5 tools IT admins should block right now
Block these tools to ruin a ransomware gang’s day.
In an effort to stay hidden as they operate on your network, ransomware gangs increasingly put aside malware in favor of using legitimate software tools that don’t look out of place on the computers they’re attacking—a tactic known as Living Off The Land (LOTL).
Across the ransomware incidents we observe, certain non-Windows-native tools consistently show up in attackers’ arsenals. Below are five that ransomware operators frequently abuse—and that you should block unless you have a good reason not to.
1. Select RMM tools
As we wrote about earlier this year, RMM tools have become a core part of ransomware gangs’ attack strategies.
Tools like AnyDesk, NinjaRMM, and TeamViewer are used by attackers to provide remote access to environments they’ve compromised, giving them the control they need to further an attack. Once inside, attackers can manipulate these tools to exfiltrate data, escalate privileges, or deploy ransomware.
We recommend you conduct a thorough audit of every RMM tool currently in use. Identify which ones are absolutely necessary and block or remove any that are non-essential using tools like ThreatDown Application Block.
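One way to run the audit described above is to check process-creation telemetry rather than only the list of installed programs, because an RMM client dropped into a user profile never shows up in Add/Remove Programs. The script below is an example added to this article, not ThreatDown's tooling and not a substitute for ThreatDown Application Block. It consumes records shaped like Sysmon Event ID 1 (Image, OriginalFileName, Company, User), matches them against the three RMM families named in the article, and reports every occurrence that is not on an approved (tool, host) list. The sample events, the approved pairs, the NinjaRMM image name and the Company-name fragments are all constructed or assumed values to be replaced with your own.

```python
"""Audit which RMM tools are actually running, from process-creation telemetry.

Example code added to this article; it is not ThreatDown's tooling. Input
records mirror the fields of Sysmon Event ID 1 and the sample events below
are constructed. The approved (tool, host) pairs, the NinjaRMM image name and
the Company-name fragments are placeholders: replace them with your own
inventory and with values read from signed copies of each binary.
"""
import ntpath

# Known RMM families. A renamed copy of a binary keeps its OriginalFileName
# and Company version-info fields, so we match on those as well as the path.
# Image names for NinjaRMM and the Company fragments are assumptions.
RMM_TOOLS = {
    "AnyDesk":    {"images": {"anydesk.exe"},
                   "company": {"anydesk", "philandro"}},
    "NinjaRMM":   {"images": {"ninjarmmagent.exe"},
                   "company": {"ninjarmm"}},
    "TeamViewer": {"images": {"teamviewer.exe", "teamviewer_service.exe"},
                   "company": {"teamviewer"}},
}


def classify(event):
    """Return (tool, matched_field) for an RMM family, or (None, None)."""
    image = ntpath.basename(event.get("image", "")).lower()
    original = event.get("original_file_name", "").lower()
    company = event.get("company", "").lower()
    for tool, sig in RMM_TOOLS.items():
        if image in sig["images"]:
            return tool, "image"
        if original in sig["images"]:
            return tool, "original_file_name"
        if any(fragment in company for fragment in sig["company"]):
            return tool, "company"
    return None, None


def audit(events, approved):
    """Flag every RMM process; anything outside the approved (tool, HOST) set is unapproved."""
    findings = []
    for event in events:
        tool, field = classify(event)
        if tool is None:
            continue
        host = event["host"].upper()
        findings.append({
            "tool": tool,
            "host": host,
            "user": event.get("user", "?"),
            "image": event.get("image", ""),
            "matched_on": field,
            "status": "approved" if (tool, host) in approved else "unapproved",
        })
    return findings


def hosts_by_tool(findings):
    """Inventory view: which hosts run each RMM family, approved or not."""
    inventory = {}
    for finding in findings:
        inventory.setdefault(finding["tool"], set()).add(finding["host"])
    return inventory


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "user": "CORP\\svc_helpdesk",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "original_file_name": "TeamViewer.exe", "company": "TeamViewer Germany GmbH"},
    {"host": "WS-01", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "original_file_name": "AnyDesk.exe", "company": "AnyDesk Software GmbH"},
    {"host": "SRV-FILE-02", "user": "CORP\\backup_admin",
     "image": r"C:\Users\Public\svchost_update.exe",   # renamed binary, caught by version info
     "original_file_name": "AnyDesk.exe", "company": "AnyDesk Software GmbH"},
    {"host": "WS-03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe",
     "original_file_name": "NinjaRMMAgent.exe", "company": "NinjaRMM LLC"},
    {"host": "WS-07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "company": "Microsoft Corporation"},
]

# Placeholder: the only sanctioned RMM deployment in this fictional estate.
APPROVED = {("TeamViewer", "HELPDESK-01")}

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS, APPROVED):
        print(f"{finding['status']:10} {finding['tool']:11} {finding['host']:12} "
              f"{finding['user']:22} via {finding['matched_on']}: {finding['image']}")
    print(hosts_by_tool(audit(SAMPLE_EVENTS, APPROVED)))
```

The OriginalFileName and Company fields come from the executable's version resource, which is not covered by a code signature on its own, so treat a match here as a lead for the audit rather than proof; pairing the check with signature verification or file hashes in your EDR gives a firmer answer. Hosts that show up as unapproved are the candidates for removal or blocking.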
2. PDQ Deploy
PDQ Deploy is a legitimate tool designed for administrators to install and update software across a network. Ransomware attackers use it for the very same task—to deploy their malware quickly to every connected machine in an organization.
We’ve seen multiple ransomware attacks in which PDQ Deploy has played a critical role. For example, the Medusa ransomware gang, one of the most prolific groups this year, has been observed using PDQ Deploy to rapidly spread ransomware across multiple machines.
If your organization isn’t actively using PDQ Deploy, block it. If it’s being used, ensure its access is tightly controlled and monitored.
3. Advanced IP Scanner
Advanced IP Scanner is another tool we see quite often in ransomware attacks, particularly in those carried out by the Akira ransomware gang.
This tool helps IT admins scan local area networks (LANs) to identify connected devices. In the wrong hands, this same capability is used by attackers to perform network mapping—identifying all IP addresses, device types, and operating systems on the network. This information allows them to prioritize targets, figure out which machines contain valuable data, and decide where to exploit vulnerabilities.
If Advanced IP Scanner isn’t essential to your day-to-day operations, consider blocking it to prevent attackers from performing their own network reconnaissance.
4. IObit Unlocker
IObit Unlocker is designed to force-unlock files that have been locked by another process. This is helpful when files are locked by security programs or system processes and need to be modified.
Unfortunately, we’ve observed ransomware gangs using IObit Unlocker in their attacks as well.
For example, using IObit Unlocker, ransomware operators can unlock files tied to security programs, allowing them to disable or delete protective measures. Without these defenses, the attackers are free to execute their malicious payloads unchallenged.
Other tools, such as Unlocker and LockHunter, provide the same functionality as IObit Unlocker. Unless your team has a legitimate need for these tools, block them all.
5. Process Hacker
Process Hacker is an open-source task manager used to manage processes and system services. While helpful for legitimate IT tasks, we’ve also observed ransomware attackers exploiting it to disable security software.
Since Process Hacker operates using elevated privileges and kernel-mode drivers, it can terminate protected processes by interacting with system services at a deeper level. Needless to say, it’d be wise to block Process Hacker on your endpoints unless and until you need it.
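For environments without a dedicated application-control product, the built-in Windows mechanism for the blocking recommended throughout this list is AppLocker. The script below is an example added to this article, not ThreatDown's tooling and not a substitute for ThreatDown Application Block: it generates an AppLocker policy with a Deny rule pair (publisher and install path) for each of the tool families above. Every publisher string is a placeholder and every install path is an assumption; on a reference machine, read the real publisher for each binary with `Get-AppLockerFileInformation -Path <exe> | Select-Object -ExpandProperty Publisher`, substitute it, and import the result with `Set-AppLockerPolicy -XmlPolicy blocklist.xml -Merge`.

```python
"""Generate an AppLocker policy that denies the five tool families above.

Example code added to this article; it is not ThreatDown's tooling. All
publisher strings below are placeholders and all install paths are
assumptions. Read the real publisher of each binary with
    Get-AppLockerFileInformation -Path <exe> | Select-Object -ExpandProperty Publisher
and import the finished file with
    Set-AppLockerPolicy -XmlPolicy blocklist.xml -Merge
"""
import uuid
import xml.etree.ElementTree as ET

EVERYONE_SID = "S-1-1-0"   # AppLocker "Everyone"; %PROGRAMFILES% covers both Program Files folders

# (rule name, assumed install-path glob, publisher placeholder)
BLOCKLIST = [
    ("AnyDesk",             r"%PROGRAMFILES%\AnyDesk\*",                  "O=REPLACE-WITH-ANYDESK-PUBLISHER"),
    ("NinjaRMM",            r"%PROGRAMFILES%\NinjaRMMAgent\*",            "O=REPLACE-WITH-NINJARMM-PUBLISHER"),
    ("TeamViewer",          r"%PROGRAMFILES%\TeamViewer\*",               "O=REPLACE-WITH-TEAMVIEWER-PUBLISHER"),
    ("PDQ Deploy",          r"%PROGRAMFILES%\Admin Arsenal\PDQ Deploy\*", "O=REPLACE-WITH-PDQ-PUBLISHER"),
    ("Advanced IP Scanner", r"%PROGRAMFILES%\Advanced IP Scanner\*",      "O=REPLACE-WITH-IPSCANNER-PUBLISHER"),
    ("IObit Unlocker",      r"%PROGRAMFILES%\IObit\IObit Unlocker\*",     "O=REPLACE-WITH-IOBIT-PUBLISHER"),
    ("Process Hacker",      r"%PROGRAMFILES%\Process Hacker 2\*",         "O=REPLACE-WITH-PROCESSHACKER-PUBLISHER"),
]


def _rule(kind, name, action):
    """Common attributes shared by every AppLocker rule element."""
    return ET.Element(kind, Id=str(uuid.uuid4()), Name=name, Description="",
                      UserOrGroupSid=EVERYONE_SID, Action=action)


def publisher_deny_rule(name, publisher):
    """Deny anything signed by the publisher; holds even if the binary is renamed or moved."""
    rule = _rule("FilePublisherRule", f"Deny {name} (publisher)", "Deny")
    cond = ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePublisherCondition",
                         PublisherName=publisher, ProductName="*", BinaryName="*")
    ET.SubElement(cond, "BinaryVersionRange", LowSection="*", HighSection="*")
    return rule


def path_deny_rule(name, path):
    """Fallback for unsigned builds; only covers the expected install location."""
    rule = _rule("FilePathRule", f"Deny {name} (path)", "Deny")
    ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePathCondition", Path=path)
    return rule


def build_policy(entries, enforce=False):
    """AuditOnly by default so that legitimate use is logged (event 8003) before blocking."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    collection = ET.SubElement(policy, "RuleCollection", Type="Exe",
                               EnforcementMode="Enabled" if enforce else "AuditOnly")
    # An enforced collection with no Allow rule blocks every executable. This
    # blocklist therefore allows "*" and relies on Deny rules taking precedence.
    allow_all = _rule("FilePathRule", "Allow everything not denied", "Allow")
    ET.SubElement(ET.SubElement(allow_all, "Conditions"), "FilePathCondition", Path="*")
    collection.append(allow_all)
    for name, path, publisher in entries:
        collection.append(publisher_deny_rule(name, publisher))
        collection.append(path_deny_rule(name, path))
    return policy


def policy_xml(entries=BLOCKLIST, enforce=False):
    """Serialise the policy in the form Set-AppLockerPolicy -XmlPolicy expects."""
    return ET.tostring(build_policy(entries, enforce), encoding="unicode")


def rule_counts(xml_text):
    """Count Allow and Deny rules in a generated policy (used to sanity-check output)."""
    counts = {"Allow": 0, "Deny": 0}
    for element in ET.fromstring(xml_text).iter():
        action = element.get("Action")
        if action in counts:
            counts[action] += 1
    return counts


def enforcement_mode(xml_text):
    """Return the EnforcementMode of the Exe rule collection."""
    return ET.fromstring(xml_text).find("RuleCollection").get("EnforcementMode")


if __name__ == "__main__":
    with open("blocklist.xml", "w", encoding="utf-8") as handle:
        handle.write(policy_xml())
    print(rule_counts(policy_xml()), enforcement_mode(policy_xml()))
```

Two points to keep in mind when deploying this. First, the policy only takes effect while the Application Identity service is running, and in AuditOnly mode the AppLocker EXE and DLL log records an event 8003 for each executable that would have been blocked; review those before switching to `enforce=True`. Second, the "Allow *" rule is there only because AppLocker default-denies an enforced collection; if your estate already runs AppLocker as an allow-list, merge just the Deny rules so you do not loosen the existing policy.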
Beyond application blocking
Blocking these tools can slow down a ransomware gang’s progress, make them less dangerous, and make their activity more obvious, but will not stop an attack entirely. So, while blocking tools like IObit Unlocker is an important step, it’s crucial to complement this with proactive defenses like MDR, which provides continuous monitoring and rapid response to potential threats.
ThreatDown MDR’s team of dedicated analysts monitors your network 24×7, diving into alerts in real time. They handle the investigation, cross-check details, and reach out when needed to confirm whether the activity is legitimate or a potential threat.
Get in touch with ThreatDown MDR today and make sure your network is protected every hour of the day.