By Bharat Mistry
Ransomware is an existential threat to many European businesses. And the bad news is the malicious actors behind it are hard at work refining their tactics. Legitimate tools like remote access software are increasingly popular as a means to bypass traditional security. A defence-in-depth approach grounded in attack surface risk management provides a robust response.
Ransomware continues to represent the biggest cybersecurity and organised crime threat to the UK – and Europe. According to the UK’s National Crime Agency, the threat is poses to critical national infrastructure (CNI) even elevates it to a national security risk. That’s why the British government recently proposed drastic action: a ban on ransom payments by CNI providers and public bodies.
Yet the media attention surrounding the proposals threatens to distract businesses from the task in hand. Ransomware continues to cause huge financial and reputational damage for European businesses. And it’s getting smarter and harder to detect.
Down but not out
Globally, there was actually an estimated 35% decline in ransomware payments in 2024, thanks to law enforcement action and a growing refusal by victims to pay. However, this is no time to celebrate victory. Threat actors still managed to extort over $813m from their victims last year. And they’re already looking for ways to grow that figure in 2025. For many smaller businesses especially, ransomware continues to represent an existential threat. Just ask Kettering-based KNP Logistics Group, which was forced into administration following an attack.
So how are threat actors evolving their tactics? Up to now, a key method of gaining initial access was via a simple phishing email, likely containing a malicious link or attachment. However, going forward we’ll see more attacks start with vulnerability exploitation, or use of stolen credentials.
The huge number of virtual and physical servers, laptops, mobile and IoT devices, applications and other corporate assets we call the “cyber-attack surface” is expanding for most organisations. And many of these endpoints are riddled with vulnerabilities. Over 40,000 were published in 2024 alone. As corporate security teams struggle to patch them all, many will be left wide open to exploit. Then there are credentials. Fuelled by a surge in infostealer malware, the dark web is awash with stolen credentials, which allow ransomware actors to waltz past perimeter defences masquerading as legitimate users. This situation is further exacerbated by the rise of non-human identities, such as service accounts and automated bots, which can be exploited to gain unauthorized access. These non-human identities often have elevated privileges and can operate undetected, posing significant risks as they blend seamlessly into normal network activity, making it increasingly difficult for organizations to identify and mitigate potential threats.
Legitimate tools with illicit goals
Cybercriminals are also turning to legitimate tools to achieve initial access and subsequent lateral movement inside targeted networks, where they go hunting for sensitive data and systems to encrypt. These might include Remote Monitoring and Management (RMM) tools like AnyDesk, Atera and Splashtop. They were originally designed for IT administrators to remotely access and manage devices in their networks, but increasingly serve the same purpose for ransomware actors—enabling them to deploy malicious payloads at will. Because the tools are trusted, traditional security controls will not sounds the alarm when they’re being abused in this way.
Attackers are also abusing tools like PsExec, a legitimate Windows utility for executing processes on remote systems, to deploy ransomware across a network.?PsExec is designed for system administrators to manage remote machines.
These “living-off-the-land” techniques are favoured by cybercriminals and nation state actors alike. Not only do they evade the scrutiny of security tools, they also reduce development costs for the hackers—saving them time and resources, while increasing success rates.?In the case of RMM solutions, they can support multiple simultaneous attacks, if a campaign compromises a tool used by a managed service provider (MSP) to access its customers’ networks.
When compared to traditional email phishing, such tactics are more stealthy—unlike malicious messages which are often blocked by spam filters or detected by users. They’re also more efficient at providing automated access to multiple systems; whereas phishing relies on individual user actions. And they’re well documented and reliable—ensuring that attackers can achieve their objectives without encountering technical difficulties.
In the wild
We’ve detected threat actors using such tactics at least as far back as 2018, when we spotted a ransomware variant bundled with a version of AnyDesk to help with post-exploitation activity. More recently, in 2022, US security agency CISA spotted a campaign by Iranian APT group MuddyWater which used ScreenConnect for initial access and lateral movement. And a year later, it warned of a threat group using SecureConnect and AnyDesk for a sophisticated scam targeting federal government employees.
Ransomware affiliates working for the Black Basta group—especially one known as “Scattered Spider”—are well-known for using legitimate tooling in their attacks. A favourite tactic is to flood an employee’s inbox with spam, and then initiate a Teams call impersonating the IT helpdesk. Using social engineering techniques, the bad actor will persuade the victim to download RMM software like Quick Assist, giving them remote access to the machine. Microsoft warned corporate customers of such tactics last year.
Hitting back
The bad news is that these and other efforts are likely to be supercharged as cybercriminals begin to harness the power of AI in their attacks. Generative AI (GenAI) in particular will help them to use legitimate penetration testing tools more effectively for reconnaissance of targets—ie scanning and suggesting the best exploits to use on specific victims. They could help write scripts for post-exploitation activity like privilege escalation, and even customise payloads to bypass security defences. GenAI can also help threat actors scale highly convincing phishing campaigns in multiple languages at once.
As digital investments continue to expand the corporate attack surface, how can network defenders respond? First, by understanding their environment and all the potential entry points, from vulnerable software to exposed services. Assessing the risk associated with each vulnerability and prioritising remediation based on business impact is paramount.
This foundation should inform all other layers of a defence-in-depth approach. This includes enhanced threat detection focusing on behavioural analysis—to spot when RMM tools are being used in suspicious ways, for example. And robust security awareness training to combat AI-powered phishing. A Zero Trust security model is also critical in today’s highly distributed IT environments, while global threat intelligence will help security teams to stay ahead of evolving tactics. Comprehensive incident response plans remain essential. But only through this holistic approach, grounded in attack surface management and risk prioritisation, can organisations effectively mitigate the escalating threat of ransomware in an evolving landscape.
That may be a lot to think about. But for most businesses, it’s a risk that must be managed.
About the Author
Bharat Mistry is a technology leader with deep expertise in cybersecurity and a passion for driving secure product development. As an industry evangelist, he bridges the gap between technical and business teams, ensuring products are not only cutting-edge but also secure, scalable, and aligned with evolving cyber threats. With a focus on strategy, innovation, and collaboration, Bharat works with cross-functional teams to deliver cybersecurity solutions that empower organisations to grow with confidence in a digital-first world.
#Ransomware #Evolving #Todays #Business #Landscape