
Tools Attackers Use to Deploy Ransomware


Most ransomware attacks do not begin with malware.
They begin with trust being misused.
Attackers succeed because:
1. They use tools already present in environments
2. Activity looks legitimate at first
3. Detection focuses too late in the attack chain
Ransomware is usually the last visible step, not the first.

The Real Ransomware Attack Chain (Observed in Incidents)
1. Initial access (often email or credentials)
2. Privilege abuse
3. Lateral movement
4. Persistence and staging
5. Encryption and extortion
If you stop any earlier step, encryption often never happens.

1. Email & Phishing Toolkits
What Attackers Rely On
1. Mass email platforms
2. Document generators (PDF, DOC)
3. Credential capture pages
These tools are not advanced.
They work because people are busy.

Real World Pattern
1. User receives a realistic invoice or alert
2. Clicks link
3. Enters credentials
4. Attacker reuses credentials for VPN or cloud access

Defensive Tools
1. Email gateways
2. DMARC / SPF / DKIM
3. User-reported phishing workflows

2. Credential Abuse & Legitimate Admin Tools
Attackers prefer living off the land.
They abuse:
1. Built-in system utilities
2. Admin privileges
3. Trusted remote access tools
Security teams often trust these by default.

Why This Works
Signed tools + valid credentials + normal admin behavior = delayed detection

Awareness Detection Logic
IF admin login is successful
AND device or location is new
AND timing is unusual
THEN require step-up verification
This alone stops many attacks early.
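The rule above as an added example run over constructed login events (example code, not from the original post); the known-device and known-location sets, the usual-hours range and the event fields are assumptions:

```python
from datetime import datetime

# Constructed baseline for one admin account (assumed; a real deployment
# would derive this from identity-provider logs such as Entra ID or Okta)
KNOWN_DEVICES = {"admin-laptop-01"}
KNOWN_LOCATIONS = {"GB"}
USUAL_HOURS = range(7, 20)  # 07:00-19:59 local time


def requires_step_up(event: dict) -> bool:
    """Successful admin login AND new device or location AND unusual timing
    -> require step-up verification (the rule exactly as stated above)."""
    if not (event["result"] == "success" and event["is_admin"]):
        return False
    new_context = (event["device"] not in KNOWN_DEVICES
                   or event["country"] not in KNOWN_LOCATIONS)
    hour = datetime.fromisoformat(event["time"]).hour
    unusual_time = hour not in USUAL_HOURS
    return new_context and unusual_time


def flagged_logins(events) -> list:
    """Return the timestamps of logins that should trigger step-up."""
    return [e["time"] for e in events if requires_step_up(e)]


# Constructed sample events, not real log data
LOGINS = [
    {"user": "jdoe", "is_admin": True, "result": "success", "device": "admin-laptop-01",
     "country": "GB", "time": "2024-03-04T09:15:00"},   # known device, office hours
    {"user": "jdoe", "is_admin": True, "result": "success", "device": "unknown-host",
     "country": "NL", "time": "2024-03-04T03:40:00"},   # new device+country, 03:40
    {"user": "jdoe", "is_admin": True, "result": "success", "device": "unknown-host",
     "country": "GB", "time": "2024-03-04T10:00:00"},   # new device, but normal hours
    {"user": "jdoe", "is_admin": True, "result": "failure", "device": "unknown-host",
     "country": "NL", "time": "2024-03-04T03:41:00"},   # failed login: rule does not fire
]

if __name__ == "__main__":
    for e in LOGINS:
        print(e["time"], "step-up" if requires_step_up(e) else "allow")
```

Because the rule requires both a new context and unusual timing, the third event (new device during normal hours) passes; tighten the AND to an OR if that is not acceptable for your admin accounts.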

3. Remote Access & Persistence Tools
Commonly Abused Categories
1. Remote desktop software
2. IT support agents
3. Monitoring or management tools
Once installed, these look legitimate.

Real Incident Pattern
1. Attacker installs a remote tool quietly
2. Uses it for days or weeks
3. Deploys ransomware later
This delay reduces suspicion.

4. Lateral Movement & Network Exploration
Before ransomware, attackers:
1. Enumerate systems
2. Access file shares
3. Move sideways using credentials
This phase creates noise, but only if you look.

Detection Tools
1. EDR / XDR platforms
2. Network traffic analysis
3. Identity behavior analytics

Awareness Rule
User accesses 25 systems in 15 minutes
Normally accesses 2 per week
→ investigate immediately
Lateral movement is one of the best stop points.
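The 25-systems-in-15-minutes rule as an added example over constructed access events (not code from the original post); the per-user weekly baselines, the 5x burst factor and the event fields are assumptions:

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
# Constructed baselines: distinct systems each user normally touches per week
BASELINE_PER_WEEK = {"jdoe": 2, "asmith": 2}
BURST_FACTOR = 5   # assumed threshold: 5x the weekly baseline inside one window


def peak_distinct_hosts(events, user: str) -> int:
    """Largest number of distinct hosts `user` accessed inside any 15-minute window."""
    accesses = sorted((datetime.fromisoformat(e["time"]), e["host"])
                      for e in events if e["user"] == user)
    peak, start = 0, 0
    for end in range(len(accesses)):
        while accesses[end][0] - accesses[start][0] > WINDOW:  # drop events older than the window
            start += 1
        peak = max(peak, len({h for _, h in accesses[start:end + 1]}))
    return peak


def should_investigate(events, user: str) -> bool:
    """Investigate when the 15-minute peak dwarfs what the user does in a whole week."""
    return peak_distinct_hosts(events, user) >= BURST_FACTOR * BASELINE_PER_WEEK.get(user, 1)


# Constructed sample access events (shape assumed; e.g. from logon or SMB share audit logs)
T0 = datetime(2024, 3, 4, 2, 0, 0)
EVENTS = [
    # jdoe's account touches 25 different servers in under 12 minutes
    {"user": "jdoe", "host": f"srv-{i:02d}", "time": (T0 + timedelta(seconds=28 * i)).isoformat()}
    for i in range(25)
] + [
    # asmith does ordinary work on two systems
    {"user": "asmith", "host": "fs-01", "time": "2024-03-04T09:00:00"},
    {"user": "asmith", "host": "print-01", "time": "2024-03-04T09:05:00"},
]

if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        verdict = "investigate" if should_investigate(EVENTS, user) else "ok"
        print(user, peak_distinct_hosts(EVENTS, user), verdict)
```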

5. Ransomware Payload Deployment
Important reality:
1. The ransomware binary is often simple
2. It appears briefly
3. It runs only after preparation
Most damage is already prepared by this stage.

Conceptual Flow
Access obtained → Privileges abused → Systems mapped → Backups targeted → Encryption triggered
If backups survive, leverage is lost.

Tools Mapped to Each Phase
Identity & Access
1. Microsoft Entra ID / Azure AD logs
2. Okta system logs
3. Have I Been Pwned (domain monitoring)

Endpoint & Behavior
1. EDR / XDR platforms
2. Sysmon (logging focus)
3. Windows Event Viewer

Network
1. Zeek
2. Firewall logs
3. Network segmentation tools

Email & Browser
1. Secure email gateways
2. Browser isolation (enterprise)
These tools expose misuse, not malware.

Examples of Code (Detection)
A. Visibility of PowerShell Scripts (Read-Only)
# Check whether PowerShell script block logging is enabled by policy (read-only)
# EnableScriptBlockLogging = 1 means enabled; an error here means the policy key does not exist
Get-ItemProperty `
  HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging `
  -Name EnableScriptBlockLogging

Why is this important?
Attackers check what an environment logs before they act; weak logging makes it a more attractive target.

B. Scheduled Tasks
# List scheduled tasks; Author and Date show who created each task and when
Get-ScheduledTask | Select-Object TaskName, State, Author, Date

Purpose:
1. To identify tasks that are newly created.
2. To determine who owns the task and why it was created.

C. Backup Protection
IF an attempt is made to remove backup files
AND the user is not a backup administrator
THEN create an alert immediately
Ransomware usually fails when backups are still available.

D. File Change Rate
IF many files change rapidly
AND file types vary
THEN isolate endpoint
This detects pre-encryption staging, not just encryption.
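Rules C and D as one added example over constructed Sysmon/EDR-style file events (not code from the original post); the backup-admin group, backup paths, the one-minute window, the 200-file and 5-extension thresholds and the event fields are assumptions:

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed policy values (assumptions, not from the original post)
BACKUP_ADMINS = {"svc-backup"}                      # accounts allowed to delete backups
BACKUP_PATHS = (r"\\nas01\backups", r"d:\backups")  # where backup files live (lower-case)
RATE_WINDOW = timedelta(seconds=60)                 # "rapidly": within one minute
RATE_THRESHOLD = 200                                # "many files": modifications per window
TYPE_THRESHOLD = 5                                  # "file types vary": distinct extensions


def is_backup_path(path: str) -> bool:
    return path.lower().startswith(BACKUP_PATHS)


def backup_deletion_alerts(events) -> list:
    """Rule C: a delete under a backup path by a non-backup-admin -> alert."""
    return [e for e in events
            if e["action"] == "delete" and is_backup_path(e["path"])
            and e["user"] not in BACKUP_ADMINS]


def should_isolate(events, host: str) -> bool:
    """Rule D: many modifications in a short window AND many extensions -> isolate host."""
    mods = sorted((datetime.fromisoformat(e["time"]), PureWindowsPath(e["path"]).suffix.lower())
                  for e in events if e["host"] == host and e["action"] == "modify")
    start = 0
    for end in range(len(mods)):
        while mods[end][0] - mods[start][0] > RATE_WINDOW:   # slide the window start forward
            start += 1
        burst = mods[start:end + 1]
        if len(burst) >= RATE_THRESHOLD and len({ext for _, ext in burst}) >= TYPE_THRESHOLD:
            return True
    return False


# Constructed sample file events, not real telemetry
T0 = datetime(2024, 3, 4, 2, 10, 0)
EXTS = [".docx", ".xlsx", ".pdf", ".jpg", ".pptx", ".txt"]
EVENTS = [  # ws-042: 250 files of six types rewritten in 50 seconds (staging/encryption pattern)
    {"host": "ws-042", "user": "jdoe", "action": "modify",
     "path": rf"C:\Users\jdoe\Documents\file{i}{EXTS[i % len(EXTS)]}",
     "time": (T0 + timedelta(milliseconds=200 * i)).isoformat()} for i in range(250)
] + [  # ws-007: one user saving the same report every 30 seconds (normal)
    {"host": "ws-007", "user": "asmith", "action": "modify",
     "path": r"C:\Users\asmith\Documents\report.docx",
     "time": (T0 + timedelta(seconds=30 * i)).isoformat()} for i in range(30)
] + [
    {"host": "ws-042", "user": "jdoe", "action": "delete", "time": "2024-03-04T02:15:00",
     "path": r"\\nas01\backups\fileserver-2024-03-03.vbk"},      # alert: jdoe is not a backup admin
    {"host": "bkp-01", "user": "svc-backup", "action": "delete", "time": "2024-03-04T02:16:00",
     "path": r"D:\Backups\fileserver-2024-02-01.vbk"},           # legitimate retention cleanup
]
```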

Free & Low-Cost Tools
1. Sysmon
2. Elastic Stack (free tier)
3. Zeek
4. Wireshark
5. Google Admin Toolbox
6. MXToolbox

Ideal for:
1. Training
2. Tabletop exercises
3. Detection practice

Tabletop Exercise
Scenario
1. User reports unusual login alert
2. Admin sees new scheduled task
3. Backup deletion attempt logged

Discussion
1. Where is this detected first?
2. Who escalates?
3. What gets isolated?
4. How do you confirm impact calmly?

Common Awareness Gaps
1. Looking only for ransomware files
2. Ignoring “successful” logins
3. Trusting admin tools by default
4. Waiting for systems to break
By the time encryption starts, options are limited.

Key Takeaways
1. Ransomware uses normal tools in abnormal ways
2. Credentials are the real entry point
3. Detection works best before encryption
4. Logging and behavior matter more than signatures
5. Education reduces both panic and damage
If you only search for ransomware,
you’re already late.

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067