New insights from Seqrite, the enterprise division of Quick Heal Technologies, reveal a significant shift in the tactics employed by ransomware attackers. These cybercriminals are no longer relying solely on traditional malware; instead, they are increasingly leveraging legitimate IT tools to infiltrate systems, a phenomenon that Seqrite has termed the “dual-use dilemma.”
Turning Help into Harm
In a striking transformation, hackers are utilizing low-level utilities that offer deep access to operating systems. Tools such as Process Hacker and IOBit Unlocker, originally designed to assist technicians in troubleshooting and resolving system issues, are now being weaponized. The investigation indicates that these programs are being employed to discreetly disable antivirus software.
Notably, IOBit Unlocker has been identified in various cyber campaigns, including those orchestrated by LockBit Black 3.0 and Dharma, while Process Hacker has gained traction among operators of Phobos and Makop ransomware. The critical aspect of these tools is their digital signatures, which grant them a level of trust from users’ systems, allowing hackers to operate undetected. As highlighted in Seqrite’s blog, today’s adversaries resemble penetration testers but with malicious intent, using these trusted utilities to create an environment where they can work without triggering security alerts.
A Step-by-Step Takeover
The methodology behind a ransomware attack typically follows a well-defined path known as a kill chain. This process often begins with a seemingly innocuous phishing email or compromised credentials. Once attackers establish a foothold, they employ tools like PowerRun or YDArk to gain SYSTEM-level or kernel-level control—the highest permissions available within an operating system.
Seqrite’s research indicates that these attacks generally unfold in two phases. Initially, hackers deploy “process killers” such as ProcessKO or 0th3r_av5.exe, frequently associated with MedusaLocker attacks, to terminate antivirus monitoring. This step is crucial for ensuring that the ransomware can operate without detection.
Following the neutralization of antivirus defenses, the second phase commences. Attackers use tools such as Mimikatz, which has recently been leveraged by INC Ransomware, to extract passwords, and Unlock_IT to erase logs. This erasure of forensic evidence complicates tracking efforts, making it increasingly difficult for organizations to respond effectively.
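As an added defender-side illustration (not code from Seqrite's report), the script below correlates the two phases described above over constructed process-creation and log-cleared events: a phase-one AV-killer on a host followed within a time window by a credential dumper, a log wiper, or a cleared Security log raises an alert, while a lone signed utility does not. The executable file names, the event format and the 30-minute window are assumptions.

```python
"""Correlate the two-phase 'dual-use tool' pattern over constructed Windows events."""
from datetime import datetime, timedelta

# Tool names come from the article; the .exe file names are assumptions.
PHASE1_AV_KILLERS = {"processhacker.exe", "iobitunlocker.exe", "processko.exe",
                     "0th3r_av5.exe", "powerrun.exe", "ydark.exe"}
PHASE2_POST_KILL = {"mimikatz.exe", "unlock_it.exe"}

# Constructed sample events: (ISO timestamp, host, event type, detail).
# WS01 shows the full chain; WS02 is a lone admin use; WS03 lacks phase one.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "WS01", "ProcessCreate", r"C:\Users\bob\Downloads\ProcessHacker.exe"),
    ("2024-05-01T09:03:00", "WS01", "ProcessCreate", r"C:\Windows\Temp\mimikatz.exe"),
    ("2024-05-01T09:05:00", "WS01", "LogCleared", "Security"),
    ("2024-05-01T10:00:00", "WS02", "ProcessCreate", r"C:\Tools\ProcessHacker.exe"),
    ("2024-05-01T11:00:00", "WS03", "ProcessCreate", r"C:\Windows\Temp\mimikatz.exe"),
]


def correlate(events, window_minutes=30):
    """Return alerts where a phase-one AV-killer on a host is followed, within
    window_minutes, by a phase-two indicator on the same host."""
    window = timedelta(minutes=window_minutes)
    last_phase1 = {}  # host -> (time, tool name) of the most recent AV-killer
    alerts = []
    for ts, host, etype, detail in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        name = detail.rsplit("\\", 1)[-1].lower() if etype == "ProcessCreate" else ""
        if etype == "ProcessCreate" and name in PHASE1_AV_KILLERS:
            last_phase1[host] = (t, name)  # low confidence alone; remember it
            continue
        is_phase2 = (etype == "ProcessCreate" and name in PHASE2_POST_KILL) or \
                    (etype == "LogCleared" and detail == "Security")
        if is_phase2 and host in last_phase1:
            t1, tool = last_phase1[host]
            if t - t1 <= window:
                alerts.append({"host": host, "phase1_tool": tool,
                               "phase2": name or f"{detail} log cleared",
                               "minutes_apart": int((t - t1).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```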
The Future of the Threat
The evolution of ransomware tactics presents a growing concern. Unlike their predecessors, which relied on straightforward commands, contemporary ransomware variants are utilizing automated kits known as Ransomware-as-a-Service (RaaS). Examples include LockBit 3.0 and BlackCat, which come equipped with features specifically designed to disable antivirus protections.
Looking to the future, researchers anticipate a rise in AI-assisted methodologies, where software autonomously determines the most effective means to circumvent security measures. This trend suggests that the very tools we depend on to manage our devices are becoming ideal covers for digital intruders, raising critical questions about the security landscape ahead.