Modern ransomware operations have transitioned from rudimentary opportunistic attacks to intricate, multi-stage campaigns that leverage legitimate Remote Access Tools (RATs). This evolution allows adversaries to maintain stealth and persistence while systematically dismantling organizational defenses. Ransomware remains one of the most disruptive cyber threats, encrypting critical data and demanding ransom payments for restoration. Unlike early campaigns that relied on mass phishing or opportunistic malware distribution, today’s ransomware operations are highly targeted and sophisticated.
Adversaries are increasingly exploiting trusted administrative software such as AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy devastating payloads across enterprise networks. These attackers do not merely infect machines; they move laterally across networks, harvest credentials, neutralize defenses, and maintain persistent control—all while evading detection.
The Remote Access Tools mentioned are legitimate software products designed for IT administration and remote support. However, when misconfigured, poorly managed, or left unmonitored, they can be misused in ransomware campaigns. It is important to clarify that the tools themselves are not inherently vulnerable or malicious. A key enabler of these attacks is the exploitation of legitimate RATs, which are often easy to deploy, widely trusted, and frequently whitelisted in enterprise environments. These tools provide:
- Unattended access: Connect without user interaction.
- File transfer: Move binaries or exfiltrate data.
- Interactive desktop control: Execute administrative tasks remotely.
- Encrypted communications: Evade network monitoring.
Organizations often trust the digital signatures of Remote Access Tools, which attackers exploit to bypass security controls and persist stealthily. Understanding how these tools can be abused is critical for building effective defenses against modern ransomware threats.
The Ransomware Kill Chain
The ransomware kill chain outlines each stage of an attack, from initial access to final impact. When attackers leverage legitimate Remote Access Tools, they gain stealth, persistence, and control, making detection and mitigation more challenging. Understanding each stage of the kill chain is essential for defenders, as it helps in recognizing attack patterns early and building stronger, layered defenses to thwart attackers.
Stage 1: Initial Access – Credential Compromise
Attackers gain legitimate access using stolen or brute-force credentials, bypassing defenses while masquerading as trusted users. Targeting administrator accounts provides maximum control and enables subsequent stages like Remote Access Tool deployment and lateral movement.
Common Attack Pathways:
- Brute-force attacks against RDP/SMB endpoints.
- Credential reuse from leaks or past breaches.
- Targeting administrator accounts for maximum privileges.
Detection Indicators:
- Windows Event IDs 4625 → 4624 (multiple failed logins immediately followed by success).
- RDP logon type 10 at unusual hours.
- Logins from unexpected geolocations.
Stage 2: Remote Tool Abuse – Hijacking vs. Silent Installation
After gaining access, attackers focus on deploying Remote Access Tools for stealthy persistence. They can either hijack an existing Remote Access Tool to avoid detection or perform a silent installation using signed installers with minimal footprint.
Method 1: Hijacking Existing Remote Access Tools
- Enumerate installed Remote Access Tools via WMI, registry, or PowerShell.
- Add attacker credentials or modify access configurations.
- Avoid creating new files or processes, reducing detection risk.
Method 2: Silent Installation of Remote Access Tools
Deploy lightweight, signed installers without user interaction using silent install flags like /S, /VERYSILENT, /quiet, /NORESTART.
| Remote Tools | Commands | Purpose / Effect |
|---|---|---|
| AnyDesk | anydesk.exe --install "C:ProgramDataAnyDesk" --silent --start-with-win |
Persistent remote access service |
| UltraViewer | UltraViewer_Setup.exe /VERYSILENT /NORESTART |
Install quietly with no reboot |
| AppAnywhere | msiexec /i AppAnywhere.msi /quiet /norestart |
Enterprise-style silent deployment |
| RustDesk | rustdesk.exe --service install --password "Str0ngPass123" |
Enables unattended remote access |
| CloneDesk | CloneDesk_Setup.exe /S /D=C:ProgramDataCloneDesk |
Minimal footprint installation |
| Splashtop | Splashtop_Streamer.exe /s /i silent=1 precheck=0 confirm=0 |
Quiet, enterprise deployment |
| TightVNC | tightvnc-setup.exe /S /NORESTART |
CLI-driven hidden installation |
Stage 3: Persistence & Privilege Consolidation
Attackers leverage registry run keys, hidden scheduled tasks, and configuration file modifications to maintain persistence. Privilege escalation is achieved using tools like PowerRun or TrustedInstaller, allowing Remote Access Tools to run with SYSTEM privileges and bypass user-level restrictions.
Mechanisms:
- Registry Run Keys:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun - Scheduled Tasks: Hidden tasks to auto-restart Remote Access Tools.
- Configuration Files: Modify config.toml (RustDesk) for unattended access.
- Privilege Escalation: Launch Remote Access Tool as SYSTEM using PowerRun or TrustedInstaller.
Stage 4: Antivirus Neutralization & Anti-Forensics
Using Remote Access Tools, attackers can interactively stop antivirus services, manipulate group policies, and add Remote Access Tool directories to exclusion lists. Critical logs are cleared, and file shredding tools are employed to remove forensic evidence, complicating post-incident investigations.
Techniques:
- Stop Antivirus services:
sc stopornet stop - Policy manipulation: Add Remote Access Tool directories to exclusions.
- Log clearing: Adversaries often use commands such as:
wevtutil cl Securitywevtutil cl Systemwevtutil cl Application
- File shredding: Remove forensic artifacts.
Stage 5: Payload Deployment & Execution
Attackers stop antivirus services, modify security policies, disable recovery mechanisms, clear event logs, and shred sensitive files to evade detection and hinder forensic investigations. They may also tamper with backup solutions, disable shadow copies, and utilize Living-off-the-Land Binaries (LOLBins) like rundll32 or PowerShell to blend malicious actions with legitimate processes. Ransomware is delivered through Remote Access Tool channels, often disguised as trusted updates or administrative actions, and executed within existing remote sessions to bypass user suspicion and security monitoring.
Real-World Campaign Examples
Below are commonly abused Remote Access Tools leveraged by adversaries in ransomware campaigns for persistence, deployment, and lateral movement:
| Remote Access Tool | Associated Ransomware Campaigns |
|---|---|
| AnyDesk | TargetCompany, D3adCrypt, Makop, Mallox, Phobos, LockBit 2.0, LockBit 3.0, LockBit 2025 Renegade, Beast, Dharma, Proton/Shinra, MedusaLocker |
| UltraViewer | Beast, CERBER, Dharma (.cezar Family), GlobeImposter 2.0, LockBit 3.0, Makop, Phobos, SpiderPrey, TargetCompany |
| AppAnywhere | Makop, Ryuk, D3adCrypt, Dharma |
| RustDesk | Mimic, LockXXX, Dyamond, D3adCrypt, Makop |
| Splashtop | Makop, BlueSky, RansomHub, Proxima |
| TightVNC | Cerber 4.0/5.0 |
Understanding the tactics, techniques, and procedures (TTPs) used by adversaries is crucial for defending against Remote Access Tool-driven ransomware campaigns. By mapping these activities to the MITRE ATT&CK framework, security teams can visualize how attackers gain access, deploy tools, maintain persistence, escalate privileges, and ultimately deliver impactful payloads.
| Stages | Technique | MITRE ATT&CK Sub-Technique ID | Observations |
|---|---|---|---|
| Initial Access | Brute Force | T1110.001 | Targeting RDP/SMB endpoints to gain initial access |
| Tool Deployment | Ingress Tool Transfer | T1105 | Remote access utilities transferred for execution |
| Execution | Remote Services | T1021.001 | Remote sessions used to execute payloads |
| Persistence | Registry Run Keys | T1547.001 | Registry keys created/modified for tool persistence |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548.002 | Elevation of privileges observed to run tools with SYSTEM rights |
| Defense Evasion | Impair Defenses | T1562.001 | Security services disabled, logs cleared |
| Lateral Movement | Remote Services | T1021.001 | Remote services abused to move across endpoints |
| Impact | Data Encrypted for Impact | T1486 | Tools leveraged to deploy ransomware and encrypt data |
Emerging Trends & Future Threats
As ransomware operators evolve, new tactics are emerging that expand beyond traditional on-premise exploitation. These trends highlight how attackers are combining automation, cloud abuse, and RaaS ecosystems to maximize the scale and stealth of their operations:
- AI-driven Remote Access Tool deployment: Automated decision-making for payloads.
- Cloud Remote Access Tool abuse: Exploiting cloud-based remote access portals.
- RaaS integration: Remote Access Tools embedded in ransomware-as-a-service offerings for enterprise campaigns.
- Multi-stage attacks: Initial Remote Access Tool compromise followed by secondary payloads (data exfiltration, cryptojacking, lateral ransomware).
Comprehensive Defense Strategy
Ransomware actors may attempt to weaponize trusted tools, but comprehensive security solutions are built with multiple layers of defense to thwart them. By combining real-time monitoring, self-protection, and advanced behavioral detection, modern security platforms ensure that attackers cannot easily disable security measures or slip past unnoticed.
Core Protection Layers:
- Virus Protection: Actively detects and neutralizes trojanized installers or hidden payloads before they can execute.
- Antivirus Self Protection: Prevents attackers from forcefully terminating or uninstalling security services.
- Behavior-Based Detection: Monitors for abnormal activities linked to ransomware, such as mass file changes or suspicious process launches.
- Ransomware Protection: Blocks unauthorized encryption attempts in real time, cutting off the attack before data is locked.
- Application Control: Restricts the use of unauthorized remote tools, ensuring only trusted applications are allowed to run.
Legitimate IT tools can easily become hidden attack vectors when mismanaged, and Remote Access Tool abuse is now a critical enabler of next-generation ransomware. To counter this risk, enterprises need a layered approach that combines governance, monitoring, and rapid response. Modern security solutions play a central role in this defense strategy, providing strong antivirus protection, behavioral detection, and anti-ransomware measures. When paired with strict governance and incident response, organizations can stay ahead of attackers and protect their critical assets from increasingly sophisticated ransomware campaigns.
