
Shut the Door on Ransomware Before it Gets Started

Symantec Adaptive Protection keeps attackers out

Ransomware groups are increasingly using legitimate software to commit attacks. In fact, recent Symantec analysis of ransomware attacks over the past three years (2021-2023) shows evidence that Living-off-the-Land (LOTL) tools, that is, pre-installed legitimate software, were used in nearly 50% of ransomware attacks. With more and more ransomware attacks making headlines, it’s clear that traditional security methods are not effective against these stealthy attackers.

In a new whitepaper, “Advances in Endpoint Security,” Dave Gruber, Principal Analyst Enterprise Strategy Group (ESG) writes, “More than half of security leaders (52%) reported to ESG that security operations are more challenging than they were two years ago, fueled by a growing and changing attack surface alongside a rapidly changing threat landscape. This includes an increased use of LOTL tools.” 

With more and more attackers leveraging legitimate software to gain a foothold and move laterally within a network, it’s clear that defenders need to take a different security approach.

Why LOTL attacks are so persistent

One reason LOTL and dual-use tool-based attacks are so successful is because organizations don’t want to block legitimate software. Because of the nature of these attacks, there are also fewer digital artifacts like IOCs for investigators to use to detect intrusions. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted this security challenge in its recent report, Identifying and Mitigating Living Off the Land Techniques: “There is a general lack of conventional indicators of compromise (IOCs) associated with LOTL activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.”

In addition, “Businesses are unique and employ LOTL tools in various ways—often differently between business units—so a one-size-fits-all [security] approach is inadequate,” writes Gruber in the new whitepaper, “Advances in Endpoint Security.” And despite the dramatically expanded capabilities of endpoint security solutions in the past 10 years, most continue to depend on a model of monitoring attack patterns and responding to these activities. This reactive approach ignores the changing operating characteristics and dynamics of the devices being protected.

Enter Symantec Adaptive Protection. One of the big benefits of Symantec Adaptive Protection is that you don’t need an IOC to protect against LOTL and related attacks. Symantec analyzes the tools and applications often employed in these attacks, while Adaptive Protection continuously analyzes each customer’s own operating environment. With a one-year history of where these tools are used in an organization, Adaptive Protection can block tools only where they are not legitimately used. This avoids the risk of false positives while still stopping the malicious use of these tools, cutting off the path that attackers are currently using.

At the time of this writing, Adaptive Protection is tracking a total of 469 specific behaviors across 54 LOTL tools and applications. As new attack methods emerge, the Symantec Global Intelligence Network feeds new data into Adaptive Protection to stay current. 
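The baseline-then-block approach described above, as an added illustration (not Symantec’s code): usage of each tool behaviour is recorded per host group over a history window, and a behaviour is blocked only in groups that have no legitimate history of it. The event fields, group names, behaviour labels and the one-year window are assumptions.

```python
"""Baseline-driven blocking of LOTL tool behaviours (illustrative, not Symantec's implementation)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host_group, tool, behaviour).
# Field names and group names are assumptions for this example.
SAMPLE_EVENTS = [
    ("2023-03-10T09:00:00", "backup-servers", "vssadmin", "delete shadows"),
    ("2023-06-02T02:15:00", "backup-servers", "vssadmin", "delete shadows"),
    ("2023-11-20T13:40:00", "it-admin", "powershell", "encoded command"),
    ("2024-01-05T08:05:00", "it-admin", "wmic", "remote process create"),
    # Older than the window: should not count as current legitimate use.
    ("2021-12-01T10:00:00", "workstations", "powershell", "encoded command"),
]

HISTORY_WINDOW = timedelta(days=365)  # assumed one-year lookback, as in the post


def build_baseline(events, now, window=HISTORY_WINDOW):
    """Count observed uses of (host_group, tool, behaviour) inside the lookback window."""
    baseline = defaultdict(int)
    cutoff = now - window
    for ts, group, tool, behaviour in events:
        if datetime.fromisoformat(ts) >= cutoff:
            baseline[(group, tool, behaviour)] += 1
    return dict(baseline)


def decide(baseline, group, tool, behaviour):
    """Allow where the behaviour has a current legitimate history in that group, else block."""
    return "allow" if baseline.get((group, tool, behaviour), 0) > 0 else "block"


def build_policy(baseline, groups, behaviours):
    """Expand the baseline into an explicit per-group allow/block policy table."""
    return {(g, t, b): decide(baseline, g, t, b) for g in groups for (t, b) in behaviours}


if __name__ == "__main__":
    now = datetime(2024, 2, 1)
    baseline = build_baseline(SAMPLE_EVENTS, now)
    policy = build_policy(
        baseline,
        ["backup-servers", "it-admin", "workstations"],
        [("vssadmin", "delete shadows"), ("powershell", "encoded command")],
    )
    for key, verdict in sorted(policy.items()):
        print(key, verdict)
```

The same behaviour ends up allowed in one group and blocked in another, which is the per-environment distinction the post contrasts with a one-size-fits-all rule.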

Understanding How Attackers Use LOTL 

Our new report, “2024 Ransomware Threat Landscape,” provides a detailed account about how ransomware attackers are eschewing malware to carry out ransomware attacks and, instead, are using LOTL. While PowerShell, WMI and Vssadmin are the top LOTL tools, there are many other pre-installed tools that attackers are using to commit attacks. You can also find a list of these tools in the new ESG whitepaper, “Advances in Endpoint Security.”

As the threat landscape, including ransomware attacks, continues to evolve, we will continue to innovate to help our customers stay ahead of the threat. Remember, the short- and long-term impact of ransomware attacks is much more than just the cost of the ransom. It’s time to take a new approach to protect against these insidious attacks. We invite you to learn more about Symantec Adaptive Protection at our upcoming webinar and learn how to significantly reduce the risk of LOTL attacks.


About the Author

Esther Seguin

Endpoint Marketing Lead, Symantec Endpoint Security

Esther provides insights to Symantec Endpoint Security customers on today’s evolving threats and ways to combat them via our endpoint security solutions. She has dedicated 20+ years to helping businesses understand and address risk in their organizations.
