Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Adversaries regularly abuse remote monitoring and management (RMM) tools because they’re widely used for legitimate reasons and seem benign. Along with the ability to blend in while moving laterally, these tools offer adversaries a reliable way to communicate with and pass information in and out of infected hosts.
In 2021 we identified an uptick in ransomware operators abusing RMM tools to remotely control victim machines and deploy additional malicious payloads. RMM has typically been used by help desk technicians to resolve issues on client computers. These software suites allow users to remotely control hosts, providing adversaries with a user-friendly graphical interface, secure network connections via cloud-hosted infrastructure, and host persistence. This makes it a challenge for defenders to catch the early stages of intrusions. It became increasingly clear to us throughout the year that detecting abnormal installation and execution of these tools early can help thwart ransomware or slow the further deployment of malicious payloads.
Not all ransomware operators or affiliates use these tools as part of their intrusion chain, so other security controls remain important to cover other access paths. Community reporting has identified ransomware groups like REvil, Conti, Avos Locker, and Blackheart using software suites such as ScreenConnect, Atera, and AnyDesk to gain persistent footholds on hosts after compromising them. In many instances, this led to the deployment of ransomware. Identifying rogue instances of these management tools is a great starting point for understanding and defending your endpoints.
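As an added example (not code from the original report), the following Python check flags executions of the RMM tools named above when the product is not sanctioned in the environment or runs from an unexpected location. The executable names, the sanctioned-tool policy and the telemetry records are all assumptions constructed for illustration.

```python
"""Flag unsanctioned RMM tool execution in endpoint process telemetry."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed mapping of RMM product -> executable names commonly seen for it.
# These names are assumptions for the example, not an authoritative list.
RMM_SIGNATURES = {
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "Atera": {"ateraagent.exe"},
    "AnyDesk": {"anydesk.exe"},
}

# Assumed organisational policy: sanctioned products and the install directory
# a legitimate deployment is expected to run from. Anything else is rogue.
SANCTIONED = {"ScreenConnect": r"c:\program files (x86)\screenconnect client"}


@dataclass
class Finding:
    host: str
    product: str
    image: str
    reason: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the process event is an RMM tool that is either not
    sanctioned or runs from outside its expected directory; None otherwise."""
    path = event["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    for product, names in RMM_SIGNATURES.items():
        if name not in names:
            continue
        expected_dir = SANCTIONED.get(product)
        if expected_dir is None:
            return Finding(event["host"], product, event["image"], "product not sanctioned")
        if not path.startswith(expected_dir.lower()):
            return Finding(event["host"], product, event["image"], "unexpected install path")
        return None  # sanctioned product in its expected location
    return None  # not an RMM tool we track


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


# Constructed sample process-start telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "ws02", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "ws03", "image": r"C:\Users\Public\ScreenConnect.ClientService.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.product} ({f.reason}) -> {f.image}")
```

Against the sample data this reports ws02 (AnyDesk, not sanctioned) and ws03 (ScreenConnect outside its expected directory), while the sanctioned ws01 instance and the unrelated svchost.exe are left alone.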