
Ransomware Gangs Now Use Shanya EXE Packer to Evade EDR

Originally published on: December 10, 2025
Summary

– Multiple ransomware groups are using a packer-as-a-service platform called Shanya to obfuscate their malicious payloads and evade security detection.
– The Shanya service, which emerged in late 2024, packages payloads with unique encryption and inserts them into a memory-mapped copy of a legitimate Windows DLL file to avoid disk detection.
– A key function of Shanya-packed payloads is to disable endpoint detection and response (EDR) tools by triggering crashes in debuggers and deploying malicious drivers to kill security processes.
– Ransomware gangs like Medusa, Qilin, Crytox, and Akira have used Shanya, with campaigns observed in several countries including Tunisia, the UAE, and Nigeria.
– Beyond ransomware, the Shanya service has also been used in other campaigns, such as those deploying the CastleRAT malware, to package threats undetected.

Cybersecurity researchers have identified a significant shift in ransomware tactics, with several prominent threat groups now leveraging a commercial packer service called Shanya to evade endpoint detection and response (EDR) systems. This service, which operates on a pay-for-use model, allows attackers to obscure their malicious code, making it far more difficult for traditional security tools to identify and block ransomware payloads before they can execute. The adoption of this tool underscores a growing trend of cybercriminals outsourcing sophisticated technical functions to improve their operational success.

The Shanya platform functions as a packer-as-a-service. Attackers submit their ransomware or other malicious payloads, and the service returns a wrapped, encrypted, and compressed version. A key selling point is the creation of unique output for each customer, featuring non-standard module loading and a distinct encryption algorithm. This customization helps ensure that each packed file appears different to security scanners, bypassing signature-based detection methods that rely on known patterns.

Since emerging in late 2024, Shanya’s use has expanded geographically. Malware samples protected by this packer have been detected in countries including Tunisia, the United Arab Emirates, Costa Rica, Nigeria, and Pakistan. Among the ransomware gangs confirmed to be using the service are Medusa, Qilin, Crytox, and Akira, with the latter being its most frequent customer.

The technical process involves embedding the encrypted payload into a memory-mapped copy of a legitimate Windows DLL file, typically `shell32.dll`. While the file’s path and structure appear normal, its header and critical sections are overwritten with the decrypted malicious code. Crucially, this decryption and injection process happens entirely in memory, meaning the malicious payload never exists in a readable form on the victim’s disk, further complicating forensic analysis.

A primary function of these Shanya-packed payloads is to disable EDR software. The execution often begins with DLL side-loading, pairing a legitimate Windows executable like `consent.exe` with a malicious, packed DLL. Sophos researchers discovered that the packer itself contains anti-analysis checks, such as calling a system function in an invalid context to trigger crashes under debuggers, which disrupts automated security sandboxes.

Once activated, the payload deploys an “EDR killer” component. This drops two drivers onto the system: a legitimately signed driver from TechPowerUp (`ThrottleStop.sys`) that contains a vulnerability allowing arbitrary kernel memory writes, and an unsigned malicious driver (`hlpdrv.sys`). The signed driver is exploited for privilege escalation, while the malicious driver receives commands to terminate security processes.

The user-mode component scans the system, comparing running processes and installed services against a vast, hardcoded list of security product names. For every match found, it sends a command to the kernel driver to terminate that process or service, effectively blinding the EDR before the ransomware begins encrypting files.
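The two observable steps in the chain above, a legitimate host such as `consent.exe` loading a DLL from outside the system directories and the signed `ThrottleStop.sys` / unsigned `hlpdrv.sys` driver pair entering the kernel, are the kind of behaviour the article's closing advice asks defenders to alert on. The following is an added example (not code from the article, Sophos, or the Bleeping Computer report) that runs those checks over constructed, simplified Sysmon-style records; the field names approximate Sysmon event 7 (image loaded) and event 6 (driver loaded), and the `C:\Users\Public` and `C:\Windows\Temp` paths and the `packed_payload.dll` name are invented for illustration:

```python
"""Behaviour-based checks for the side-loading and driver-pair steps described
in the article, run over constructed Sysmon-style records (not real telemetry)."""
import ntpath
from dataclasses import dataclass

# Directories from which a legitimate Windows host process should load its DLLs.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Legitimate Windows executable the article names as a side-loading host.
SIDELOAD_HOSTS = {"consent.exe"}
# Signed-but-exploitable driver the article names.
KNOWN_VULNERABLE_DRIVERS = {"throttlestop.sys"}


@dataclass
class Alert:
    rule: str
    detail: str


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in a Windows system directory."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_image_load(ev: dict) -> list[Alert]:
    """Event 7: a known side-loading host pulling a DLL from outside the system dirs."""
    host = ntpath.basename(ev["Image"]).lower()
    loaded = ev["ImageLoaded"]
    if host in SIDELOAD_HOSTS and not in_system_dir(loaded):
        return [Alert("dll-sideload", f"{host} loaded {loaded}")]
    return []


def check_driver_load(ev: dict) -> list[Alert]:
    """Event 6: a known vulnerable driver, or any unsigned driver, entering the kernel."""
    name = ntpath.basename(ev["ImageLoaded"]).lower()
    alerts = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        alerts.append(Alert("vulnerable-driver", f"known exploitable driver loaded: {ev['ImageLoaded']}"))
    if not ev.get("Signed", False):
        alerts.append(Alert("unsigned-driver", f"unsigned driver loaded: {ev['ImageLoaded']}"))
    return alerts


def analyze(events: list[dict]) -> list[Alert]:
    """Run the per-event rules, then correlate the two-driver drop the article describes."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 7:
            alerts.extend(check_image_load(ev))
        elif ev["EventID"] == 6:
            alerts.extend(check_driver_load(ev))
    rules = {a.rule for a in alerts}
    if {"vulnerable-driver", "unsigned-driver"} <= rules:
        alerts.append(Alert("byovd-pair", "vulnerable signed driver and unsigned driver loaded on the same host"))
    return alerts


# Constructed sample events (not captured data); paths and the DLL name are invented.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\consent.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},          # benign load
    {"EventID": 7, "Image": "C:\\Users\\Public\\consent.exe",
     "ImageLoaded": "C:\\Users\\Public\\packed_payload.dll"},       # side-loaded DLL
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\ThrottleStop.sys",
     "Signed": True, "Signature": "TechPowerUp"},                    # signed, known vulnerable
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\hlpdrv.sys",
     "Signed": False},                                               # unsigned driver
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": True, "Signature": "Microsoft Windows"},              # benign driver
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

On the sample records the run raises one `dll-sideload` alert, one `vulnerable-driver` and one `unsigned-driver` alert, and then a correlated `byovd-pair` alert because both drivers appeared on the same host. In production the vulnerable-driver list would be a maintained blocklist rather than a single name, and the side-loading rule would carry the full set of Windows binaries known to be abused as hosts, but the structure (per-event rules plus a correlation step) is what lets this fire even when the packed payload itself is never written to disk.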

Beyond ransomware, the Shanya service has also been observed in other campaigns, such as those distributing the CastleRAT malware via ClickFix malvertising. This indicates its utility for a broad range of threat actors seeking to deliver payloads stealthily. The reliance on such commercial packer services highlights the professionalization of the cybercrime ecosystem, where gangs can easily access advanced obfuscation tools to enhance their attacks. Security teams are advised to monitor for the provided indicators of compromise and prioritize behavioral detection strategies that can identify malicious activity even when the initial payload is expertly hidden.

(Source: Bleeping Computer)
