In recent years, ransomware groups have evolved from broad, indiscriminate attacks to highly targeted operations that exploit legitimate software to maintain stealth and persistence within enterprise networks. A notable tactic involves the misuse of Remote Access Tools (RATs) such as AnyDesk and Splashtop, enabling attackers to establish and maintain unauthorized access while evading traditional security measures.
The Shift to Targeted Attacks
Historically, ransomware campaigns relied on mass distribution methods, aiming to infect as many systems as possible. According to the reporting summarized here, a marked shift became visible in early 2025: ransomware operators concentrated on specific targets and leaned on legitimate remote access software once inside a network. By hijacking tools that were already installed, or silently installing their own copies, attackers exploit the trust that security controls place in signed installers and signed binaries, gaining durable access without triggering conventional detection mechanisms.
Organizations soon detected unusual remote sessions originating from unexpected locations. Analysts at Seqrite identified that attackers employed credential stuffing and phishing techniques to acquire privileged accounts, subsequently deploying remote access tools to move laterally within networks. This approach allowed threat actors to blend malicious activities seamlessly into routine IT operations, rendering their actions nearly invisible to traditional endpoint protections.
Impact on Victims
The consequences of these sophisticated campaigns have been severe. Victims have reported encrypted file shares, disabled backups, and altered credentials for remote access tools, effectively locking out administrators. High-profile intrusions linked to ransomware variants like LockBit and Black Basta have seen attackers combining the misuse of RATs with file-shredding commands to eliminate forensic evidence, extend their presence within networks, and maximize ransom demands. These incidents have led to significant downtime and data loss, highlighting the critical need to reassess the trust placed in standard IT utilities.
Persistence Tactics Involving Remote Access Tools
A key factor enabling these ransomware operations is the attackers’ ability to maintain persistent control through commonly used remote administration software. Two primary methods have emerged:
1. Hijacking Preinstalled Tools: Attackers enumerate installed applications using Windows Management Instrumentation or PowerShell, then set their own unattended-access password or edit the tool's configuration files so that the existing installation answers to them. This method avoids creating new executables on disk, thereby evading antivirus scans by exploiting trusted executables already whitelisted in enterprise policies.
2. Silent Installation of Remote Access Tools: When targets lack existing remote access utilities, attackers opt for silent installations. Utilizing known installer parameters, they deploy signed binaries with minimal detection:
```powershell
# Silent, start-at-boot installation of AnyDesk using its documented command-line switches
Start-Process -FilePath '.\AnyDesk.exe' -ArgumentList '--install','C:\Program Files (x86)\AnyDesk','--start-with-win','--silent' -NoNewWindow
```
This command installs AnyDesk as a service that launches at startup, providing the adversary with a persistent entry point for subsequent operations. Equivalent switches exist for other installers: `/VERYSILENT` and `/NORESTART` are standard Inno Setup switches accepted by many vendor setup programs, and `/quiet` or `/qn` does the same for MSI packages. All of these are documented in vendor and installer manuals, yet they are seldom monitored by defenders.
Once established, the remote tool runs with elevated privileges if the attackers have escalated, for example by launching it under the TrustedInstaller account with a helper such as PowerRun. Combined with registry run-key manipulation and concealed scheduled tasks, this strategy ensures that even if an incident responder removes one backdoor, alternative access paths remain. This layered persistence model complicates remediation and calls for behavior-based monitoring that flags unusual tool usage rather than relying solely on file signatures.
Case Studies Highlighting the Threat
Several incidents underscore the effectiveness of these tactics:
– RansomHub’s Exploitation of RDP Services: In November 2024, RansomHub ransomware operators compromised an entire corporate network through an exposed Remote Desktop Protocol (RDP) server. They gained access via a password spray attack, escalated privileges, and deployed remote access tools to maintain control and exfiltrate over 2GB of sensitive data before deploying ransomware. ([cybersecuritynews.com](https://cybersecuritynews.com/ransomhub-ransomware-rdp-servers/?utm_source=openai))
– LockBit’s Use of Remote Monitoring Tools: Affiliates of the LockBit ransomware gang have been observed deploying Remote Monitoring and Management (RMM) tools to infiltrate target networks discreetly. By masquerading as legitimate IT activity, they bypass endpoint detection solutions and execute ransomware attacks without raising immediate alarms. ([cybersecuritynews.com](https://cybersecuritynews.com/lockbit-using-remote-monitoring-tools/?utm_source=openai))
Mitigation Strategies
To counter these sophisticated tactics, organizations should implement the following measures:
– Strict Application Whitelisting: Define and enforce policies that allow only approved applications to run within the network, preventing unauthorized software installations.
– Enforce Multi-Factor Authentication (MFA): Require MFA for all remote access tools and privileged accounts to add an additional layer of security against credential-based attacks.
– Monitor Command-Line Arguments: Enable command-line capture in process-creation telemetry (Sysmon Event ID 1, or Windows Event ID 4688 with command-line auditing turned on) and alert on silent-install switches, unattended-access password changes, and remote access tools spawned from scripting hosts such as PowerShell or cmd.exe, so that stealthy persistence is caught before it leads to encryption or data exfiltration.
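The following is an added example, not code from the original article or from any vendor, showing what the command-line monitoring recommended above looks like when run over the silent-install and unattended-access activity described in the persistence section. It scores Sysmon-style process-creation records (fields `Image`, `ParentImage`, `CommandLine`) against AnyDesk's documented CLI switches, common Inno Setup and msiexec quiet flags, and the parent process that launched the tool. The tool name list, the switch list, the scoring weights and the sample events are all assumptions constructed for the example; the threshold is deliberately simple so that a normal interactive install scores below it while a scripted one scores above.

```python
import re

# Assumed watch-list: the tools this article discusses; extend for your estate.
RAT_NAMES = ("anydesk", "splashtop")

# Switches that install or reconfigure a tool with nobody at the console:
# AnyDesk's documented CLI switches, Inno Setup switches and msiexec quiet flags.
SILENT_SWITCHES = {
    "--install", "--silent", "--start-with-win",
    "/verysilent", "/silent", "/norestart", "/sp-", "/suppressmsgboxes",
    "/quiet", "/qn", "/q", "/s",
}

# Parents from which an interactive user rarely launches a remote access tool installer.
SCRIPTING_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path):
    """Last path component, lower-cased, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switches(cmdline):
    """Every whitespace- or comma-separated token, quotes stripped, lower-cased.
    Splitting on commas too means the '-ArgumentList a,b,c' form used by
    Start-Process is matched switch by switch, not as one blob."""
    return {t.strip("\"'").lower() for t in re.split(r"[\s,]+", cmdline) if t}


def mentions_rat(*texts):
    return any(name in text.lower() for name in RAT_NAMES for text in texts)


def analyze(event):
    """Return (score, reasons) for one process-creation record; 0 means not interesting."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if not mentions_rat(image, cmdline):
        return 0, []
    found = switches(cmdline)
    score, reasons = 0, []
    silent = sorted(found & SILENT_SWITCHES)
    if silent:                       # unattended install or reconfiguration
        score += 2 * len(silent)
        reasons.append("unattended-install switches: " + " ".join(silent))
    if "--set-password" in found:    # AnyDesk unattended-access password set non-interactively
        score += 5
        reasons.append("unattended-access password set from the command line")
    if parent in SCRIPTING_HOSTS:    # tool spawned by a script rather than a person
        score += 3
        reasons.append(f"spawned by scripting host {parent}")
    if image in SCRIPTING_HOSTS:     # script whose own command line drives the tool
        score += 3
        reasons.append(f"{image} command line references a remote access tool")
    return score, reasons


def hunt(events, threshold=5):
    """Score every record and return the hits above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = analyze(ev)
        if score >= threshold:
            hits.append({"score": score, "image": basename(ev.get("Image", "")), "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample events (not real telemetry): a benign launch, the scripted
# silent install from the persistence section as seen from both the PowerShell
# parent and the AnyDesk child, a non-interactive password change, and a user
# running a Splashtop streamer installer with Inno Setup quiet switches.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''powershell.exe -NoProfile -Command "Start-Process -FilePath '.\AnyDesk.exe' -ArgumentList '--install','C:\Program Files (x86)\AnyDesk','--start-with-win','--silent' -NoNewWindow"'''},
    {"Image": r"C:\Users\Public\AnyDesk.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\Public\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'},
    {"Image": r"C:\Users\bob\Downloads\Splashtop_Streamer_Windows.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\Splashtop_Streamer_Windows.exe" /VERYSILENT /NORESTART'},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "; ".join(hit["reasons"]))
```

In production the records would come from a SIEM export or `Get-WinEvent` rather than the inline list, and events whose parent is the organization's sanctioned software-deployment agent would be suppressed before scoring so that legitimate mass rollouts do not page the on-call analyst.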
By exploiting trusted remote administration software, ransomware gangs have transformed IT convenience into a potent weapon. Defenders must adapt by implementing stringent security measures and monitoring strategies to detect and prevent these stealthy persistence tactics before they result in significant harm.