Ransomware Groups Weaponize RMM Tools to Infiltrate Networks and Exfiltrate Data


Ransomware gangs have increasingly co-opted Remote Monitoring and Management (RMM) tools originally designed for IT operations to orchestrate sophisticated network intrusions, persistence, lateral movement, and data exfiltration.

Investigations conducted in the second half of 2024 and the first quarter of 2025 revealed this pattern across incidents affecting two US-based organizations and one UK-based entity.

These tools, trusted within enterprise environments for tasks like software deployment and system monitoring, evade traditional security controls due to their legitimate status, blurring the lines between authorized administrative actions and covert malicious behavior.

Researchers from Cato Networks, in their 2025 CTRL Threat Report, analyzed multiple commercial and open-source RMM solutions, including AnyDesk, ScreenConnect, SimpleHelp, and PDQ Deploy, that have been abused by groups such as Hunters International and Medusa.

This dual-use capability mirrors that of Remote Access Trojans (RATs), enabling remote execution, script deployment, stealth access via hidden sessions, and encrypted peer-to-peer connections that complicate detection and attribution.

Real-World Incidents

Detailed forensic analysis uncovered recurring tactics in these campaigns. In one Q3 2024 incident, Hunters International targeted a UK manufacturing firm using AnyDesk and ScreenConnect for persistent access over a month, facilitating potential large-scale data exfiltration before ransomware deployment.

The gang’s recent shutdown and provision of free decryptors underscore the volatile nature of these operations.

Similarly, in Q4 2024, Medusa infiltrated a US construction company via a malicious ScreenConnect installer, leveraging PDQ Deploy for internal scanning and lateral movement, raising questions about whether the tools were pre-existing or attacker-introduced.

A Q1 2025 attack on a US non-profit involved an unknown ransomware group deploying SimpleHelp for initial persistence, followed by AnyDesk on additional hosts to expand network control.

Across these cases, attackers ran multiple RMM tools side by side so that losing one channel did not cost them access, and relied on features such as agentless access, certificate pinning (which defeats TLS inspection), and execution with elevated privileges. Because these tools are signed and widely deployed, endpoint detection and response (EDR) systems tend to treat them as legitimate administrative software rather than malware.

Network behavior analysis, including Wireshark captures of AnyDesk sessions on TCP port 7070 and anomaly detections in Cato XDR, showed that these tools still generate observable WAN-bound connections, which can trigger automated alerts on internal host-to-host sessions or on the first use of an RMM tool by a given host.

[Figure: Wireshark capture of AnyDesk session initiation and termination]

Proof-of-Concept

To illustrate the ease of abuse, a proof-of-concept attack simulated a phishing-delivered LNK file that launched PowerShell to start the pre-installed AnyDesk client, establishing a connection to an attacker-controlled endpoint and giving the attacker persistent access.
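The proof-of-concept chain above (LNK launches PowerShell, PowerShell launches AnyDesk) is something an endpoint detection can catch from process ancestry alone, without knowing which RMM tool or which command line the attacker picked. The following script is an added example written for this page, not Cato's detection logic: it walks Sysmon-style process-creation events and flags any RMM executable that has a scripting host (PowerShell, cmd, wscript, mshta) among its ancestors, while leaving alone the same binary started interactively from Explorer or as its installed service. The events are constructed for the example; the AnyDesk and ScreenConnect executable names are the vendors' real names, the PDQ runner name is an assumption, and the sample command line is illustrative.

```python
"""Flag RMM executables started from a scripting host, the chain the
LNK -> PowerShell -> AnyDesk proof of concept produces. Added example
over constructed Sysmon-style process-creation events, not Cato's code."""
import ntpath
from dataclasses import dataclass

# Executable names treated as RMM agents. AnyDesk.exe and the two
# ScreenConnect client names are the vendors' real names; the PDQ runner
# name is an assumption and should be checked against your own inventory.
RMM_IMAGES = {
    "anydesk.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientservice.exe",
    "pdqdeployrunner-1.exe",
}
# Interpreters a phishing lure typically runs through before the RMM binary.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
MAX_DEPTH = 5  # how far up the process tree to look for a scripting host


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full image path as Sysmon Event ID 1 records it
    cmdline: str = ""


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(ev, by_pid):
    """Image basenames from ev up to the root, or up to MAX_DEPTH hops."""
    chain = [basename(ev.image)]
    cur = ev
    for _ in range(MAX_DEPTH):
        cur = by_pid.get(cur.ppid)
        if cur is None:          # parent not in the capture: stop here
            break
        chain.append(basename(cur.image))
    return chain


def find_scripted_rmm_launches(events):
    """Return one finding per RMM process with a scripting host above it.
    PID reuse is ignored here; a real pipeline keys on process GUIDs."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in RMM_IMAGES:
            continue
        chain = ancestry(ev, by_pid)
        hosts = [img for img in chain[1:] if img in SCRIPT_HOSTS]
        if hosts:
            findings.append({"pid": ev.pid, "image": chain[0],
                             "via": hosts[0], "chain": " <- ".join(chain)})
    return findings


# Constructed sample events (not a real capture). Explorer's own parent is
# deliberately absent so the walk stops there.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "System"),
    ProcEvent(620, 4, r"C:\Windows\System32\services.exe"),
    ProcEvent(2180, 900, r"C:\Windows\explorer.exe"),
    # The lure: Explorer opens the LNK, which runs a hidden PowerShell
    ProcEvent(3010, 2180,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c "
              "\"Start-Process 'C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe'\""),
    ProcEvent(3120, 3010, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    # Benign: a user opens AnyDesk from the Start menu
    ProcEvent(3250, 2180, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    # Benign: AnyDesk running as its installed service under services.exe
    ProcEvent(3300, 620, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
]

if __name__ == "__main__":
    for f in find_scripted_rmm_launches(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['image']} launched via {f['via']} "
              f"({f['chain']})")
```

Only the PowerShell-spawned instance (pid 3120) is reported; the Explorer-launched and service-launched copies of the same binary pass, which is the distinction the text draws between authorized administrative use and covert activation. In production, add the LNK's own path and the PowerShell command line (hidden window, bypassed execution policy) as corroborating fields rather than as the sole trigger.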

Cato’s detection mechanisms flagged the anomalous network signals, generating XDR stories for rapid response.

CISA's #StopRansomware advisories corroborate this trend, which extends beyond ransomware crews to nation-state actors that use RMM tools as low-cost alternatives to custom RATs.

Mitigation requires enhanced network visibility and operational controls: organizations should baseline and track RMM usage per host, enforce allowlisting of approved tools and block the rest, apply least-privilege principles to RMM accounts and agents, secure consoles with multi-factor authentication, monitor for behavioral anomalies such as RMM sessions on non-standard ports, between internal hosts, or from hosts that have never used the tool before, and conduct regular audits of RMM configurations.

By combining these with contextual analysis, enterprises can differentiate legitimate IT activity from threats, preserving RMM benefits while countering their weaponization.
