Masks, Monsters, and Drivers: Unpacking the Deception of Chaos, Kraken, and DeadLock
2026-04-17, Amphitheater

The modern Ransomware-as-a-Service (RaaS) ecosystem has evolved beyond simple file encryption into a complex landscape of psychological operations, identity deception, and aggressive defense evasion. This presentation provides a comparative technical analysis of three emerging threats—Chaos, Kraken, and DeadLock—to demonstrate how threat actors are prioritizing misattribution and anti-forensics to outmaneuver defenders.
First, I will talk about the "Identity Deception" trend and examine the new Chaos ransomware, which deliberately adopts the name of an older, unrelated malware builder to confuse attribution efforts, masking its true links to the BlackSuit (Royal) cartel. Parallel to this, I will demonstrate the analysis and TTPs of the Kraken RaaS, a group that has risen from the ashes of the HelloKitty cartel, leveraging its predecessor's brand while introducing unique cross-platform capabilities and performance benchmarking.
Second, I will pivot to the "Defense Evasion" trend, utilizing exclusive insights into the DeadLock ransomware. Unlike groups focusing solely on branding, DeadLock illustrates the resurgence of "Bring Your Own Vulnerable Driver" (BYOVD) attacks. I will detail how the DeadLock operators use a loader named "EDRGay" to exploit a specific vulnerability (CVE-2024-51324) in the Baidu Antivirus driver, disguised with the file name DriverGay.sys, to terminate EDR and antivirus processes at the kernel level, clearing the path for a custom stream cipher encryption that utilizes time-based keys.
In this presentation, I will also discuss the attacker’s commands at each stage of the attack chains that enable them to achieve their objectives in the Chaos, Kraken, and DeadLock attacks. Finally, I will conclude the talk with a recommendation for defenders to focus on robust intelligence and strengthening endpoint security.

Chetan Raghuprasad is a cyber threat researcher with Cisco Talos, focusing on hunting and researching the latest threats in the cyber threat landscape and generating actionable intelligence. He seeks to uncover threat actors’ tactics, techniques, and procedures by reversing and analyzing the threats. Chetan also publicly represents Cisco Talos by writing blogs and talking at cybersecurity conferences worldwide.
Chetan Raghuprasad has 16 years of professional experience with expertise in threat research and malware analysis, cyber incident response, and digital forensic analysis. He has worked in technology, consulting, and financial institutions. He is a CISSP-certified and SANS-certified Digital Forensic Examiner, Malware Reverse Engineer and Cyber Threat Intelligence researcher.