
In recent years, cybercriminals have increasingly adopted a tactic known as “living off the land” (LotL) to carry out devastating ransomware attacks. This approach involves using legitimate system administration tools and processes to evade detection and execute malicious activities. By leveraging trusted software already present on target systems, attackers can blend in with normal operations and bypass many traditional security controls.
What Are Living Off the Land Attacks?
LotL attacks take their name from the survival technique of foraging and using resources available in the natural environment. In cybersecurity, it refers to threat actors utilizing built-in operating system features, commonly used utilities, and other authorized software to compromise systems and networks.

Image: Cybercriminals sharing tutorials on LotL techniques
Some examples of legitimate tools frequently exploited in LotL attacks include:
- PowerShell
- Windows Management Instrumentation (WMI)
- PsExec
- Remote Desktop Protocol (RDP)
- Task Scheduler
- Windows Scripting Host (WSH)
- Sysinternals tools
- Command-line interfaces
By leveraging these trusted utilities, attackers can perform reconnaissance, move laterally within networks, escalate privileges, exfiltrate data, and deploy ransomware payloads – all while flying under the radar of many security solutions.
Why Are Living Off the Land Tactics Effective?
LotL techniques have several benefits for ransomware operators:
Most antivirus and endpoint detection systems recognize known malware signatures or suspicious binaries, but LotL attacks that use native tools bypass these defenses. Because attackers are not introducing new malicious executables, there are fewer obvious indicators of compromise (IoCs) for analysts to find.
Many system administration tools run with elevated privileges, so attackers who control them can harvest login credentials and escalate permissions. Malicious activity can also be disguised as routine system tasks, allowing long-term, stealthy access.
Attackers also no longer need to develop and deploy custom malware – cutting complexity and potential points of failure. All these factors make LotL tactics appealing for cybercriminals.
Which Ransomware Groups Use Living Off the Land?
Here are two examples of ransomware groups that have used LotL techniques:
Vice Society
Vice Society conducts double extortion attacks on the education and health sectors. One incident saw Vice Society post 500GB of stolen data on the dark web for the Los Angeles Unified School District (LAUSD). The group frequently uses PowerShell scripts and Go-backdoor DLLs to avoid detection by common EDR and security tools. They also deploy ransomware variants including HelloKitty for Linux hosts and Zeppelin for Windows hosts through tools like PsExec.
LockBit
LockBit is a notorious ransomware group that uses LotL techniques extensively. In one real incident, with a ThreatDown MDR client, LockBit attackers used the Nltest command to map out the network topology and find possible lateral movement paths. They then started remote processes using Windows Management Instrumentation Command-line (WMIC) to spread ransomware. LockBit also used Rundll32, a legitimate Windows tool, to execute malicious code embedded in DLL files to avoid detection.
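To make the LockBit chain above concrete from the defender's side, here is an added example (not BlackFog's code and not taken from the incident) that runs simple detection rules over constructed Windows process-creation events and correlates nltest reconnaissance with WMIC remote process creation by the same account. The event field names, hostnames, usernames and the x.dll path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (Sysmon Event ID 1 / Security 4688 style); not real telemetry.
EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "cmd.exe", "image": "nltest.exe",
     "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS01", "user": "jdoe", "parent": "cmd.exe", "image": "nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "WS01", "user": "jdoe", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:"FS02" process call create "cmd.exe /c rundll32 C:\\temp\\x.dll,Start"'},
    {"host": "FS02", "user": "jdoe", "parent": "WmiPrvSE.exe", "image": "rundll32.exe",
     "cmdline": "rundll32 C:\\temp\\x.dll,Start"},
    {"host": "WS02", "user": "svc_backup", "parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign: system DLL, no path
]

# (rule name, image, command-line pattern) for the two LotL steps seen in the incident
RULES = [
    ("lotl_recon_nltest", "nltest.exe", re.compile(r"/(dclist|domain_trusts|dsgetdc)", re.I)),
    ("lotl_wmic_remote_exec", "wmic.exe", re.compile(r"/node:.*process\s+call\s+create", re.I)),
]
SYSTEM_DIR = re.compile(r"^[\"']?c:\\windows\\", re.I)

def classify(ev):
    """Return the rule names one event matches (empty list if it looks benign)."""
    hits = []
    image = ev["image"].lower()
    for name, img, pat in RULES:
        if image == img and pat.search(ev["cmdline"]):
            hits.append(name)
    if image == "rundll32.exe":
        m = re.search(r"rundll32(?:\.exe)?\s+(\S+?)(?:,|\s|$)", ev["cmdline"], re.I)
        dll = m.group(1) if m else ""
        # A DLL loaded by path from outside C:\Windows, or rundll32 spawned by the WMI
        # provider host, is the pattern described for LockBit rather than normal admin use.
        if "\\" in dll and not SYSTEM_DIR.match(dll):
            hits.append("lotl_rundll32_nonsystem_dll")
        if ev["parent"].lower() == "wmiprvse.exe":
            hits.append("lotl_rundll32_wmi_spawned")
    return hits

def correlate(events):
    """Collect per-event hits and escalate any account that both mapped the domain with
    nltest and launched remote processes via WMIC to one high-severity finding."""
    per_user, findings = defaultdict(set), []
    for ev in events:
        for hit in classify(ev):
            per_user[ev["user"]].add(hit)
            findings.append((ev["host"], ev["user"], hit))
    for user, hits in per_user.items():
        if {"lotl_recon_nltest", "lotl_wmic_remote_exec"} <= hits:
            findings.append(("*", user, "HIGH: nltest recon plus WMIC remote execution"))
    return findings
```

On the constructed events the benign rundll32 call from svc_backup produces no finding, while jdoe's activity yields the individual hits and the escalated chain.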
How Can Living Off the Land Be Mitigated?
To prevent LotL attacks, organizations can employ two main strategies:
First, apply the principle of least privilege – grant users and systems only the minimal access needed to perform their roles. This limits attackers' ability to exploit elevated privileges.
Continually reviewing user accounts and system processes to ensure that administrative privileges are granted only when absolutely necessary may also help enforce this principle.
Secondly, implement anti data exfiltration (ADX) measures. Monitoring network traffic can detect irregularities or large transfers of data to external locations that may indicate data exfiltration attempts.
For this purpose, BlackFog is an ideal candidate and provides full ADX capabilities to organizations committed to data protection and prevention-based security policies. Keeping unauthorized data off your network lowers risk while improving compliance and audit outcomes.
If you’re interested, book a free ransomware assessment today to see how we can help strengthen your organization’s security.