
Ransomware attacks escalated in 2023 through the use of exploits from CVE vulnerabilities and stolen login credentials.

In 2023, data leak postings surged by 75% to reach a total of 4,520, as reported by cybersecurity firm Mandiant.

Ransomware attacks on the rise in 2023, fueled by exploits of vulnerabilities and pilfered login details


Ransomware attacks in 2023 have evolved significantly, with attackers relying more and more on legitimate remote access and Remote Monitoring and Management (RMM) tools. According to cybersecurity firm Mandiant, most initial access vectors for ransomware attacks this year involved either stolen credentials or exploited vulnerabilities in public-facing infrastructure.

Mandiant's findings highlight the industry's collective inability to reduce ransomware attacks and the significant damage they inflict. In 2023, the company led 20% more investigations involving ransomware compared to the previous year, with nearly 3 in 5 attacks involving confirmed or suspected data theft. The number of posts on data leak sites surged to over 1,300 in the third quarter of 2022, setting a quarterly record.

Attackers are increasingly exploiting legitimate remote access and RMM tools to gain stealthy, persistent access to networks. This evolution challenges traditional cybersecurity defenses because these tools are trusted and widely used by IT and managed service providers, making malicious activity harder to detect. For Chief Information Security Officers (CISOs), this development expands the risk calculus to include not only preventing malware execution but also monitoring and controlling legitimate administrative tools that can be repurposed by threat actors.

RMM tools such as AnyDesk, Quick Assist, and commercial/open-source remote monitoring platforms are being weaponized by ransomware gangs and nation-state actors. These tools offer remote control, script execution, file transfers, and persistence — capabilities similar to Remote Access Trojans (RATs) but operating under legitimate trust permissions. Attackers leverage them to gain initial access, blend into normal administrative activity, escalate privileges, move laterally across networks, and persist for long durations without raising immediate alarms.

Real-world ransomware groups like DragonForce, Interlock, and Scattered Spider have combined RATs, credential stealers, and living-off-the-land tactics with legitimate remote access tools to evade detection and accelerate network compromise. These campaigns often begin by exploiting unpatched software vulnerabilities or social engineering users to initiate remote sessions. The attackers then harvest credentials, execute reconnaissance, and exfiltrate data before deploying ransomware payloads, sometimes coupled with double extortion strategies.

To address this growing threat, CISOs must evolve their mitigation strategies. That means deploying monitoring that establishes a baseline of normal remote tool usage and alerts on anomalies or unusual command patterns; applying least-privilege models and multi-factor authentication even to trusted remote access tools; rapidly identifying and remediating vulnerabilities in RMM and remote access software; using up-to-date intelligence on attacker toolkits and TTPs (tactics, techniques, and procedures) to anticipate new forms of attack; and developing incident response playbooks that account for adversaries' use of legitimate administrative tools.
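The first of those measures, a baseline of normal remote tool usage with alerts on deviations, is easy to describe and less obvious to implement. The script below is an added illustration, not code from the article or from Mandiant. It builds a baseline of which remote access tools run on which hosts under which accounts, then checks new process-creation events against that baseline and flags executions on hosts with no remote-tool history, new user/tool pairs on known hosts, and off-hours use. The log lines are constructed and simplified; AnyDesk and Quick Assist are named in the article, while the other executable names, hostnames and accounts are assumptions for illustration.

```python
"""Baseline-and-anomaly check for remote access / RMM tool usage.

Added example: not from the article or from Mandiant. Models the mitigation
the article describes (baseline normal remote tool usage, alert on anomalies)
over constructed process-creation events. Real EDR telemetry differs in shape.
"""
from collections import defaultdict
from datetime import datetime

# Remote access / RMM executables to watch. AnyDesk and Quick Assist are
# named in the article; the other two names are assumed for illustration.
WATCHED_TOOLS = {
    "anydesk.exe",
    "quickassist.exe",
    "screenconnect.clientservice.exe",
    "teamviewer.exe",
}

# Constructed events: "<timestamp> <host> <user> <image name>".
# These represent a month of known-good helpdesk activity (the baseline).
BASELINE_EVENTS = [
    "2023-09-04T09:12:00 HELPDESK-01 corp\\it.admin anydesk.exe",
    "2023-09-04T10:40:00 HELPDESK-01 corp\\it.admin anydesk.exe",
    "2023-09-05T14:03:00 HELPDESK-02 corp\\it.admin quickassist.exe",
    "2023-09-06T11:15:00 HELPDESK-01 corp\\it.admin anydesk.exe",
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    "2023-10-02T10:05:00 HELPDESK-01 corp\\it.admin anydesk.exe",  # matches baseline
    "2023-10-02T02:47:00 FIN-WS-17 corp\\j.doe anydesk.exe",  # new host, off hours
    "2023-10-02T13:20:00 HELPDESK-02 corp\\svc.backup screenconnect.clientservice.exe",  # new tool/user on known host
    "2023-10-02T09:00:00 FIN-WS-17 corp\\j.doe excel.exe",  # not a watched tool
]


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, host, user, image = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": image.lower(),
    }


def build_baseline(lines):
    """Map host -> set of (user, image) pairs observed running watched tools."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev["image"] in WATCHED_TOOLS:
            baseline[ev["host"]].add((ev["user"], ev["image"]))
    return baseline


def detect_anomalies(lines, baseline, business_hours=(7, 19)):
    """Return a list of (event, reasons) for watched-tool executions that
    fall outside the baseline. An event can carry several reasons."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["image"] not in WATCHED_TOOLS:
            continue  # only remote access / RMM tools are of interest here
        reasons = []
        known_pairs = baseline.get(ev["host"], set())
        if not known_pairs:
            reasons.append("remote tool on host with no remote-tool history")
        elif (ev["user"], ev["image"]) not in known_pairs:
            reasons.append("user/tool pair not in host baseline")
        start, end = business_hours
        if not start <= ev["ts"].hour < end:
            reasons.append("execution outside business hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for ev, reasons in detect_anomalies(NEW_EVENTS, baseline):
        print(f"{ev['ts']} {ev['host']} {ev['user']} {ev['image']}: {'; '.join(reasons)}")
```

Run as a script, it reports two of the four new events: the AnyDesk launch on a finance workstation at 02:47 (two reasons) and the ScreenConnect service under a backup account on a helpdesk host (one reason). The same logic also covers the monitoring measure restated later on this page; in practice the baseline would be rebuilt on a rolling window and fed from EDR or Sysmon process-creation telemetry rather than a fixed list.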

Corporate stakeholders are asking: are we a target? In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments, and the vast majority of those incidents involved authentication to the victim's corporate VPN infrastructure. As a result, corporate stakeholders are seeking to better understand the risk calculus of their technology stacks.

Mandiant released a report on Monday stating that ransomware activity surged last year, with exploited vulnerabilities accounting for almost 30% of ransomware attacks, up from 24% in 2021. The alleged victim organizations named on data leak sites spanned more than 110 countries last year. Mandiant described the slight dip in extortion activity in 2022 as an anomaly; there were 4,520 posts on data leak sites in 2022, a 75% increase from 2021.

As the threat landscape continues to evolve, organizations need to stay vigilant and adapt their cybersecurity strategies to mitigate the risks posed by ransomware attacks that leverage legitimate remote access and RMM tools.

Incident response teams are struggling to keep up with the increasing number of ransomware attacks in 2023, which have evolved to rely heavily on legitimate remote access and Remote Monitoring and Management (RMM) tools. To address this threat, Chief Information Security Officers (CISOs) need to implement more robust cybersecurity measures, including monitoring of legitimate administrative tools, least-privilege models and multi-factor authentication, rapid remediation of vulnerabilities in RMM and remote access software, and incident response playbooks that account for adversaries' use of these tools.

Vulnerabilities in public-facing infrastructure and stolen credentials continue to be the most common initial access vectors for ransomware attacks, according to cybersecurity firm Mandiant. As a result, it is essential for organizations to stay up-to-date with the latest intelligence on attacker toolkits and tactics, techniques, and procedures (TTPs) to anticipate new forms of attacks and better protect against ransomware gangs and nation-state actors using legitimate remote access and RMM tools.
