A growing number of ransomware groups are adopting Shanya, a packer-as-a-service platform that enables them to deploy payloads capable of disabling EDR protections on compromised systems.
By leveraging packer technology, threat actors can conceal malicious code, making it far harder for traditional security tools to detect.
First observed in late 2024, the Shanya operation has expanded quickly, with associated malware identified across Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan. Sold on underground forums under the “VX Crypt” brand and developed by an actor using the alias “Shanya”, this packer is now tied to several prominent ransomware activities, including Akira, Medusa, Qilin, and Crytox.
The Dark Order
Ransomware operators rely on disabling EDR tools early in their intrusion chain, and Shanya facilitates this through DLL side-loading. Attackers pair a trusted Windows binary like consent.exe with a Shanya-packed malicious DLL such as msimg32.dll, version.dll, rtworkq.dll, or wmsgapi.dll to execute their payload.
The malicious DLL first loads:
ThrottleStop.sys (rwdrv.sys): a legitimately signed but vulnerable driver used to gain kernel-level privileges, and
hlpdrv.sys: an unsigned driver that disables security tools based on user-mode instructions.
This clearing of defenses directly prepares the system for ransomware execution. In observed cases, the EDR processes are shut down once the drivers load, and Akira ransomware is launched immediately afterwards.
The “Packer-as-a-Service” Model
Instead of needing deep technical expertise, attackers can simply rent or subscribe to the tool. This model delivers:
Broader Access: Even low-skill cybercriminals can deploy sophisticated, obfuscated payloads.
Continuous Updates: The service is likely maintained and upgraded to bypass new EDR protections.
Operational Scale: Attackers can easily integrate Shanya into automated workflows to expand and accelerate their campaigns.
Mitigation Strategies
Defending against kernel-level EDR killers like Shanya requires more than basic signature-based detection. Organisations should adopt a layered approach:
Block Vulnerable Drivers: Enable the Microsoft Vulnerable Driver Blocklist (or your EDR’s equivalent). Specifically block known vulnerable versions of ThrottleStop.sys and monitor for the appearance of suspicious drivers such as hlpdrv.sys.
Monitor consent.exe Activity: Configure SIEM/EDR rules to alert when consent.exe loads unexpected, unsigned, or non-system DLLs.
Enable Tamper Protection: Ensure all endpoint security products have tamper protection enabled to prevent unauthorized service termination.
Watch for Kernel Callback Manipulation: Monitor attempts to unregister or alter kernel callbacks.
Strengthen Endpoint Security: Use a full endpoint protection platform (EPP) with behavioral analysis, exploit prevention, and advanced anti-malware, not just EDR.
Adopt Zero Trust: Verify every user and device attempting to access network resources to limit lateral movement after initial compromise.
Improve Network Segmentation: Isolate critical systems and limit malware propagation across the environment.
Leverage Threat Intelligence: Track emerging threats and evolve TTPs to stay ahead of ransomware operators using tools like Shanya.
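The consent.exe and driver-monitoring rules above, expressed as detection logic over a few constructed, Sysmon-style image-load and driver-load records. This is an added example written for this article, not code from the original post or from any vendor; the record fields (id, image, loaded, signed) are a simplified stand-in for a real telemetry schema, and the name match on ThrottleStop.sys/rwdrv.sys is a triage signal only, since only specific versions are vulnerable.

```python
"""Detection logic for the Shanya side-loading chain: a trusted host such as
consent.exe loading a DLL from outside the system directories, or one of the
drivers named in the chain being loaded. Event format is a constructed
simplification of Sysmon (ID 7 = image load, ID 6 = driver load)."""

# DLL names the article lists as Shanya side-load candidates for consent.exe.
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "rtworkq.dll", "wmsgapi.dll"}
# Drivers the article names; a hash/version check (out of scope here) confirms.
SUSPECT_DRIVERS = {"throttlestop.sys", "rwdrv.sys", "hlpdrv.sys"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def check_image_load(event: dict) -> list[str]:
    """Return alert reasons for one image-load record (empty list = clean)."""
    host, dll = event["image"].lower(), event["loaded"].lower()
    name = dll.rsplit("\\", 1)[-1]
    reasons = []
    if host.endswith("\\consent.exe"):
        if not host.startswith(SYSTEM_DIRS):
            reasons.append("consent.exe running outside a system directory")
        if not dll.startswith(SYSTEM_DIRS):
            reasons.append("consent.exe loaded a DLL outside a system directory")
        if not event.get("signed", False):
            reasons.append("consent.exe loaded an unsigned DLL")
        if name in SIDELOAD_DLLS and not dll.startswith(SYSTEM_DIRS):
            reasons.append(f"known side-load name {name} from a non-system path")
    return reasons


def check_driver_load(event: dict) -> list[str]:
    """Return alert reasons for one driver-load record (empty list = clean)."""
    name = event["loaded"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if name in SUSPECT_DRIVERS:
        reasons.append(f"driver {name} from the Shanya chain loaded")
    if not event.get("signed", False):
        reasons.append("unsigned driver loaded")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run both checks over a record stream; return (loaded path, reasons) hits."""
    checks = {7: check_image_load, 6: check_driver_load}
    hits = []
    for ev in events:
        reasons = checks.get(ev["id"], lambda _e: [])(ev)
        if reasons:
            hits.append((ev["loaded"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed records: one benign load, one side-load, two drivers
    {"id": 7, "image": r"C:\Windows\System32\consent.exe", "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"id": 7, "image": r"C:\Users\Public\consent.exe", "loaded": r"C:\Users\Public\msimg32.dll", "signed": False},
    {"id": 6, "loaded": r"C:\Windows\Temp\hlpdrv.sys", "signed": False},
    {"id": 6, "loaded": r"C:\Windows\System32\drivers\disk.sys", "signed": True},
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(why))
```

The benign record (consent.exe loading version.dll from System32) produces no hit, which is the false-positive case a naive "consent.exe loaded version.dll" rule would trip on.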
You can never be overly cautious; it is far more dangerous to be caught unaware.