TDSSKiller is a portable, free utility used to detect and remove advanced rootkits and bootkits that hide from standard antivirus software. It scans memory, system services and boot sectors, allowing users to cure, quarantine or delete malicious items.

However, recent threat intelligence indicates that multiple ransomware operators are abusing TDSSKiller tools to disable security products before deploying ransomware or performing data exfiltration.

Threat Overview

Observed Abuse

Attackers have been leveraging the TDSSKiller to terminate security product services and processes prior to launching payloads. Various threat actors have been confirmed to use TDSSKiller in their ransomware campaigns, including 

• Gentlemen
• Lockbit

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving TDSSKiller, where it was used to neutralize defences, thereby enabling:

• Ransomware deployment
• Data exfiltration
• Secondary malware deployment

Current Status

• TDSSKiller dropper and driver both currently have a good reputation, which allows it to execute due to reputation-based trust.
• Despite its benign reputation, TDSSKiller is actively used by attackers to disable security product layers.

Blocking Implementation

1. 1. TDSSKiller will be blocked statically using the VID/sig/signature: Hacktool.TDSSKiller.
   2. Reputation-based changes and SDS blocking will extend protection to CB (Carbon Black)

 If the tool is to be used, provide instructions to exclude the TDSSKiller detections using:

• Hash-based exclusion, or
• VID (Hacktool.TDSSKiller ) exclusion