Shanya And How Packers-As-A-Service Are Fueling Ransomware Attacks
Over the past year, security researchers have spotlighted a growing menace in the ransomware ecosystem: a packer-as-a-service known as Shanya. Its rise shows how modern attackers outsource core parts of their workflow, relying on third-party services for obfuscation and for disabling endpoint detection and response (EDR) products. This lets ransomware operators deploy payloads more stealthily and reliably.

But Shanya is not alone. Other packer-as-a-service and "loader" platforms, such as HeartCrypt, have played similar roles in the past and continue to do so. Comparing Shanya's emergence with that of others reveals a broader trend. There is now an ecosystem of modular, developer-to-attacker services that lower the technical bar for sophisticated malware deployment.
Shanya first appeared toward the end of 2024, when underground forum postings advertised a new "VX Crypt" service offering. The sellers claimed Shanya delivered a custom wrapper (or "stub") to pack malware. Each customer received a relatively unique stub, with a unique encryption algorithm.
Promised features included non-standard module loading into memory and bypassing of .NET AMSI protections. They also offered UAC bypass, runtime protection for native and 32-bit payloads, anti-virtual machine and sandbox evasion, and sideloading possibilities.
Early samples of the Shanya crypter were less than impressive from a technical perspective; one even carried the name "shanya_crypter.exe". More recent samples, however, are highly obfuscated: static artifacts have been erased, and in-memory execution has become the norm.
Researchers at Sophos have dissected Shanya-packed executables and documented several advanced techniques. First, Shanya allocates a configuration table in memory and hides its pointer in a field of the process environment block (PEB), specifically in the GdiHandleBuffer. Later stages invoke a function called getPEB() to read that fixed offset and silently and reliably retrieve the configuration table.
Second, instead of relying on static import tables, Shanya uses "API hashing": it dynamically enumerates exports of loaded modules, hashes function names, and identifies the correct functions at runtime. The custom hashing algorithm itself varies per sample.
Third, Shanya includes anti-analysis and anti-sandbox checks. For instance, it invokes "RtlDeleteFunctionTable" with invalid parameters. If the call is hooked — as is common in many sandbox/EDR analysis environments — the invocation may cause a crash, preventing the payload from executing under analysis tools.
Once those evasive preliminaries succeed, Shanya performs an even more insidious trick: it memory-maps a legitimate Windows DLL (commonly shell32.dll), duplicates it, but then overwrites its header and .text section with the decrypted and decompressed malicious payload. The clean-looking DLL is then loaded via undocumented Windows APIs (LdrLoadDll), allowing the malware to run without ever touching the disk — significantly reducing the chance of detection by conventional antivirus or EDR solutions.
Altogether, this combination of covert in-memory execution, dynamic API resolution, and anti-analysis evasion makes Shanya a powerful tool for attackers seeking to drop and run malicious payloads undetected.
Ransomware Gang Adoption of Shanya
According to reports from both BleepingComputer and Sophos, several high-profile ransomware groups have adopted Shanya for their operations. Confirmed beneficiaries include Medusa, Qilin, Crynox, and Akira.
The use of Shanya is not limited to one region. According to telemetry, artifacts have been observed worldwide, including in Tunisia, the United Arab Emirates, Costa Rica, Nigeria, and Pakistan.
In practice, attackers rarely deploy the core ransomware payload directly. Instead, they deliver a Shanya-packed "EDR killer": a component designed to hunt for and disable security products before the main ransomware payload runs. The delivery vector is typically DLL side-loading: a legitimate Windows executable is run, and the Shanya-packed malicious code, masquerading as a DLL that the executable expects to find, is loaded by it.
Once executed, the EDR killer drops two drivers. One is a legitimately signed driver, ThrottleStop.sys, also known as rwdrv.sys. This driver comes from a legitimate vendor, TechPowerUp, and contains a vulnerability that allows arbitrary kernel memory writes. The other is an unsigned kernel driver, hlpdrv.sys.
The signed driver provides the privilege escalation primitive. The unsigned driver receives "kill" commands from user-mode code to terminate processes or services linked to security products.
The user-mode orchestrator enumerates running processes and installed services, matches them against a large hardcoded list of security tools, and for each match, instructs the kernel driver to kill and/or delete them. The result is an environment stripped of EDR/AV protection, the ideal situation for subsequent ransomware deployment.
Shanya-packed EDR killers have often been observed immediately preceding the deployment of ransomware such as Akira. In other observed cases, Shanya was used to deliver other malware, such as the backdoor known as CastleRAT. One campaign, for example, used a phishing lure themed around a popular travel-booking site.
Once a victim executed a seemingly innocuous file, a PowerShell script fetched and unzipped a malicious archive containing the side-loading components; consent.exe would run, then load the malicious DLL, installing CastleRAT undetected.
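The two delivery chains described above (a relocated consent.exe side-loading a malicious DLL, and the EDR killer dropping the signed-but-vulnerable rwdrv.sys alongside the unsigned hlpdrv.sys) leave endpoint telemetry that a defender can hunt for. The following is an added detection example, not code from the article or from Sophos; the JSON-lines event shape, its field names and the sample events (including the "booking" folder and "payload.dll" name) are constructed for this illustration and do not reflect a real Sysmon schema.

```python
import json
import ntpath

# Constructed sample telemetry in a simplified, Sysmon-like JSON-lines shape.
# Field names ("event", "image", "loaded", "signed") are this example's assumption.
SAMPLE_EVENTS = r"""
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\consent.exe","parent":"C:\\Windows\\System32\\svchost.exe"}
{"event":"ImageLoad","image":"C:\\Windows\\System32\\consent.exe","loaded":"C:\\Windows\\System32\\shell32.dll","signed":true}
{"event":"ProcessCreate","image":"C:\\Users\\bob\\Downloads\\booking\\consent.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"event":"ImageLoad","image":"C:\\Users\\bob\\Downloads\\booking\\consent.exe","loaded":"C:\\Users\\bob\\Downloads\\booking\\payload.dll","signed":false}
{"event":"DriverLoad","image":"C:\\Windows\\Temp\\rwdrv.sys","signed":true}
{"event":"DriverLoad","image":"C:\\Windows\\Temp\\hlpdrv.sys","signed":false}
"""

# Driver names taken from the article: rwdrv.sys/ThrottleStop.sys is signed but
# exploitable; hlpdrv.sys is the unsigned driver that receives the kill commands.
VULNERABLE_SIGNED_DRIVERS = {"rwdrv.sys", "throttlestop.sys"}
KILLER_DRIVERS = {"hlpdrv.sys"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(path):
    """True when the path lies inside a trusted Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return (rule_name, artifact) pairs for events matching the Shanya delivery chain."""
    findings = []
    for ev in events:
        kind = ev["event"]
        name = ntpath.basename(ev["image"]).lower()
        if kind == "DriverLoad":
            if name in VULNERABLE_SIGNED_DRIVERS:
                findings.append(("byovd_vulnerable_driver", ev["image"]))
            elif name in KILLER_DRIVERS or not ev.get("signed", True):
                findings.append(("unsigned_driver", ev["image"]))
        elif kind == "ProcessCreate" and name == "consent.exe" and not in_system_dir(ev["image"]):
            # A copy of a signed Windows binary running from a user directory is the
            # side-loading setup: the executable itself is clean, its location is not.
            findings.append(("relocated_system_binary", ev["image"]))
        elif kind == "ImageLoad" and name == "consent.exe":
            loaded = ev["loaded"]
            if loaded.lower().endswith(".dll") and not in_system_dir(loaded):
                findings.append(("dll_sideload", loaded))
    return findings


def run_sample():
    return analyze(parse_events(SAMPLE_EVENTS))
```

Running `run_sample()` on the constructed events reports the relocated consent.exe, the DLL it side-loads, the vulnerable signed driver and the unsigned driver, while the legitimate consent.exe activity from System32 produces no finding.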
The popularity of Shanya reflects a broader shift in malware deployment methods. Instead of creating bespoke obfuscation, loading, and EDR-disabling code themselves, a complicated and error-prone process, attackers now often outsource these steps.
Many groups rely on specialized "packer-as-a-service" providers. Attackers upload a payload, such as a DLL, binary, or driver, and receive a Shanya-wrapped version tuned for stealth, sandbox evasion, and side-loading, ready to deploy with minimal effort.
Because each Shanya payload utilizes a unique stub and encryption scheme, and because the malware resides only in memory during execution (i.e., diskless), signature-based detection becomes significantly less effective. The dynamic loader, API hashing, PEB tricks, and anti-analysis measures combine to defeat static scanning, sandbox detection, and many heuristic tools.
For ransomware operators, the benefits of more reliable deployment, a better chance of bypassing security controls, and less engineering effort per campaign are hard to ignore. For defenders, the implications are serious. The modularization of "packers" and "EDR killers" makes advanced attacks accessible to less-skilled actors, enabling ransomware groups to rapidly scale their operations. Many security researchers now warn that such packer-as-a-service offerings will remain a persistent problem for the foreseeable future.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.