In recent years, cybercriminals have increasingly adopted a tactic known as “living off the land” (LotL) to carry out devastating ransomware attacks. This approach involves using legitimate system administration tools and processes to evade detection and execute malicious activities. By leveraging trusted software already present on target systems, attackers can blend in with normal operations and bypass many traditional security controls.
What Are Living Off the Land Attacks?
LotL attacks take their name from the survival technique of foraging and using resources available in the natural environment. In cybersecurity, it refers to threat actors utilizing built-in operating system features, commonly used utilities, and other authorized software to compromise systems and networks.
Image: Cybercriminals sharing tutorials on LotL techniques
Some examples of legitimate tools frequently exploited in LotL attacks include:
- PowerShell
- Windows Management Instrumentation (WMI)
- PsExec
- Remote Desktop Protocol (RDP)
- Task Scheduler
- Windows Scripting Host (WSH)
- Sysinternals tools
- Command-line interfaces
By leveraging these trusted utilities, attackers can perform reconnaissance, move laterally within networks, escalate privileges, exfiltrate data, and deploy ransomware payloads – all while flying under the radar of many security solutions.
Why Are Living Off the Land Tactics Effective?
LotL techniques have several benefits for ransomware operators:
Most antivirus and endpoint detection systems can recognize known malware signatures or suspicious binaries, but LotL attacks with native tools bypass these defenses. Because attackers are not introducing new malicious executables, there are fewer obvious indicators of compromise (IoCs) for analysts to find.
Many system administration tools run with elevated privileges, so an attacker who controls them can harvest login credentials and escalate permissions. Malicious activity can also be disguised as routine system tasks, giving attackers long-term, stealthy access.
Attackers also no longer need to develop and deploy custom malware – cutting complexity and potential points of failure. All these factors make LotL tactics appealing for cybercriminals.
Which Ransomware Groups Use Living Off the Land?
Here are two examples of ransomware groups that have used LotL techniques:
Vice Society
Vice Society conducts double extortion attacks on the education and health sectors. In one incident, Vice Society posted 500GB of data stolen from the Los Angeles Unified School District (LAUSD) on the dark web. The group frequently uses PowerShell scripts and Go-backdoor DLLs to avoid detection by common EDR and security tools. They also deploy ransomware variants including HelloKitty for Linux hosts and Zeppelin for Windows hosts through tools like PsExec.
LockBit
LockBit is a notorious ransomware group that uses LotL techniques extensively. In one incident involving a ThreatDown MDR client, LockBit attackers used the Nltest command to map out the network topology and find possible lateral movement paths. They then started remote processes using Windows Management Instrumentation Command-line (WMIC) to spread ransomware. LockBit also used Rundll32, a legitimate Windows tool, to execute malicious code embedded in DLL files to avoid detection.
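The chain described above (nltest reconnaissance, WMIC remote process creation, rundll32 loading a DLL from a user-writable path) is what a detection engineer would want to correlate per account rather than alert on one command at a time. The following is an added example, not code from the original post or from ThreatDown/BlackFog; the event tuple format, the constructed sample events and the rule weights are assumptions, loosely modelled on process-creation telemetry such as Sysmon Event ID 1.

```python
import re
from collections import defaultdict

# Each rule: (name, regex over the command line, weight). The patterns are
# simplified versions of common Sigma-style detections and are not exhaustive.
RULES = [
    ("nltest_recon", re.compile(r"\bnltest(\.exe)?\b", re.I), 1),
    ("wmic_remote_exec",
     re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I), 3),
    ("rundll32_user_path",
     re.compile(r"\brundll32(\.exe)?\b.*(\\users\\|\\temp\\|\\programdata\\)", re.I), 2),
]

# Constructed sample events (assumed format): (host, user, command_line).
SAMPLE_EVENTS = [
    ("WS01", "corp\\jdoe", "nltest.exe /dclist:corp"),
    ("WS01", "corp\\jdoe", "wmic.exe /node:FS02 process call create \"C:\\ProgramData\\upd.exe\""),
    ("FS02", "corp\\jdoe", "rundll32.exe C:\\Users\\Public\\x.dll,Start"),
    # Benign: rundll32 loading a DLL from System32 is normal admin activity.
    ("WS03", "corp\\admin", "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]


def score_events(events):
    """Return {(host, user): (score, [matched rule names])} for every
    (host, user) pair with at least one rule hit."""
    hits = defaultdict(lambda: [0, []])
    for host, user, cmdline in events:
        for name, pattern, weight in RULES:
            if pattern.search(cmdline):
                entry = hits[(host, user)]
                entry[0] += weight
                entry[1].append(name)
    return {key: (score, names) for key, (score, names) in hits.items()}


def flag_users(events, threshold=3):
    """Aggregate scores per account across hosts. One account chaining
    recon, remote execution and DLL execution from a user path is the
    pattern in the LockBit case; a single low-weight hit stays below threshold."""
    per_user = defaultdict(lambda: [0, set()])
    for (_host, user), (score, names) in score_events(events).items():
        per_user[user][0] += score
        per_user[user][1].update(names)
    return {u: (s, sorted(n)) for u, (s, n) in per_user.items() if s >= threshold}


if __name__ == "__main__":
    for user, (score, names) in flag_users(SAMPLE_EVENTS).items():
        print(f"{user}: score={score} rules={names}")
```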
How Can Living Off the Land Be Mitigated?
To prevent LotL attacks, organizations can employ two main strategies:
First, apply the principle of least privilege – grant users and systems only the minimal access needed to perform their roles. This limits attackers' ability to exploit elevated privileges.
Continually reviewing user accounts and system processes to ensure that administrative privileges are granted only when absolutely necessary may also help enforce this principle.
Secondly, implement anti data exfiltration (ADX) measures. Monitoring network traffic can detect irregularities or large transfers of data to external locations that may indicate exfiltration attempts.
For this purpose, BlackFog is an ideal candidate and provides full ADX capabilities to organizations committed to data protection and prevention-based security policies. Keeping unauthorized data off your network lowers risk while improving compliance and audit outcomes.
If you’re interested, book a free ransomware assessment today to see how we can help strengthen your organization’s security.