5 tools IT admins should block right now

Block these tools to ruin a ransomware gang’s day.

In an effort to stay hidden as they operate on your network, ransomware gangs increasingly put aside malware in favor of using legitimate software tools that don’t look out of place on the computers they’re attacking—a tactic known as Living Off The Land (LOTL).

Across the ransomware incidents we observe, certain non-Windows-native tools consistently show up in attackers’ arsenals. Below are five that ransomware operators frequently abuse—and that you should block unless you have a good reason not to.

1. Select RMM tools

As we wrote about earlier this year, RMM tools have become a core part of ransomware gangs’ attack strategies.

Tools like AnyDesk, NinjaRMM, and TeamViewer are used by attackers to provide remote access to environments they’ve compromised, giving them the control they need to further an attack. Once inside, attackers can manipulate these tools to exfiltrate data, escalate privileges, or deploy ransomware.

We recommend you conduct a thorough audit of every RMM tool currently in use. Identify which ones are absolutely necessary and block or remove any that are non-essential using tools like ThreatDown Application Block.

To block select RMM tools, I'm adding AnyDesk, TeamViewer, and NinjaRMM to my "Ransomware tools" rule in ThreatDown Application Block.

2. PDQ Deploy

PDQ Deploy is a legitimate tool designed for administrators to install and update software across a network. Ransomware attackers use it for the very same task—to deploy their malware quickly to every connected machine in an organization.

We’ve seen multiple ransomware attacks in which PDQ Deploy has played a critical role. For example, the Medusa ransomware gang, one of the most prolific groups this year, has been observed using PDQ Deploy to rapidly spread ransomware across multiple machines.

If your organization isn’t actively using PDQ Deploy, block it. If it’s being used, ensure its access is tightly controlled and monitored.

For applications not listed in Application Block, like PDQ Deploy, you can add your own rule by hash, certificate property, and so on. More here.

3. Advanced IP Scanner

Advanced IP Scanner is another tool we see quite often in ransomware attacks, particularly by the Akira ransomware gang.

This tool helps IT admins scan local area networks (LAN) to identify connected devices. In the wrong hands, this same capability is used by attackers to perform network mapping—identifying all IP addresses, device types, and operating systems on the network. This information allows them to prioritize targets, figure out which machines contain valuable data, and decide where to exploit vulnerabilities.

If Advanced IP Scanner isn’t essential to your day-to-day operations, consider blocking it to prevent attackers from performing their own network reconnaissance.

Adding Advanced IP Scanner to my "Ransomware tools" rule in ThreatDown Application Block.

4. IObit Unlocker

IObit Unlocker is designed to force-unlock files that have been locked by another process. This is helpful when files are locked by security programs or system processes and need to be modified.

Unfortunately, we’ve observed ransomware gangs using IObit Unlocker in their attacks as well.

For example, using IObit Unlocker, ransomware operators can unlock files tied to security programs, allowing them to disable or delete protective measures. Without these defenses, the attackers are free to execute their malicious payloads unchallenged.

Other tools, such as Unlocker or LockHunter, provide similar functionality to IObit Unlocker. Unless your team has a legitimate need for these tools, block them all.

Adding IObit to my "Ransomware tools" rule in ThreatDown Application Block.

5. Process Hacker

Process Hacker is an open-source task manager used to manage processes and system services. While helpful for legitimate IT tasks, we’ve also observed ransomware attackers exploiting it to disable security software.

Since Process Hacker operates using elevated privileges and kernel-mode drivers, it can terminate protected processes by interacting with system services at a deeper level. Needless to say, it’d be wise to block Process Hacker on your endpoints until and unless you need it.

Adding Process Hacker to our "Ransomware tools" rule in ThreatDown Application Block.

Beyond application blocking

Blocking these tools can slow down a ransomware gang’s progress, make them less dangerous, and make their activity more obvious, but will not stop an attack entirely. So, while blocking tools like IObit Unlocker is an important step, it’s crucial to complement this with proactive defenses like MDR, which provides continuous monitoring and rapid response to potential threats.
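As an added example (not from the original post or from ThreatDown), the following Python check reads constructed process-creation events and flags executions of the five tool families above, while letting through (executable, host) pairs you have explicitly approved, which is the "good reason not to block" exception in practice. The executable names in WATCHLIST and the APPROVED entries are assumptions for this example; verify them against your own software inventory.

```python
from collections import Counter
# Executable names are assumptions drawn from typical installs of each tool;
# verify them against your own software inventory before relying on them.
WATCHLIST = {
    "RMM": ("anydesk.exe", "teamviewer.exe", "ninjarmmagent.exe"),
    "PDQ Deploy": ("pdqdeploy.exe", "pdqdeployrunner-1.exe"),
    "Advanced IP Scanner": ("advanced_ip_scanner.exe",),
    "File unlocker": ("iobitunlocker.exe", "unlocker.exe", "lockhunter.exe"),
    "Process Hacker": ("processhacker.exe",),
}
# (executable, host) pairs with an approved business use, i.e. the "good reason
# not to block" exception. Assumed values for this example.
APPROVED = {("teamviewer.exe", "IT-ADMIN01")}
# Constructed process-creation events, one per line: host|user|image|command line
SAMPLE_EVENTS = """\
WS-FIN07|CORP\\jdoe|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --service
IT-ADMIN01|CORP\\itops|C:\\Program Files\\TeamViewer\\TeamViewer.exe|TeamViewer.exe
WS-FIN07|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe|advanced_ip_scanner.exe /portable
SRV-FILE02|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\PDQDeployRunner-1.exe|PDQDeployRunner-1.exe
WS-FIN07|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""

def parse_event(line):
    """Split one pipe-delimited event; the lower-cased file name is what we match on."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline,
            "exe": image.rsplit("\\", 1)[-1].lower()}

def classify(event):
    """Return the watchlist family the executable belongs to, or None."""
    for family, names in WATCHLIST.items():
        if event["exe"] in names:
            return family
    return None

def triage(log_text):
    """Return (alerts, approved): watchlisted executions split by the APPROVED exceptions."""
    alerts, approved = [], []
    for line in log_text.splitlines():
        event = parse_event(line)
        family = classify(event)
        if family is None:
            continue  # not one of the tools this post is concerned with
        event["family"] = family
        bucket = approved if (event["exe"], event["host"]) in APPROVED else alerts
        bucket.append(event)
    return alerts, approved

def summarize(alerts):
    return Counter(alert["family"] for alert in alerts)  # alerts per tool family
```

Matching on file name alone is deliberately simple; in production, pair it with the hash or signer-based rules mentioned earlier so a renamed binary does not slip past.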

ThreatDown MDR’s team of dedicated analysts monitors your network 24×7, diving into alerts in real time. They handle the investigation, cross-check details, and reach out when needed to confirm whether the activity is legitimate or a potential threat.

Get in touch with ThreatDown MDR today here and make sure your network is protected every hour of the day.