
RansomHub Ransomware Disabling EDR and Antivirus with Multiple Techniques


The Water Bakunawa ransomware group, better known as RansomHub, has been identified behind targeted spear-phishing campaigns that also exploit the Zerologon vulnerability. The group has gained unauthorized access to networks across multiple industries and critical infrastructure sectors and then demanded ransom payments for the release of the data it took.

RansomHub's recent adoption of EDRKillShifter has raised the threat to endpoint security. The tool is built specifically to evade detection and disrupt security processes, which makes it a serious problem for traditional security controls. By dynamically disabling EDR solutions and maintaining persistence, EDRKillShifter has become a formidable adversary for defenders.

Ransomware groups like RansomHub typically gain initial access through exploited vulnerabilities, phishing, or password spraying. In one incident, a compromised user account was the primary entry point, and multiple spear-phishing attempts were detected.

Vision One telemetry also flagged abuse of the Zerologon vulnerability as a possible access vector. That finding points to manipulation of elevation control mechanisms, a sign of malicious activity inside the affected networks.

RansomHub's evasion tactics relied on four malicious batch scripts. 232.bat performed password spraying and disabled Windows Defender; Tdsskiller.bat modified the registry, terminated processes, and disabled Trend Micro's antivirus service; Killdeff.bat was an obfuscated PowerShell script that tampered with Windows Defender settings and attempted privilege escalation; and LogDel.bat altered file attributes, modified RDP settings, and cleared Windows Event Logs to impede forensic analysis.

The deployment of EDRKillShifter was part of a multi-stage attack. The attackers first stole credentials by using Taskmgr.exe to dump LSASS memory, then conducted covert network reconnaissance with NetScan. Lateral movement went over SMB/Windows Admin Shares, AnyDesk served as the command-and-control (C&C) channel, and rclone was used to exfiltrate sensitive files.

A key part of the attack was a binary deployed by EDRKillShifter that encrypts files and deletes VSS snapshots. This ransomware variant derives a unique file extension from the ransom note's filename to mark encrypted files, giving each infection a distinctive fingerprint.
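As an added illustration from the defender's side (not code from the article or from Trend Micro), the following Python maps constructed process- and file-creation events to the techniques described above, so an analyst can see how several individually weak signals on one host combine into something worth escalating. The event lines, the placeholder service name and the rule set are assumptions made for this example.

```python
import re
from collections import Counter

# Regexes keyed by the technique the article attributes to RansomHub's scripts.
# Each is matched against the lower-cased "image | command line or target file"
# text of a single process-creation or file-creation event.
RULES = {
    "known_batch_script": re.compile(r"\b(232|tdsskiller|killdeff|logdel)\.bat\b"),
    "defender_disabled": re.compile(
        r"disableantispyware|disablerealtimemonitoring|set-mppreference"),
    "service_stopped_or_disabled": re.compile(
        r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\b"),
    "event_logs_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog"),
    "vss_snapshots_deleted": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete"),
    "lsass_dump_via_taskmgr": re.compile(r"taskmgr\.exe\s*\|.*lsass.*\.dmp"),
}

# Constructed sample events (not real telemetry); the service name is a placeholder.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | cmd.exe /c C:\Users\Public\232.bat",
    r"C:\Windows\System32\reg.exe | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    r"C:\Windows\System32\sc.exe | sc stop ExampleAVService",
    r"C:\Windows\System32\wevtutil.exe | wevtutil cl Security",
    r"C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /all /quiet",
    r"C:\Windows\System32\Taskmgr.exe | C:\Users\victim\AppData\Local\Temp\lsass.DMP",
    r"C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs -p",
    r"C:\Windows\explorer.exe | explorer.exe",
]

def classify(event: str) -> set[str]:
    """Return the set of article-described techniques one event matches."""
    text = event.lower()
    return {name for name, rx in RULES.items() if rx.search(text)}

def scan(events) -> Counter:
    """Count matching events per technique across a host's event stream."""
    hits = Counter()
    for event in events:
        hits.update(classify(event))
    return hits

def tamper_score(events) -> int:
    """Number of distinct techniques seen; several on one host in a short
    window is the pattern worth escalating, since no single one is conclusive."""
    return len(scan(events))
```

Benign administration can trigger any single rule, which is why the score counts distinct techniques rather than raw hits; in practice the event stream would come from Sysmon or the EDR's own process and file telemetry.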

Given the sophisticated nature of this ransomware group, organizations are advised to strengthen their endpoint protection, implement driver- and kernel-level protections, enforce credential security, enable behavioral monitoring, harden endpoint configurations, and remain vigilant with the latest threat intelligence.

In conclusion, the Water Bakunawa ransomware group’s utilization of EDRKillShifter highlights the evolving landscape of cyber threats, underscoring the importance of proactive cybersecurity measures to combat such malicious actors effectively.
