Cyber Security News

Ransomware Gangs Leverage Remote Access Tools to Gain Persistence and Evade Defenses

Ransomware operators have shifted from opportunistic malware distribution to highly targeted campaigns that exploit legitimate software for stealth and persistence.

Emerging in early 2025, several ransomware families began abusing popular remote access tools—such as AnyDesk and Splashtop—to establish footholds within enterprise networks.

By hijacking or silently installing these utilities, adversaries bypass security controls that traditionally trust signed installers, enabling initial access without tripping conventional detection mechanisms.

Organizations rapidly discovered anomalous remote sessions connecting from unexpected geolocations.

Seqrite analysts identified that attackers leveraged credential stuffing and phishing to obtain privileged accounts, then deployed remote access tools to move laterally.

Rather than relying solely on custom malware binaries, threat actors used existing administration frameworks to blend malicious activity into everyday IT operations, rendering their actions practically invisible to legacy endpoint protections.

The impact of these campaigns has been profound. Victims report encrypted file shares, disabled backups, and altered remote access tool credentials that lock administrators out of their own systems.

In high-profile intrusions attributed to LockBit and Black Basta variants, attackers combined RAT abuse with file-shredding commands to eradicate forensic traces, extend dwell time, and maximize ransom demands.

Organizations suffered costly downtime and data loss, underscoring the urgency of reevaluating trust in routine IT utilities.

Persistence Tactics of Remote Access Tool Abuse

A critical enabler of these ransomware operations is the attackers’ ability to maintain persistent control through run-of-the-mill remote administration software.

Two primary methods emerged: hijacking preinstalled tools to avoid file creation and deploying lightweight installers via command-line flags.

In the hijacking scenario, adversaries enumerate installed applications through Windows Management Instrumentation or PowerShell, then inject malicious credentials or modify JSON configuration files to grant unattended access under the attacker’s account.

This approach leaves no new executables on disk and evades antivirus scanning by abusing trusted executables already whitelisted in enterprise policies.
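One defensive check that follows from the hijacking scenario is configuration drift detection: keep a hashed baseline of the remote tool's configuration file at deployment time, diff the live copy against it, and escalate any change under the sections that grant or widen access. The following Python script is an added example, not code from the article or from any vendor; the JSON layout and key names (unattended_access, allowed_accounts, permissions) are constructed stand-ins rather than a real product's schema, and the baseline and tampered copies are constructed sample data.

```python
"""Detect drift in a remote access tool's JSON configuration file.

Added example, not code from the article or any vendor. The configuration
layout and key names below are constructed stand-ins, not a real product's
schema. The technique is the point: keep a hashed baseline of the file, diff
the live copy against it, and escalate changes under access-granting keys.
"""
import hashlib
import json
from typing import Any

# Top-level sections whose modification would grant or widen remote access.
# Assumed names; map these to the real keys of the tool you deploy.
ACCESS_SECTIONS = {"unattended_access", "allowed_accounts", "permissions"}


def fingerprint(config: dict[str, Any]) -> str:
    """SHA-256 of the canonical JSON form, stable across key order."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline: Any, current: Any, path: str = "") -> list[tuple[str, str, Any, Any]]:
    """Recursively compare two parsed configs.

    Returns (json_path, kind, old, new) tuples, where kind is one of
    'added', 'removed' or 'changed'. Lists are compared as whole values.
    """
    changes: list[tuple[str, str, Any, Any]] = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            child = f"{path}.{key}" if path else key
            if key not in current:
                changes.append((child, "removed", baseline[key], None))
            elif key not in baseline:
                changes.append((child, "added", None, current[key]))
            else:
                changes.extend(diff_config(baseline[key], current[key], child))
    elif baseline != current:
        changes.append((path, "changed", baseline, current))
    return changes


def classify(changes: list[tuple[str, str, Any, Any]]) -> list[tuple[str, str, str, Any, Any]]:
    """Prefix each change with 'high' when it touches an access-granting section."""
    return [
        ("high" if path.split(".")[0] in ACCESS_SECTIONS else "low", path, kind, old, new)
        for path, kind, old, new in changes
    ]


def audit(baseline: dict[str, Any], current: dict[str, Any]) -> list[tuple[str, str, str, Any, Any]]:
    """Cheap hash comparison first; only walk the structure when it differs."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    return classify(diff_config(baseline, current))


# Constructed sample data: a baseline captured at deployment and a live copy
# in which unattended access was switched on, an account was added and file
# transfer was enabled. The password hash value is a placeholder.
BASELINE = {
    "unattended_access": {"enabled": False, "password_hash": ""},
    "allowed_accounts": ["it-admin@corp.example"],
    "permissions": {"file_transfer": False, "clipboard": True},
    "ui": {"language": "en"},
}
CURRENT = {
    "unattended_access": {"enabled": True, "password_hash": "<constructed-hash>"},
    "allowed_accounts": ["it-admin@corp.example", "svc-backup@corp.example"],
    "permissions": {"file_transfer": True, "clipboard": True},
    "ui": {"language": "en", "theme": "dark"},
}

if __name__ == "__main__":
    for sev, path, kind, old, new in audit(BASELINE, CURRENT):
        print(f"[{sev}] {path} {kind}: {old!r} -> {new!r}")
```

In practice the baseline fingerprint is stored off-host (or in a signed inventory), the audit runs on a schedule or on a file-modification event, and any "high" result is treated as a potential unattended-access grant rather than routine configuration noise.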

When opportunistic targets lack preexisting remote access utilities, attackers fall back on silent installation.

Using known installer parameters, they deploy signed binaries with minimal noise:

Start-Process -FilePath '.\AnyDesk.exe' -ArgumentList 'INSTALL=C','STARTWITHWINDOWS=1','SILENT=1' -NoNewWindow

This command installs AnyDesk as a service that launches at boot, granting the adversary persistent entry points for follow-on operations.

Similar flags—such as VERYSILENT and NORESTART—are documented in vendor manuals yet rarely monitored by defenders.

Once embedded, the remote tool runs with elevated privileges if attackers escalate via utilities like TrustedInstaller or PowerRun.

Combined with registry run-key manipulation and hidden scheduled tasks, this chain ensures that even if an incident responder removes one backdoor, a secondary access path remains.

This layered persistence model frustrates remediation efforts and demands a shift toward behavior-based monitoring that flags anomalous tool usage rather than file signatures.
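The behavior-based monitoring the section calls for can be expressed as a handful of rules over process-creation and registry events. The Python below is an added example, not code from the article, Seqrite or any vendor: it evaluates constructed Sysmon-style records (event 1 = process creation, event 13 = registry value set) and flags a watched remote access tool started with the silent or autostart switches the article names, a Run/RunOnce value pointing at such a tool, and a scheduled task whose action is such a tool. The watch-list of tool names, the switch patterns, the script-host list and the sample events are all assumptions chosen to illustrate the technique.

```python
"""Flag silent installs and persistence writes involving remote access tools.

Added example, not code from the article or from any vendor. It evaluates
constructed Sysmon-style events (event 1 = process creation, event 13 =
registry value set). The watch-list of tool names, the switch patterns and
the sample events are assumptions chosen to illustrate the technique.
"""
import re
from dataclasses import dataclass

# Remote access tools the article names; matched as substrings of the image
# path, command line or registry data. Assumed list: extend it locally.
RAT_MARKERS = ("anydesk", "splashtop")

# Installer switches the article mentions, in the spelling it uses.
# Assumed patterns; case-insensitive because installers accept either form.
SILENT_INSTALL = re.compile(
    r"(?i)(?:\bSILENT=1\b|\bVERYSILENT\b|\bNORESTART\b|\bSTARTWITHWINDOWS=1\b|\bINSTALL=)"
)
# Parents that raise severity: an installer spawned by a script host rather
# than by an interactive shell is the pattern the article's command produces.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")


@dataclass
class Finding:
    rule: str
    severity: str
    event_index: int
    evidence: str


def is_rat_related(text: str) -> bool:
    """True when the text references one of the watched remote access tools."""
    lowered = text.lower()
    return any(marker in lowered for marker in RAT_MARKERS)


def evaluate(events: list[dict]) -> list[Finding]:
    """Apply the three persistence rules to a list of events and return findings."""
    findings: list[Finding] = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if ev["EventID"] == 1:
            # Rule 1: a watched tool launched with silent/autostart installer switches.
            if is_rat_related(cmd) and SILENT_INSTALL.search(cmd):
                sev = "high" if parent in SCRIPT_HOSTS else "medium"
                findings.append(Finding("rat_silent_install", sev, idx, cmd))
            # Rule 2: schtasks.exe registering a task whose action is a watched tool.
            if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower() and is_rat_related(cmd):
                findings.append(Finding("rat_scheduled_task", "high", idx, cmd))
        elif ev["EventID"] == 13:
            # Rule 3: Run/RunOnce value whose data points at a watched tool.
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(target) and is_rat_related(details):
                findings.append(Finding("rat_run_key", "high", idx, f"{target} -> {details}"))
    return findings


# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r".\AnyDesk.exe INSTALL=C STARTWITHWINDOWS=1 SILENT=1"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'},  # interactive use, no flags
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\SomeTool-Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"SomeTool-Setup.exe /VERYSILENT /NORESTART"},  # silent, but not a watched tool
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk",
     "Details": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Updater" /SC ONLOGON /TR "C:\ProgramData\AnyDesk\AnyDesk.exe"'},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} (event {f.event_index}): {f.evidence}")
```

Run against the sample, the rules fire on the scripted silent install, the Run-key value and the scheduled task, and stay quiet on the interactive launch and on an unrelated installer that merely uses /VERYSILENT; the same logic ports directly to a SIEM query, with the marker list replaced by the tools actually sanctioned in the environment so that sanctioned deployments are allow-listed by path and deploying account rather than by name.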

By abusing trusted remote administration software, ransomware gangs have turned IT convenience into their most potent weapon.

Defenders must implement strict application whitelisting, enforce multi-factor authentication, and monitor command-line arguments associated with common remote access tools to detect and disrupt these stealthy persistence tactics before encryption can occur.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
