LockBit Ransomware Exploits RMM Software to Compromise Networks: The Growing Threat and How to Protect Against It

The LockBit ransomware group has emerged as a formidable threat by leveraging remote monitoring and management (RMM) software to infiltrate targeted networks. This article explores the group’s tactics, highlighting case studies where manufacturers and a managed service provider (MSP) became victims of LockBit’s attacks, leading to further compromises for downstream customers.

Case studies: Manufacturers and MSPs

LockBit’s exploitation of RMM software has been particularly prevalent in the manufacturing sector. In one instance, a home decor manufacturer fell victim to a LockBit attack in February 2022. Researchers from eSentire discovered an affiliate of LockBit with administrative access to an unprotected machine. The attacker attempted to establish persistence and spread throughout the network using the RMM software, specifically the popular tool AnyDesk.

Another company targeted by LockBit was a storage materials manufacturer that relied on the RMM software, ConnectWise. In a June attack, LockBit capitalized on the company’s use of ConnectWise by installing its own instance within the network. This allowed the ransomware group to evade detection and extend its reach, compromising sensitive data and demanding ransom payments.

The trend towards “Living off the Land”

Cybercriminals like LockBit are increasingly adopting the strategy of “living off the land,” which involves avoiding traditional malware for initial access into target networks. This technique allows them to bypass security measures focused on detecting malware and increases their chances of remaining undetected during the infiltration stage. Instead, attackers exploit vulnerable entry points such as unprotected machines or weakly secured RMM software.

Specific Attack Example: Home Decor Manufacturer

During the attack on the home decor manufacturer, LockBit’s affiliate gained admin access to an unprotected machine. By exploiting this entry point, the attacker attempted to establish persistence and spread to other computers using the widely used RMM software, AnyDesk. This highlights the need for organizations to secure their RMM software and implement effective access controls to prevent unauthorized access.

Specific Attack Example: Storage Materials Manufacturer

In the case of the storage materials manufacturer, LockBit targeted the company’s usage of the RMM software ConnectWise. Instead of directly attacking the ConnectWise infrastructure, LockBit took advantage of the network’s reliance on the software. By installing its own instance of ConnectWise within the network, LockBit bypassed existing security measures, enabling the group to freely move laterally and encrypt critical data.

Implications for organizations

The incidents involving LockBit underscore the risks that organizations face when utilizing RMM software without implementing proper security controls. The breach of the MSP in February serves as a stark reminder of the potential impact not only on the organization itself but also on its partners and customers. The MSP’s failure to secure its ConnectWise login panel exposed them to a swift and devastating attack from LockBit.

Lack of Security Controls: Exposing ConnectWise Login Panel

The MSP’s critical mistake of leaving the ConnectWise login panel exposed to the open internet resulted in dire consequences. Within minutes of LockBit’s intrusion, the ransomware group began dropping its malicious binaries on multiple endpoints, rapidly spreading its reach and encrypting valuable data. This emphasizes the urgent need for organizations to implement robust security measures for their RMM tools.

Strengthening defense against RMM abuse

Organizations can protect themselves against the abuse of RMM software by implementing preventive measures. Key recommendations include:

1. Apply multi-factor authentication to RMM tools: By requiring additional verification steps, organizations can prevent unauthorized access and reduce the risk of a successful attack.

2. Implement strict access controls: Ensure that only authorized personnel have access to RMM systems, and regularly review and update access privileges to minimize the chances of unauthorized activity.

3. Regularly update and patch RMM software: Keeping RMM tools up to date with the latest patches and security updates is crucial in preventing vulnerabilities that cybercriminals can exploit.

LockBit ransomware’s utilization of RMM software to infiltrate networks highlights the evolving tactics of cybercriminals. The case studies discussed illustrate the devastating consequences for organizations that fail to secure their RMM tools adequately. By implementing multi-factor authentication, strict access controls, and regular software updates, organizations can fortify their defenses against these attacks and protect their networks, partners, and customers from the growing threat posed by ransomware groups like LockBit.

Explore more

UK’s 5G Networks Lag Behind Europe in Quality and Coverage

In 2025, a digital challenge hovers over the UK as the nation grapples with underwhelming 5G network performance compared to its European counterparts. Recent analyses from MedUX, a firm specializing in mobile network assessment, have uncovered significant discrepancies between the UK’s target for 5G accessibility and real-world consumer experiences. While theoretical models predict widespread reach, everyday exchanges suggest a different

Shared 5G Standalone Spectrum – Review

The advent of 5G technology has revolutionized telecommunications by ushering in a new era of connectivity. Among these innovations, shared 5G Standalone (SA) spectrum emerges as a novel approach to address increasing data demands. With mobile data usage anticipated to rise to 54 GB per month by 2030, mainly due to indoor consumption, shared 5G SA spectrum represents a significant

How Does Magnati-RAKBANK Partnership Empower UAE SMEs?

The landscape for small and medium-sized enterprises (SMEs) in the UAE is witnessing a paradigm shift. Facing obstacles in accessing finance, SMEs now have a lifeline through the strategic alliance between Magnati and RAKBANK. This collaboration emerges as a pivotal force in transforming financial accessibility, employing advanced embedded finance services tailored to SMEs’ unique needs. It’s a partnership set to

How Does Azure Revolutionize Digital Transformation?

In today’s fast-paced digital era, businesses must swiftly adapt to remain competitive in the ever-evolving technological landscape. The concept of digital transformation has become essential for organizations seeking to integrate advanced technologies into their operations. One key player facilitating this transformation is Microsoft Azure, a cloud platform that’s enabling businesses across various sectors to modernize, scale, and innovate effectively. Through

Digital Transformation Boosts Efficiency in Water Utilities

In a world where water is increasingly scarce, the urgency for efficient water management has never been greater. The global water utilities sector, responsible for supplying this vital resource, is facing significant challenges. As demand is projected to surpass supply by 40% within the next decade, water utilities worldwide struggle with inefficiencies and high water loss, averaging losses of one-third