Ransomware Groups Use Shanya Packer Service to Evade Security Software

Multiple prominent ransomware gangs are utilizing a packer-as-a-service platform called Shanya to conceal and deploy malware designed to disable endpoint detection and response (EDR) solutions. This service, which emerged in late 2024, obfuscates malicious payloads using unique encryption and compression to evade antivirus detection. Telemetry data shows its use spreading across several countries, with ransomware groups like Akira, Medusa, Qilin, and Crytox among its confirmed clients.

The Shanya service works by accepting a customer's malicious payload and returning a uniquely packed executable. The final payload is encrypted and hidden within a manipulated copy of a legitimate Windows DLL file, such as shell32.dll. It is decrypted entirely in memory, never writing the malicious code to disk, which further helps avoid detection. The packer also includes anti-analysis techniques that cause crashes in debugging environments.

Ransomware operators use these packed payloads, often delivered via DLL side-loading with a legitimate Windows executable, to deploy EDR-killing tools. These tools typically involve a combination of a legitimate but vulnerable signed driver for privilege escalation and a malicious unsigned driver to disable security processes. The user-mode component scans for a hardcoded list of security products and services, issuing commands to terminate them. Beyond ransomware, the Shanya packer has also been observed in campaigns distributing other malware like CastleRAT.
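The side-loading pattern above (a manipulated copy of a system DLL such as shell32.dll loaded by a legitimate executable from a non-system directory) can be hunted for in image-load telemetry. The following is an added detection example, not code from the original report or from any vendor; it assumes Sysmon Event ID 7 style fields and uses constructed sample events.

```python
from pathlib import PureWindowsPath

# DLL names the text says are copied and manipulated to carry the packed payload.
# Assumption: only shell32.dll is named on the page; extend the set as needed.
SYSTEM_DLL_NAMES = {"shell32.dll"}
# Directories where a genuine copy of such a DLL is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_event(line):
    """Parse a constructed key=value line modelled on Sysmon Event ID 7 (Image loaded).
    Sample paths contain no spaces, so a simple whitespace split is sufficient here."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)

def is_sideload_candidate(event):
    """Flag a system-DLL name loaded from outside the system directories, or a copy whose
    Authenticode signature no longer validates (a manipulated copy cannot keep it intact)."""
    if event.get("EventID") != "7":
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() not in SYSTEM_DLL_NAMES:
        return False
    parent = str(loaded.parent).lower()
    outside_system_dir = not parent.startswith(SYSTEM_DIRS)
    signature_broken = event.get("SignatureStatus", "").lower() != "valid"
    return outside_system_dir or signature_broken

def find_sideloads(lines):
    """Return (loading process, DLL path) for every event that matches the heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload_candidate(ev):
            hits.append((ev.get("Image", "?"), ev["ImageLoaded"]))
    return hits

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true SignatureStatus=Valid",
    r"EventID=7 Image=C:\Users\Public\tool\legit.exe ImageLoaded=C:\Users\Public\tool\shell32.dll Signed=false SignatureStatus=Unavailable",
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\user32.dll Signed=true SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-loaded system DLL: {image} loaded {dll}")
```

Only the second sample event is reported: a shell32.dll copy loaded from a user-writable directory with no valid signature, while the genuine System32 copy and an unrelated DLL are ignored.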
