Living off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight

Regular readers of our monthly ransomware review (read our April edition here) know that Ransomware-as-a-Service (RaaS) gangs have been making headlines globally with their disruptive attacks on organizations.

Sometimes, though, it’s not enough to merely know about of the problem.

In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage.

One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.

Let’s dive into the dangers of LOTL attacks in RaaS operations and provide guidance for under-resourced IT teams on how to detect and block such threats.

The deceptive nature of LOTL attacks

In an ideal world, IT teams whose organizations are under attack would have clear and direct evidence of the malicious activity.

For example, if unusual network connections are being made to remote IP addresses associated with known malicious actors, then there’s little doubt that you’re under attack—enabling IT to put a halt to the behavior early on.

But now imagine you’re diligently monitoring a network for any signs of suspicious activity. As you scan a seemingly endless stream of logs, searching for any anomalies that could signal trouble, you notice some activity from PowerShell, a versatile and legitimate scripting tool.

Script Block Logging records all blocks of code as they’re executed by PowerShell, which could you point to suspicious activity. Source.

Namely, there are scripts using commands that an attacker could use to steal data from the company’s network, but which also resembled legitimate administrative tasks used by IT professionals for various system administration tasks. Considering it’s regular business hours, you figure it’s part of a routine IT maintenance operation and move on.

But, lo and behold, it was a RaaS gang the whole time!

The attacker had studied the company’s environment and had a deep understanding of the tools and processes typically used by employees, and so they managed to avoid raising suspicion by blending in with typical PowerShell usage. By conducting the attack during normal business hours, the attackers also avoided any of the usual scrutiny that would come from moving across a network late at night. 

This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities. Experienced analysts, however, might be able to pick up on subtle anomalies or patterns that indicate a LOTL attack, leveraging their expertise and deep understanding of system behaviors.

On the other hand, new or under-resourced teams may struggle to identify such attacks due to a lack of experience or insufficient tools, leaving them vulnerable to these stealthy threats.

5 LOTL tools used by ransomware gangs 

While attackers use a seemingly innumerable amount of legitimate tools for LOTL attacks, below are five of the most common ones we’ve seen the most active ransomware gangs using for their attacks.

ToolUsed ForUsed ToUsed By
PowerShellVersatile scripting language and shell framework for Windows systemsExecute malicious scripts, maintain persistence, and evade detectionLockBit, Vice Society, Royal, BianLian, ALPHV, Black Basta
PsExecLightweight command-line tool for executing processes on remote systemsExecute commands or payloads via a temporary Windows serviceLockBit, Royal, ALPHV, Play, BlackByte
WMIAdmin feature for accessing and managing Windows system componentsExecute malicious commands and payloads remotelyLockBit, Vice Society, Black Basta, Dark Power, Cl0p, BianLian
MimikatzOpen source tool for Windows security and credential managementExtract credentials from memory and perform privilege escalationLockBit, Black Basta, Cuba, ALPHV
Cobalt StrikeCommercial pen test to assess network security and simulate advanced threat actor tacticsCommand and control, lateral movement, and exfiltration of sensitive dataLockBit, Black Basta, Royal, ALPHV, Play, Cuba, Vice Society

Again, readers of our monthly ransomware review will recognize that each gang listed here are responsible for the lion’s share of yearly ransomware attacks.

LockBit, for example, topped our 2023 State of Malware Report as being responsible for more than 3 times more attacks than the next most active ransomware, ALPHV. In February 2023 alone, the LockBit group identified 126 victims onto its leak page.

Vice Society, on the other hand, is responsible for 70 percent of known attacks on UK education institutions.

Advice for IT teams

The four tips listed below, combined of cutting-edge technology and unique expertise, can greatly help IT teams uncover LOTL attacks:

1. Regularly monitor network traffic and logs

  • Regularly analyze your network traffic for any unusual patterns or connections to known malicious IP addresses or domains associated with the use of tools like Chisel, Qakbot, or Cobalt Strike. 
  • Enable logging on critical systems (firewalls, servers, and endpoint devices) and regularly review logs for unusual activities or signs of compromise.

2. Stay informed of the latest threat intelligence

  • Leverage threat intelligence feeds to stay informed about new attack techniques, indicators of compromise (IOCs), and other relevant threat data.
  • Use this data to fine-tune your security monitoring, detection, and response capabilities to identify and mitigate LOTL attacks.

3. Leverage behavioral analysis and anomaly detection

  • Implement advanced monitoring tools that focus on detecting unusual user or system behavior rather than relying solely on known signatures or patterns.
  • Machine learning and artificial intelligence can be leveraged to identify deviations from normal behavior, which might indicate an ongoing LOTL attack.

Malwarebytes EDR observes the behaviors of processes, registry, file system, and network activity on the endpoint using a heuristic algorithm looking for deviations. Here you can see all detection rules triggered in the suspicious activity and their mapping to MITRE ATT&CK.

4. Restrict the abuse of legitimate tools

  • Focus on managing and controlling the use of legitimate tools and system features often exploited in LOTL attacks.
  • Limit access to certain tools only to users who require them, monitoring their usage, and applying specific security policies to restrict potentially harmful actions.

In short, by continuously analyzing network and system data, identifying potential weak points, and anticipating attacker tactics, IT teams can begin to get the upper-hand against RaaS gangs that employ LOTL techniques.

24×7 security monitoring and threat hunting for your organization

Monitoring network traffic, enabling and reviewing logs, checking for anomaly detection, and implementing application control are essential steps for detecting and blocking malicious activity. However, these efforts often require around-the-clock coverage and deep cybersecurity expertise, which can be difficult for small and medium-sized organizations to maintain.

This is where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR analysts are experienced in detecting malicious use of legitimate tools and blocking attackers. They use their expertise to identify unusual patterns or connections to malicious IP addresses, domains, or unauthorized application usage related to the LOTL attacks conducted by the RaaS gangs.

By partnering with Malwarebytes MDR, businesses can enhance their security posture and gain peace of mind, knowing that a skilled team of security experts is working 24x7x365 to proactively detect and respond to potential threats. Find more MDR resources below!