Thursday, May 1, 2025

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR


RansomHub has recently employed a novel attack method using TDSSKiller and LaZagne: TDSSKiller, traditionally used to disable EDR systems, was deployed to compromise network defenses.

Subsequently, LaZagne was used to harvest credentials from compromised systems, which is unprecedented in RansomHub’s operations and was not documented in CISA’s recent advisory. 

The attack sequence began with reconnaissance activities, including admin group enumeration, to identify vulnerable entry points into the target network.


The RansomHub ransomware operators employed TDSSKiller, a legitimate anti-rootkit tool developed by Kaspersky, to compromise system security.


After assessing the system's vulnerabilities and privileges, the attackers used TDSSKiller's capabilities to disable crucial security services, such as the Malwarebytes Anti-Malware Service, by executing a command-line script or batch file. The aim was to create a more favorable environment for the ransomware to operate without significant interference from security measures.

disabling EDR software

The attackers executed TDSSKiller with the -dcsvc flag to target MBAMService and attempted to disable this service, likely to interfere with malware protection.

The executable was run from a temporary directory with a randomly generated filename, suggesting an attempt to avoid detection; this is common for malware that tries to evade security measures and gain persistence on the system.

LockBit ransomware gang has been exploiting TDSSKiller’s “-dcsvc” parameter to delete Windows services, effectively removing their registry keys and associated executables, which hinders the ability of security software, such as Windows Defender Antimalware Client, to detect and mitigate the ransomware attack. 

By targeting specific services, the attackers can disrupt critical system functions and increase the likelihood of successful data encryption.
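The two behaviours described above (the -dcsvc switch aimed at a security service, and the binary launched from a temporary directory under a random name) can be turned into a simple detection. The following is an added example, not code from the article or from ThreatDown; the log format, field names, service list and temp-directory markers are all assumptions, and the sample records are constructed.

```python
import re

# MBAMService is the service named on the page; WinDefend is an assumed second
# entry for Windows Defender. Extend this set to match local security tooling.
PROTECTED_SERVICES = {"mbamservice", "windefend"}
# Path fragments treated as "temporary directory" (assumed list).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def dcsvc_targets(cmdline):
    """Return the service names passed to -dcsvc, lower-cased (switch may repeat)."""
    return {m.lower() for m in re.findall(r'-dcsvc\s+"?([^\s"]+)', cmdline, re.I)}


def assess(line):
    """Return a list of finding tags for one record (empty list if nothing matched)."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    findings = []
    hit = dcsvc_targets(cmd) & PROTECTED_SERVICES
    if hit:
        findings.append("dcsvc_against_security_service:" + ",".join(sorted(hit)))
    if any(marker in image for marker in TEMP_MARKERS) and "-dcsvc" in cmd.lower():
        findings.append("dcsvc_from_temp_dir")
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate use: operator runs the tool from its install path, no -dcsvc.
    'Image=C:\\Tools\\TDSSKiller.exe|CommandLine="C:\\Tools\\TDSSKiller.exe" -l report.txt|User=CORP\\admin',
    # The pattern from the page: random filename in a temp dir, -dcsvc MBAMService.
    'Image=C:\\Windows\\Temp\\a1b2c3d4.exe|CommandLine=a1b2c3d4.exe -dcsvc MBAMService|User=CORP\\svc',
    # Deleting a non-security service from a temp dir: only the location rule fires.
    'Image=C:\\Windows\\Temp\\x.exe|CommandLine=x.exe -dcsvc Spooler|User=CORP\\svc',
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        print(assess(rec) or "clean", "<-", parse_event(rec)["CommandLine"])
```

Matching on the command-line switch rather than on the file hash catches the renamed copy the page describes, which a hash blocklist for TDSSKiller.exe would miss.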

Process Graph

TDSSKiller.exe is a malicious executable file whose SHA-256 hash, MD5 hash, and file size are unique identifiers that can be used to detect and block it.

The file is likely part of the TDSS rootkit, which is known for its advanced anti-detection techniques and ability to compromise computer systems; it is important to take immediate action to remove this file from the system and prevent further damage.

With security tooling compromised, RansomHub attempted to deploy LaZagne, a credential-harvesting tool, to extract sensitive database credentials. Its execution resulted in 60 file writes, likely storing harvested credentials, and 1 file deletion, potentially to cover up traces.

Accessing database credentials could have granted RansomHub significant control over critical infrastructure and facilitated privilege escalation within the compromised network.

Process Graph

The provided information indicates the presence of a potentially malicious executable file named "LaZagne.exe", which has a SHA-256 hash of 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486, a file size of 9.66 MB, and an MD5 hash of 5075f994390f9738e8e69f4de09debe6.

Given the file name and the associated hashes, it’s highly likely that this executable is designed to extract credentials from various sources, including web browsers, email clients, and password managers, making it a significant security threat.

ThreatDown flagged both the abused security software (TDSSKiller) and the credential stealer (LaZagne), and recommends the following to improve ransomware defense and tighten EDR posture: limit vulnerable driver usage (such as TDSSKiller, especially when run with suspicious flags) through BYOVD controls.

Network segmentation can also isolate critical systems, preventing attackers with stolen credentials from reaching sensitive data by restricting lateral movement within the network.

Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
