Skip to content
.ca
sign in
4 minhigh

Intelligence Center

Ransomware tactics in 2025 have shifted heavily toward 'Living off the Land' (LotL) techniques, with threat actors leveraging valid accounts and built-in administrative tools like RDP, PowerShell, and PsExec to evade detection. Qilin has emerged as the most prolific ransomware group, utilizing double-extortion tactics, while manufacturing remains the most targeted industry.

Conf:highAnalyzed:2026-03-31reports

Authors: Hazel Burton

ActorsQilinAkiraPlayLockBitINC RansomSAFEPAYLynxDragonForceRansomHubSinobiMedusaEverest GroupKillSecWorld LeaksRhysidaNightSpire
PhishingAkiraRansomwareQilinLiving off the Land

Source:Cisco Talos

Key Takeaways

  • Ransomware actors are increasingly using 'Living off the Land' techniques, leveraging built-in tools like RDP, PowerShell, and PsExec to blend in with normal administrative activity.
  • Phishing accounts for 40% of initial access, leading to the widespread abuse of valid accounts across multiple attack stages.
  • Manufacturing and Professional/Scientific/Technical services are the most targeted sectors due to complex environments and limited tolerance for disruption.
  • Qilin emerged as the most prolific ransomware group in 2025, accounting for 17% of leak site posts, followed by Akira (10%) and Play (6%).
  • LockBit dropped significantly to 35th place following sustained law enforcement pressure.

Affected Systems

  • Windows environments (implied by the prevalent use of RDP, PowerShell, and PsExec)

Attack Chain

Attackers typically gain initial access via phishing (40% of the time) to compromise valid accounts. Once inside, they utilize legitimate administrative tools such as RDP, PowerShell, and PsExec to conduct lateral movement and expand access while blending in with normal network traffic. The attack culminates in double-extortion, where data is both encrypted and threatened with public release on leak sites.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Medium — Because attackers are using legitimate built-in tools (LotL), pure signature-based EDR alerts may not trigger; behavioral context and baselining are required. Network Visibility: Medium — RDP and SMB (PsExec) traffic is common in enterprise networks, requiring anomaly detection to identify malicious lateral movement. Detection Difficulty: Hard — Blending in with legitimate administrative tools requires mature baselining, continuous anomaly monitoring, and strict identity tracking to differentiate threat actors from actual administrators.

Required Log Sources

  • Windows Security Event Logs (Event ID 4624, 4625)
  • PowerShell Script Block Logging (Event ID 4104)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Threat actors are using compromised valid accounts to execute PowerShell or PsExec for lateral movement outside of normal administrative patterns.Process creation logs, PowerShell script block logging, authentication logsLateral MovementHigh
Adversaries are initiating RDP sessions from unusual source machines or during off-hours to expand access.Windows Security Event Logs (Logon events), Network flow logsLateral MovementMedium

Control Gaps

  • Lack of strict identity and access management (IAM)
  • Insufficient behavioral baselining for administrative tools
  • Inadequate asset management and inventory

Key Behavioral Indicators

  • Abnormal RDP access requests (off-hours, unusual source/destination)
  • Unexpected PowerShell execution by non-admin users or service accounts
  • PsExec usage outside of approved maintenance windows or from non-management subnets

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Monitor the use of built-in administrative tools (RDP, PowerShell, PsExec) for unexpected usage patterns and abnormal access requests.

Infrastructure Hardening

  • Strengthen identity protections, focusing on the accounts that hold administrative privileges.
  • Enhance backup, EDR, network segmentation, logging, and recovery capabilities.
  • Maintain clear asset inventories and establish network behavior baselines.

User Protection

  • Implement robust phishing and social engineering training for employees.

Security Awareness

  • Regularly test ransomware response readiness, potentially utilizing historically lower-activity months like January for tabletop exercises.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1078 - Valid Accounts
  • T1021.001 - Remote Desktop Protocol
  • T1059.001 - PowerShell
  • T1569.002 - Service Execution
  • T1486 - Data Encrypted for Impact

Related