. Endpoint isolation and rollback capabilities also help contain an attack that does get through.

For instance, Trend Micro’s Apex One offers a multi-faceted shield with advanced threat detection and response features, leveraging behavioral analysis and machine learning to detect and counter threats. Trend Micro’s XDR provides extensive threat visibility and expert analytics across email, endpoints, servers, cloud workloads, and networks.

Deploy driver- and kernel-level safeguards. These controls prevent unauthorized loading and manipulation of kernel drivers, a tactic RansomHub relies on to neutralize EDR. Various tools exist to block malicious or unapproved drivers from executing. Ensure that only trusted code runs in kernel space and monitor kernel-level activity continuously, both to spot suspicious behavior and to confirm that security tools are protected against tampering. Note that a valid code signature alone is not a sufficient trust decision: a legitimately signed driver can still be unwanted on a given host, so complement signature checks with an allowlist of approved drivers and a blocklist of drivers known to be abused.

Trend Micro’s Deep Security includes an integrity-monitoring component that permits only signed and validated drivers while barring unauthorized or malicious drivers from loading. Deep Security also integrates a virtual patching feature for immediate protection against recently discovered vulnerabilities in drivers before official patches are implemented.

Strengthen credential and authentication security. Implement multifactor authentication (MFA) across all entry points, regularly refresh passwords, and monitor for any indicators of credential abuse. Restrict access based on defined roles to minimize exposure and ensure that authentication systems are consistently audited for vulnerabilities to mitigate unauthorized access.

For example, Trend Micro's Password Manager enforces strong, complex passwords and periodic password rotation across systems, reducing the risk that weak or reused credentials give an attacker privileged access.

Activate behavioral monitoring and anomaly detection. These security measures continually scrutinize patterns of normal behavior to flag deviations that could point towards ransomware or other illicit activities. Early detection of anomalies, such as unauthorized file encryption or lateral network movement, permits prompt responses before significant harm materializes. Integrating real-time monitoring with automated alerting and analysis drastically boosts your ability to detect threats like RansomHub at their nascent stages.
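The two recommendations above (allow only approved drivers into kernel space, and alert on behavior that suggests a security tool is being tampered with) can be combined into a single hunt. The following is an added example written for this article, not Trend Micro's code: it correlates a Sysmon DriverLoad event (Event ID 6) for a driver that is not on a local allowlist with a Service Control Manager event 7036 reporting that a protected security service stopped on the same host shortly afterwards. The allowlist hashes, the protected service names, the flat event layout and the sample events are all constructed for the example; only the Sysmon and event 7036 field semantics are real.

```python
"""Correlate an unapproved kernel-driver load with a security service stopping
shortly afterwards on the same host.

Added example, not Trend Micro's code. Event records are constructed: field
names follow Sysmon Event ID 6 (DriverLoad) and the Service Control Manager's
System-log event 7036 ("... entered the stopped state"), but the flat dict
layout is an assumption made for this example.
"""
from datetime import datetime, timedelta

# Drivers approved to load in kernel space, keyed by SHA256.
# Constructed values; a real list would be built from a golden image.
APPROVED_DRIVER_SHA256 = {
    "a" * 64: "disk.sys",
    "b" * 64: "tmcomm.sys",
}

# Services whose unexpected stop is treated as tampering (assumed display names).
PROTECTED_SERVICES = {
    "windows defender antivirus service",
    "trend micro unauthorized change prevention service",
}

WINDOW = timedelta(minutes=10)


def _sha256_from_hashes(field: str) -> str:
    """Sysmon writes 'SHA256=..,MD5=..' (order varies); pull the SHA256 value."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify_driver_load(ev: dict) -> list:
    """Return the reasons a DriverLoad event is suspicious (empty means clean)."""
    reasons = []
    sha = _sha256_from_hashes(ev.get("Hashes", ""))
    if sha not in APPROVED_DRIVER_SHA256:
        reasons.append("driver not on allowlist")
    # A valid Authenticode signature is necessary but not sufficient:
    # a legitimately signed driver can still be unapproved on this host.
    if (str(ev.get("Signed", "false")).lower() != "true"
            or ev.get("SignatureStatus") != "Valid"):
        reasons.append("signature missing or not valid")
    return reasons


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Pair each suspicious driver load with protected-service stops that follow
    it on the same host within `window`. Returns one dict per pair."""
    loads = [(e, classify_driver_load(e)) for e in events if e["event_id"] == 6]
    loads = [(e, r) for e, r in loads if r]
    stops = [e for e in events
             if e["event_id"] == 7036 and e.get("State") == "stopped"
             and e.get("Service", "").lower() in PROTECTED_SERVICES]
    hits = []
    for drv, reasons in loads:
        t0 = datetime.fromisoformat(drv["time"])
        for svc in stops:
            if svc["host"] != drv["host"]:
                continue
            dt = datetime.fromisoformat(svc["time"]) - t0
            if timedelta(0) <= dt <= window:
                hits.append({"host": drv["host"], "driver": drv["ImageLoaded"],
                             "reasons": reasons, "service": svc["Service"],
                             "seconds_after_load": int(dt.total_seconds())})
    return hits


# Constructed sample: host A loads an approved, validly signed driver and
# nothing stops; host B loads a validly signed but unapproved driver and the
# AV service stops 40 s later; host C stops a service with no driver load.
SAMPLE_EVENTS = [
    {"event_id": 6, "time": "2024-08-01T09:00:00", "host": "A",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"event_id": 6, "time": "2024-08-01T09:05:00", "host": "B",
     "ImageLoaded": r"C:\Users\Public\x.sys",
     "Hashes": "MD5=" + "c" * 32 + ",SHA256=" + "d" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"event_id": 7036, "time": "2024-08-01T09:05:40", "host": "B",
     "Service": "Windows Defender Antivirus Service", "State": "stopped"},
    {"event_id": 7036, "time": "2024-08-01T09:30:00", "host": "C",
     "Service": "Windows Defender Antivirus Service", "State": "stopped"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Only host B produces a hit: its driver is validly signed yet still flagged because it is not on the allowlist, and the protected service stopped 40 seconds after the load. Host C's service stop alone is not enough, which keeps routine restarts from firing the rule. In production the allowlist would be generated from a golden image and the events would arrive from Sysmon and the System log through the SIEM rather than from an inline list.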

For instance, Apex One includes behavior monitoring that detects and blocks malicious activity such as unauthorized file modification or irregular memory allocation. Trend Micro's Managed XDR services augment threat and anomaly detection with expert analysis and round-the-clock monitoring across email, endpoints, servers, cloud workloads, and networks.

Enhance the security configurations of endpoints. Enforce stringent access controls, deactivate unnecessary services, and ensure that all systems receive regular patching and updates. Standardize security configurations across devices and conduct routine audits of endpoint settings to identify and rectify vulnerabilities or weaknesses before exploitation occurs.

Deep Security includes an application control feature that allows only verified and authorized applications to run while blocking unauthorized executables. Trend Micro Apex Central enforces the principle of least privilege by ensuring that applications and users are granted only the permissions their functions require.

Trend Micro Vision One Threat Intelligence

To stay abreast of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights through Trend Micro Vision One. Threat Insights helps customers prepare for emerging threats before they materialize, providing details on threat actors, their activities, and their operational tactics. Customers can use this intelligence to proactively harden their environments, mitigate risks, and plan effective responses.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

RansomHub Attacks Escalate: Novel Anti-EDR Ploys Unveiled and Connection to AMADEY Infrastructure

Trend Micro Vision One Threat Insights App

Threat Actor/s: Water Bakunawa

Emerging Threats: RansomHub Ramps Up: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection

Tracking Queries

Trend Micro Vision One Search App

Trend Micro Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this post within their environment.

EDRKILLSHIFT Detection

malName:("*EDRKILLSHIFT*") AND eventName:MALWARE_DETECTION

Additional hunting queries are accessible for Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IoCs):
