What’s Fueling the Ransomware Epidemic?

Less than two months into 2024, we have seen an explosion of dual-use tools exploited in ransomware attacks. Dual-use tools are legitimate software tools created to perform specific business and IT functions, but, instead, are installed and employed by attackers to help commit ransomware attacks. While most active ransomware groups have exploited some dual-use tools in the past, the sheer number of tools being used now has grown exponentially. 

This rapid expansion of dual-use tools in ransomware attacks underscores the role that legitimate software abuse plays in fueling the ransomware epidemic. As we revealed in our recent report, “2024 Ransomware Threat Landscape,” attackers are increasingly using legitimate software, also known as “Living Off the Land (LOTL)” software throughout ransomware attacks to purposely minimize their dependence on malware. In fact, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Center (NSC-UK) now have joined together to help defenders better identify and protect against these attacks with the publication of a new report, “Identifying and Mitigating Living Off the Land Techniques.” 

In another white paper, “Advances in Endpoint Security,” Dave Gruber, Principal Analyst Enterprise Strategy Group (ESG) writes, “More than half of security leaders (52%) reported to ESG that security operations are more challenging than they were two years ago, fueled by a growing and changing attack surface alongside a rapidly changing threat landscape. This includes an increased use of LOTL tools.”   

And the risks posed by LOTL and dual-use tools extend far beyond ransomware. As CISA, the FBI, NCSC and the NSA recently revealed, nation-state actors often use these techniques to evade detection. For example, BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products.

LOTL vs. Dual-Use Tool-Based Attacks   

The majority of LOTL tools are legitimate software already installed on a device and often a component of Windows such as PowerShell, WMI and Vssadmin. Based on our analysis, most ransomware groups have predefined methods to use these LOTL tools in their arsenal. In contrast, dual-use tools are widely used legitimate software packages that are often introduced by attackers onto targeted networks. Remote desktop/remote administration software is the most commonly abused dual use category, employed to control endpoints in place of deploying malware. In fact, the LockBit ransomware group recently made news when it took advantage of remote monitoring and management software to spread its foothold in targeted networks.

Other popular dual-use tools that we have observed in ransomware attacks include:

• PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool is primarily used by attackers to move laterally on victim networks.
• NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovery of host names and network services.
• AdFind: A publicly available tool that is used to query Active Directory. It has legitimate uses, but is widely used by attackers to help map a network.
• Rclone: Open-source tool that can legitimately be used to migrate content to the cloud, but has been abused by ransomware actors to exfiltrate data from victim machines.
• AnyDesk: A legitimate remote desktop application, which recently suffered its own hack. AnyDesk and similar tools are often used by attackers to obtain remote access to computers on a network. 

In their recent report, CISA accurately sums up the many security challenges defenders are facing when trying to prevent stealth attackers from abusing known “good” tools. “There is a general lack of conventional indicators of compromise (IOCs) associated with LOTL activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.” Traditional security methods are not effective in protecting enterprises from this risk. 

Protecting against the malicious use of legitimate tools that are critical to an organization is a tough problem. Is there an easy solution? We will address this in our next blog.