In recent years, cybercriminals have increasingly adopted a tactic known as “living off the land” (LotL) to carry out devastating ransomware attacks. This approach involves using legitimate system administration tools and processes to evade detection and execute malicious activities. By leveraging trusted software already present on target systems, attackers can blend in with normal operations and bypass many traditional security controls.
What Are Living Off the Land Attacks?
LotL attacks take their name from the survival technique of foraging and using resources available in the natural environment. In cybersecurity, it refers to threat actors utilizing built-in operating system features, commonly used utilities, and other authorized software to compromise systems and networks.
Image: Cybercriminals sharing tutorials on LotL techniques
Some examples of legitimate tools frequently exploited in LotL attacks include:
- PowerShell
- Windows Management Instrumentation (WMI)
- PsExec
- Remote Desktop Protocol (RDP)
- Task Scheduler
- Windows Scripting Host (WSH)
- Sysinternals tools
- Command-line interfaces
By leveraging these trusted utilities, attackers can perform reconnaissance, move laterally within networks, escalate privileges, exfiltrate data, and deploy ransomware payloads – all while flying under the radar of many security solutions.
Why Are Living Off the Land Tactics Effective?
LotL techniques have several benefits for ransomware operators:
Most antivirus and endpoint detection systems recognize known malware signatures or suspicious binaries, but LotL attacks that use native tools bypass these defenses. Because attackers introduce no new malicious executables, there are fewer obvious indicators of compromise (IoCs) for analysts to find.
Many system administration tools run with elevated privileges, so attackers can use them to harvest login credentials and escalate permissions. Malicious activity can be disguised as routine system tasks, allowing long-term, stealthy access.
Attackers also no longer need to develop and deploy custom malware – cutting complexity and potential points of failure. All these factors make LotL tactics appealing for cybercriminals.
Which Ransomware Groups Use Living Off the Land?
Here are two examples of ransomware groups that have used LotL techniques:
Vice Society
Vice Society conducts double extortion attacks on the education and health sectors. In one incident, Vice Society posted 500GB of data stolen from the Los Angeles Unified School District (LAUSD) on the dark web. The group frequently uses PowerShell scripts and Go-backdoor DLLs to avoid detection by common EDR and security tools. It also deploys ransomware variants, including HelloKitty for Linux hosts and Zeppelin for Windows hosts, through tools like PsExec.
LockBit
LockBit is a notorious ransomware group that uses LotL techniques extensively. In one real incident involving a ThreatDown MDR client, LockBit attackers used the Nltest command to map out the network topology and find possible lateral movement paths. They then started remote processes using the Windows Management Instrumentation Command-line (WMIC) to spread ransomware. LockBit also used Rundll32, a legitimate Windows tool, to execute malicious code embedded in DLL files and avoid detection.
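Because the tools in the chain above are legitimate, detection has to key on how they are invoked rather than on the binaries themselves. The following added example (not BlackFog's or ThreatDown's code) scores process-creation events against the patterns the article describes: Nltest domain enumeration, WMIC remote process creation, Rundll32 loading a DLL from a user-writable path, PsExec against a remote host, and hidden or encoded PowerShell. The event format (a dict with host, parent, image and command_line, as a Sysmon-style log would supply), the sample events and the rule thresholds are all constructed assumptions, and the rules are a starting heuristic, not a complete ruleset.

```python
"""Flag process-creation events that match common LotL invocation patterns.

Added example; event schema, sample events and heuristics are constructed.
"""
import re

# Each rule: (name, regex applied to the lowercased command line).
LOTL_RULES = [
    # Nltest used for domain/DC enumeration (recon step).
    ("nltest-domain-recon",
     re.compile(r"\bnltest(\.exe)?\b.*(/dclist|/domain_trusts|/dsgetdc)")),
    # WMIC creating a process on another host (lateral movement step).
    ("wmic-remote-process-create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create")),
    # Rundll32 loading a DLL from temp, a user profile or ProgramData.
    ("rundll32-dll-from-user-path",
     re.compile(r"\brundll32(\.exe)?\b.*\\(temp|users\\[^\\]+\\(appdata|downloads)|programdata)\\")),
    # PsExec targeting a remote machine (\\host).
    ("psexec-remote-exec",
     re.compile(r"\bpsexec(64)?(\.exe)?\b\s+\\\\")),
    # PowerShell launched hidden, with an encoded command, or without profile.
    ("powershell-encoded-hidden",
     re.compile(r"\bpowershell(\.exe)?\b.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b)")),
]

# Parents that rarely spawn admin tooling legitimately (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}


def classify_event(event):
    """Return the list of rule names that fire for one process-creation event."""
    cmd = event.get("command_line", "").lower()
    hits = [name for name, rx in LOTL_RULES if rx.search(cmd)]
    parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
    # A LotL tool spawned by an Office app or script host raises the score further.
    if hits and parent in SUSPICIOUS_PARENTS:
        hits.append("spawned-by-office-or-script-host")
    return hits


def triage(events):
    """Group rule hits per host. A host with two or more distinct rules firing
    is escalated, mirroring the recon -> lateral movement -> execution chain."""
    per_host = {}
    for ev in events:
        for rule in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: {"rules": sorted(rules), "escalate": len(rules) >= 2}
            for host, rules in per_host.items()}


# Constructed sample events (hosts, paths and commands are illustrative).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c nltest /dclist:corp.example"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"fs02" process call create "cmd.exe /c \\fs02\share\update.exe"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\svc.dll,Start"},
    {"host": "ws04", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand BASE64_PLACEHOLDER"},
    # Benign: Control Panel applet via rundll32 from a system DLL.
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign: ordinary user activity.
    {"host": "ws03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Run on the sample set, ws01 is escalated because three different rules fire across its events, ws04 because hidden PowerShell was spawned by Word, and the two benign events produce nothing. Tuning the parent list and path patterns to your own environment is the main work when deploying a rule set like this.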
How Can Living Off the Land Be Mitigated?
To prevent LotL attacks, organizations can employ two main strategies:
First, apply the principle of least privilege – grant users and systems only the minimal access needed to perform their roles. This limits attackers' ability to exploit elevated privileges.
Continually reviewing user accounts and system processes to ensure that administrative privileges are granted only when absolutely necessary also helps enforce this principle.
Secondly, implement anti data exfiltration (ADX) measures. Monitoring network traffic can detect irregularities or large transfers of data to external locations that may indicate data exfiltration attempts.
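One way to turn the ADX monitoring described above into a concrete check is to compare each host's outbound volume to external addresses against its own recent baseline. The added example below (not BlackFog's code) does exactly that over constructed per-host, per-day flow summaries: traffic to RFC 1918 addresses is ignored, and a host is flagged when today's external egress exceeds both an absolute floor and a multiple of its median historical egress. The flow record format, the networks treated as internal, the thresholds and the sample data are all assumptions.

```python
"""Flag hosts whose external egress jumps well above their own baseline.

Added example; flow schema, thresholds and sample data are constructed.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Address ranges treated as internal (assumption: RFC 1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination is outside the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_by_host_day(flows):
    """Sum bytes sent to external destinations per host and per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]):
            totals[f["host"]][f["day"]] += f["bytes_out"]
    return totals


def find_exfil_candidates(flows, current_day, min_bytes=500_000_000, ratio=5.0):
    """Return {host: details} for hosts whose egress on current_day is at least
    min_bytes and at least ratio times their median egress on earlier days.
    A host with no history is flagged on the absolute threshold alone."""
    totals = egress_by_host_day(flows)
    alerts = {}
    for host, per_day in totals.items():
        today = per_day.get(current_day, 0)
        history = [b for d, b in per_day.items() if d != current_day]
        baseline = median(history) if history else 0
        if today >= min_bytes and today >= ratio * baseline:
            alerts[host] = {"today": today, "baseline": baseline,
                            "has_history": bool(history)}
    return alerts


# Constructed sample flows: five days of history plus the day under review.
SAMPLE_FLOWS = []
for i, day in enumerate(["day-1", "day-2", "day-3", "day-4", "day-5"]):
    # ws01: a workstation sending ~20 MB/day externally.
    SAMPLE_FLOWS.append({"host": "ws01", "day": day, "dst": "203.0.113.10",
                         "bytes_out": 20_000_000 + i * 1_000_000})
    # fs02: a backup server that legitimately pushes ~900 MB/day offsite.
    SAMPLE_FLOWS.append({"host": "fs02", "day": day, "dst": "203.0.113.10",
                         "bytes_out": 900_000_000})
SAMPLE_FLOWS += [
    # ws01 suddenly sends 2.1 GB to a new external address.
    {"host": "ws01", "day": "day-6", "dst": "203.0.113.77", "bytes_out": 2_100_000_000},
    # Large internal copy from ws01: not counted as egress.
    {"host": "ws01", "day": "day-6", "dst": "10.0.0.5", "bytes_out": 5_000_000_000},
    # fs02 behaves as usual.
    {"host": "fs02", "day": "day-6", "dst": "203.0.113.10", "bytes_out": 950_000_000},
    # ws03 has no history and sends 600 MB externally.
    {"host": "ws03", "day": "day-6", "dst": "203.0.113.77", "bytes_out": 600_000_000},
]

if __name__ == "__main__":
    for host, info in find_exfil_candidates(SAMPLE_FLOWS, "day-6").items():
        print(host, info)
```

The per-host baseline is what keeps fs02 quiet despite its large transfers, while ws01's jump from roughly 22 MB to 2.1 GB and ws03's unexplained 600 MB both surface. In practice the next step is to break an alert down by destination and process so that a response team can decide whether the transfer is a backup, a cloud sync or something that needs to be blocked.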
For this purpose, BlackFog is an ideal candidate and provides full ADX capabilities to organizations committed to data protection and prevention-based security policies. Keeping unauthorized data off your network lowers risk while improving compliance and audit outcomes.
If you’re interested, book a free ransomware assessment today to see how we can help strengthen your organization’s security.