How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon, using EDRKillShifter to disable endpoint protection, and employing various evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors, using spear-phishing for initial access. It utilizes tools like NetScan for network reconnaissance and AnyDesk for command and control. The attackers exfiltrate sensitive data using rclone before encrypting files and demanding ransom. The evolving tactics of RansomHub highlight the need for advanced, multi-layered security strategies to protect against modern ransomware threats.

OPENCTI LABELS:

ransomhub, edrkillshifter
