Ransomware gangs and Living Off the Land (LOTL) attacks: A deep dive

We’ve told you about ransomware-as-a-service (RaaS) gangs; we’ve told you about Living Off the Land (LOTL) attacks. What do you get when you bring the two together? Bad news.

Our recent report, Threat Brief: Ransomware Gangs & Living Off the Land Attacks, takes a deep dive into why the intersection of these two threats is so dangerous.  

Ransomware gangs use LOTL attacks to carry out their malicious activities using legitimate IT administration tools like PowerShell, PsExec, or Windows Management Instrumentation (WMI). This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, they make it extremely difficult for IT teams and security solutions to detect any signs of malicious activity.

And that’s one big reason why RaaS gangs like LockBit, Vice Society, and ALPHV love using these attacks so much: LOTL attacks allow ransomware gangs to master the art of blending their criminal activities into normal network operations.

The report also dives into the challenges of spotting these stealthy attacks and why defenders often miss the mark. For example, traditional security systems, which are designed to flag overtly malicious activities, often overlook the subtle and covert tactics LOTL attacks employ. Simply put, when it comes to fighting LOTL and RaaS, organizations can’t afford to overlook the importance of combining human expertise with advanced detection technologies.

Further key points in the report include:

  • Expert insights: Gain wisdom from cybersecurity pros who contribute their knowledge, emphasizing the importance of multi-layered defense strategies against LOTL threats.
  • Practical tips: The report isn’t just theory; it offers actionable advice for IT teams on staying one step ahead of these covert operations.
  • Real-world scenarios: Engage with case studies that bring the concepts to life, demonstrating the impact and intricacies of LOTL attacks in action.

Ransomware gangs and LOTL attacks are a dual threat that organizations need to be prepared to take down. Read our report, Threat Brief: Ransomware Gangs & Living Off the Land Attacks, to get the vital intelligence you need to uncover LOTL techniques in the ransomware attack chain. 



Bill Cozens

Content Writer

Bill Cozens is a content writer for the Malwarebytes business blog, where he writes about industry challenges and how best to address them.