In the ever-evolving landscape of cybersecurity, ransomware remains one of the most insidious threats to businesses worldwide. Today, we’re speaking with Dominic Jainy, an IT professional with deep expertise in artificial intelligence, machine learning, and blockchain, who has been closely following the latest trends in cyber threats. With ransomware gangs now exploiting legitimate software and remote access tools to devastating effect, Dominic offers invaluable insights into how these attacks have evolved, the tactics behind them, and what organizations can do to protect themselves. Our conversation dives into the shift toward targeted campaigns, the misuse of trusted tools, and the profound impact on victims, while exploring actionable strategies for defense.
How have ransomware operators adapted their strategies in recent years, moving from broad malware attacks to more focused, targeted campaigns?
Ransomware operators have undergone a significant transformation in their approach. Initially, they relied on scattershot methods—think mass phishing emails with malicious attachments hoping to catch anyone off guard. Now, they’ve shifted to highly targeted campaigns where they research specific organizations, identify vulnerabilities, and customize their attacks. They’re looking for high-value targets like enterprises with critical data or infrastructure. This shift allows them to maximize impact and ransom demands because they know exactly who they’re hitting and what’s at stake. It’s a move from quantity to quality, focusing on persistence and stealth over sheer volume.
What makes these targeted campaigns more dangerous compared to the older, more opportunistic methods?
The danger lies in the precision and preparation. Unlike the older, opportunistic attacks that might fail against basic defenses, targeted campaigns are tailored to exploit specific weaknesses in an organization’s setup. Attackers often spend weeks or months inside a network, mapping it out and gaining privileged access before striking. This means they can disable backups, encrypt critical systems, and even lock out IT teams. The damage is deeper, and recovery is much harder because they’ve already neutralized many of the safeguards that would help in a less sophisticated attack.
Can you explain why remote access tools like AnyDesk or Splashtop have become such attractive targets for ransomware gangs?
These tools are attractive because they’re legitimate, widely used, and often trusted by security systems. They’re designed for remote administration, which means they inherently have powerful capabilities like file access and system control—exactly what attackers want. Since they’re often whitelisted in corporate environments, their activity doesn’t raise red flags. Plus, many organizations don’t monitor their usage closely, so attackers can install or hijack these tools and operate under the radar, blending in with normal IT activity.
How do attackers manage to install or misuse these tools without immediate detection?
Attackers are clever about staying stealthy. They often use silent installation commands that don’t pop up any user prompts or notifications. For instance, they might deploy a tool with specific flags to install it as a background service that starts automatically. In other cases, they hijack pre-installed tools by modifying configuration files or injecting malicious credentials, avoiding the need to drop new files that antivirus might catch. They also leverage legitimate processes like PowerShell to enumerate what’s already on the system, so their actions look like routine admin work.
How do attackers use legitimate software to bypass traditional security controls in these attacks?
They exploit the trust that security systems place in legitimate software. Many tools come with signed installers, which are digitally verified and thus bypass antivirus or endpoint detection that looks for unsigned or suspicious files. Attackers use these installers as they’re meant to be used, but for malicious purposes. They also mimic normal IT behavior—running commands or accessing systems in ways that don’t deviate from what a legitimate admin might do. This makes it incredibly hard for traditional signature-based defenses to spot anything wrong until it’s too late.
What are some warning signs that organizations might notice when remote access tools are being abused?
One of the biggest red flags is anomalous remote sessions, especially connections coming from unexpected locations or at odd hours. If you see logins from a country where your company doesn’t operate, that’s a huge clue. Other signs include unusual account activity, like privileged accounts being used in ways they typically aren’t, or changes to tool configurations that weren’t authorized. Even subtle things, like a remote access tool running with higher privileges than necessary, can indicate trouble if you’re paying attention.
How can companies detect these red flags early enough to stop an attack from escalating?
Early detection comes down to proactive monitoring. Companies need to keep a close eye on network traffic and login patterns, using tools that can flag geolocation anomalies or unusual session durations. Implementing behavior-based monitoring is key—look for deviations in how tools are used, not just whether they’re present. Regularly auditing privileged account activity and setting up alerts for configuration changes in remote access tools can also catch issues before they spiral. It’s about shifting from a reactive to a preventive mindset.
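The warning signs from the previous two answers (unexpected source country, odd hours, unusual session length, privileged accounts) can be turned into a simple first-pass triage over remote-access session logs. The script below is an added example, not code from the interview or from any vendor's product; the log records, the allowed-country set and the thresholds are constructed placeholders that a real deployment would replace with its own values.

```python
from datetime import datetime

# Constructed sample session records (not real data): start,user,tool,country,minutes,privileged
SESSION_LOG = """\
2024-05-06T09:12:00,jsmith,AnyDesk,US,35,no
2024-05-06T02:47:00,svc_backup,Splashtop,RO,310,yes
2024-05-06T14:05:00,mlee,AnyDesk,US,55,no
2024-05-07T11:30:00,admin,Splashtop,US,600,yes
2024-05-07T23:58:00,jsmith,AnyDesk,BR,20,no
"""

ALLOWED_COUNTRIES = {"US", "CA"}   # where this (hypothetical) company operates
BUSINESS_HOURS = (7, 19)           # sessions starting outside 07:00-19:00 are odd hours
MAX_SESSION_MINUTES = 240          # longer than this counts as an unusual duration


def parse_sessions(text):
    """Turn the CSV-style records into dicts, one per session."""
    sessions = []
    for line in text.strip().splitlines():
        ts, user, tool, country, minutes, priv = line.split(",")
        sessions.append({"start": datetime.fromisoformat(ts), "user": user,
                         "tool": tool, "country": country,
                         "minutes": int(minutes), "privileged": priv == "yes"})
    return sessions


def score_session(s):
    """Return the red flags for one session; an empty list means it looks routine."""
    reasons = []
    if s["country"] not in ALLOWED_COUNTRIES:
        reasons.append("unexpected source country %s" % s["country"])
    if not BUSINESS_HOURS[0] <= s["start"].hour < BUSINESS_HOURS[1]:
        reasons.append("outside business hours (%02d:00)" % s["start"].hour)
    if s["minutes"] > MAX_SESSION_MINUTES:
        reasons.append("unusually long session (%d min)" % s["minutes"])
    # Privilege by itself is not a flag, but it raises the severity of any other flag.
    if reasons and s["privileged"]:
        reasons.append("privileged account involved")
    return reasons


def flag_sessions(text):
    """Return (user, tool, reasons) for every session that triggered at least one flag."""
    flagged = []
    for s in parse_sessions(text):
        reasons = score_session(s)
        if reasons:
            flagged.append((s["user"], s["tool"], reasons))
    return flagged
```

Running `flag_sessions(SESSION_LOG)` flags the overnight foreign session from the backup service account, the ten-hour admin session, and the late-night jsmith login from an unexpected country, while the two routine daytime sessions pass through silently.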
What are the common ways attackers gain access to privileged accounts to deploy these tools in the first place?
Attackers often start with tried-and-true methods like phishing and credential stuffing. Phishing tricks employees into handing over login details through fake emails or websites, while credential stuffing uses stolen passwords from other breaches to try and access accounts, banking on password reuse. Once they have a foothold, they escalate privileges through vulnerabilities or by exploiting weak access controls. These initial entry points are often the weakest link, especially if multi-factor authentication isn’t enforced across all accounts.
Can you describe the kind of impact these ransomware campaigns are having on businesses that fall victim?
The impact is often catastrophic. Businesses face encrypted file shares, meaning critical data is locked away until a ransom is paid—if it’s even recoverable. Attackers also disable backups to cut off recovery options and sometimes change credentials for remote access tools to lock out legitimate admins. Beyond the technical damage, there’s significant downtime, which halts operations and costs money. The financial hit includes not just the ransom, if paid, but also recovery efforts, lost productivity, and sometimes reputational damage that can linger for years.
Some ransomware groups are pairing remote access tool abuse with other destructive tactics. Can you shed light on what they’re doing?
Absolutely, groups like LockBit and Black Basta are getting more ruthless. Beyond using remote access tools for entry and persistence, they’re employing file-shredding techniques to destroy data and erase forensic evidence. This not only makes recovery harder but also extends their dwell time in the network, giving them more leverage to demand higher ransoms. They’re layering multiple tactics—encryption, data destruction, and access denial—to create a perfect storm of disruption that pressures victims into paying up.
What is your forecast for the future of ransomware tactics, especially regarding the abuse of legitimate tools?
I think we’re going to see ransomware gangs double down on abusing legitimate tools because it’s a strategy that works so well against traditional defenses. As organizations catch on, attackers will likely pivot to even more obscure or niche software that’s still trusted but less monitored. We might also see them integrating AI to automate target selection and optimize their use of these tools for stealth and efficiency. On the flip side, I expect defenders to push harder for behavior-based detection and zero-trust models, but it’s going to be a cat-and-mouse game for the foreseeable future.
