{
	"id": "f5dd7f27-ce33-4f59-96e0-e8959027240a",
	"created_at": "2026-04-06T00:18:21.232464Z",
	"updated_at": "2026-04-10T03:24:24.811916Z",
	"deleted_at": null,
	"sha1_hash": "37caa248dd4fbf07b86dbd9c3cfba27ded806852",
	"title": "Locked, Loaded, and in the Wrong Hands: Legitimate Tools Weaponized for Ransomware in 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 254468,
	"plain_text": "Locked, Loaded, and in the Wrong Hands: Legitimate Tools\r\nWeaponized for Ransomware in 2021\r\nArchived: 2026-04-05 20:33:00 UTC\r\nCommonly Abused Legitimate Tools\r\nHere is a summary of some of the most commonly abused legitimate tools:\r\n
Tool | Intended Use | How It Is Used for Ransomware Campaigns | Ransomware Campaigns That Used This Tool\r\nCobalt Strike | Threat emulation | Lateral movement, backdoor; has many other capabilities as a remote access trojan (RAT) | Clop, Conti, DoppelPaymer, Egregor, Hello (WickrMe), Nefilim, NetWalker, ProLock, RansomExx, Ryuk\r\nPsExec | Executing processes on other systems | Arbitrary command shell execution, lateral movement | DoppelPaymer, Nefilim, NetWalker, Maze, Petya, ProLock, Ryuk, Sodinokibi\r\nMimikatz | Proof-of-concept code for demonstrating vulnerabilities | Credential dumping | DoppelPaymer, Nefilim, NetWalker, Maze, ProLock, RansomExx, Sodinokibi\r\nProcess Hacker | Monitoring system resources, debugging software, and detecting malware | Process/service discovery and termination (including antimalware solutions) | Crysis, Nefilim, Sodinokibi\r\nAdFind | Active Directory (AD) search utility | AD discovery (can be a prerequisite for lateral movement) | Nefilim, NetWalker, ProLock, Sodinokibi\r\nMegaSync | Cloud-based synchronization | Data exfiltration | Hades, LockBit, Nefilim\r\nTable 1. Weaponized legitimate tools\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021\r\nPage 1 of 7\n\n
Some of the tools listed in the following figure have counterparts that serve similar purposes. For example, like Process Hacker, PC Hunter, GMER, and Revo Uninstaller can be exploited to terminate antimalware solutions. Likewise, both Mimikatz and LaZagne can be used for credential dumping.\r\nFigure 1. Examples of ransomware campaigns that abuse legitimate tools for various attack stages\r\nNotably, some campaigns use several tools at the same time rather than a single tool, since one tool can enable another. For example, Mimikatz, which can be abused to steal credentials, can grant access to PsExec functions that require admin privileges. One campaign that employed several tools at the same time is Nefilim, which used AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec, and MegaSync, among other tools.\r\nFigure 2. How weaponized legitimate tools are used in a ransomware campaign\r\nIn the next sections, we elaborate further on the uses of these tools as well as how they are used in ransomware campaigns.\r\n
Cobalt Strike\r\nTool’s intended use: Cobalt Strike is meant to be used as threat emulation software that can perform reconnaissance, covert communication, spear phishing, and post-exploitation. It is used by security researchers for a variety of functions, including penetration testing.\r\nPossible uses for ransomware: Cybercriminals use this tool in campaigns for lateral movement or as a backdoor. As a RAT, it also has many other capabilities. This tool can avoid detection by obfuscating shellcode and using Malleable Command and Control (aka Malleable C2).\r\nCampaigns that it was used for: Some ransomware campaigns that abused Cobalt Strike are Conti, Clop, DoppelPaymer, Egregor, Hello (WickrMe), NetWalker, Nefilim, ProLock, RansomExx, Ryuk, and Sodinokibi. We also found that it is compatible with the proof-of-concept ransomware Povlsomware.\r\nIn our recent analysis of Conti, the ransomware dubbed the successor of Ryuk, we discussed how Cobalt Strike beacons (Cobalt Strike’s covert payload) served as backdoors for the attack. The tool was also used for lateral movement. This was performed via actions such as accessing and dumping credential hashes from LSASS, using the harvested passwords for further movement, sending files to remote drives, and using Windows Management Instrumentation (WMI) commands to run either a DLL or EXE copy of itself.\r\n
PsExec\r\nTool’s intended use: PsExec is a “light-weight telnet-replacement” utility that lets users run Windows Server processes on remote systems. It also features full interactivity for console applications without needing to install the client software manually.\r\nPossible uses for ransomware: With attackers leveraging the features that enable a user to execute processes on remote systems, PsExec can be abused for arbitrary command shell execution and lateral movement. PsExec can also be used for propagation and remote execution of ransomware.\r\n
Mimikatz\r\nTool’s intended use: Mimikatz is intended to be, in the tool creator’s own words, “A little tool to play with Windows security.” Mimikatz was built as proof-of-concept code to demonstrate the vulnerabilities in Microsoft authentication protocols. It can harvest passwords, hashes, PIN codes, and Kerberos tickets.\r\nPossible uses for ransomware: Cybercriminals employ the features of Mimikatz for credential dumping to extract usernames, passwords, and other credentials that might be used to escalate privileges in other phases of the attack.\r\nCampaigns that it was used for: Attacks where Mimikatz is abused include those for DoppelPaymer, Nefilim, NetWalker, Maze, ProLock, RansomExx, and Sodinokibi.\r\nNetWalker can be executed filelessly using legitimate programs in the system; the ransomware is not compiled but is written in PowerShell and executed directly in memory without needing to store the actual binary on disk. The sample from the campaign that we observed abused PowerSploit’s Invoke-Mimikatz, an open-source program that can reflectively load Mimikatz. After being loaded, the tool can then perform credential dumping. Other campaigns have also shown how NetWalker launches Mimikatz to steal credentials that are then used to launch PsExec and deploy the ransomware.\r\nSimilar tools: LaZagne, an open-source application used to retrieve passwords for various software, has also been exploited for credential dumping in campaigns for several ransomware variants such as RansomExx, Nefilim, and NetWalker. NetPass can also be used to gather credentials.\r\n
Process Hacker\r\nTool’s intended use: Process Hacker is a free tool that is intended to be used to identify and stop processes. In turn, it can be employed for detecting malware, monitoring system resources, and debugging software. It can pinpoint runaway processes, processes that are using a particular file, programs that have active network connections, and real-time information on disk access and usage, among other things.\r\nPossible uses for ransomware: As Process Hacker can be used to gain an overview of running processes, cybercriminals have weaponized this function in ransomware campaigns to discover and terminate arbitrary processes and services, including those that are antimalware-related.\r\nCampaigns that it was used for: Campaigns that benefited from this tool include Crysis, Nefilim, and Sodinokibi. The tool was used to identify and disable antimalware solutions.\r\nCrysis (aka Dharma) has, on several occasions, used Process Hacker to alter processes and security solutions. The installer of the tool was also part of a 2018 attack as prc.exe. A more recent attack also used the tool (as Processhacker.exe) for similar functions.\r\nSimilar tools: Tools such as PC Hunter (which grants access to system processes, kernel modes, and hooks), GMER (which detects and removes rootkits), and Revo Uninstaller (which can uninstall apps and programs) also terminate programs and antimalware solutions. As in the case of Process Hacker, the three have been used in Crysis and Nefilim campaigns.\r\n
AdFind\r\nTool’s intended use: AdFind is a free command-line AD query tool that can be used to collect information from AD. AdFind can query AD for computers, identify domain users and domain groups, extract subnet information from AD, and collect information about organizational units and domain trusts.\r\nPossible uses for ransomware: AdFind can be used as a reconnaissance tool to discover computers, users, or groups within AD, as well as to equip ransomware with the resources it needs for lateral movement via AD.\r\n
MegaSync\r\nTool’s intended use: MegaSync is a cloud-based synchronization tool designed to work with the MEGA file-sharing service. It lets users sync files to devices and can also be used for storing and managing files, as well as for collaborating and sharing data with other users.\r\nPossible uses for ransomware: MEGA and MegaSync can be used for data exfiltration — a vital step for recent ransomware campaigns that wield the double extortion technique, since they not only encrypt files but also steal and threaten to publicly expose a targeted company’s sensitive data.\r\nCampaigns that it was used for: Hades, LockBit, and Nefilim are some of the ransomware campaigns that used this tool.\r\nLockBit is one of the ransomware variants that employs the double extortion technique. The LockBit ransomware operators employ MegaSync for exfiltration, taking advantage of the storage and ease of access of the tool to quickly upload files from the affected system.\r\n
Defense Against Disguised Enemies\r\nThe presence of weaponized legitimate tools must be detected so that security teams can stop a ransomware campaign dead in its tracks. However, this is easier said than done, as these tools might evade detection in several ways. One is through features that can be used to implement evasion techniques, as in the case of Cobalt Strike. Cybercriminals can also alter the code of these tools to tweak the parts that trigger antimalware solutions.\r\nAdditionally, when spotted from a single entry point (for example, when looking at the endpoint alone), the detections might seem benign by themselves, even when they should raise the alarm — that is, if they were viewed from a broader perspective and with greater context with regard to other layers such as emails, servers, and cloud workloads.\r\nIn tracking ransomware campaigns, organizations would be better protected if they relied not only on detections of files and hashes but also on monitoring behavior across layers. This is what we did in our recent investigation of the Conti ransomware, which we tracked using Trend Micro Vision One™ products.\r\nSolutions such as Trend Micro Vision One provide increased visibility and correlated detections across layers (endpoints, emails, servers, and cloud workloads), ensuring that no significant incidents go unnoticed. This allows faster response to threats before they can do any real damage to the system.\r\n
Indicators of Compromise (IOCs)\r\nNote: Actual detections might vary based on the hashes involved in the attack.\r\nTool | Trend Micro Pattern Detection\r\nCobalt Strike | Backdoor.Win64.COBEACON.SMA\r\nPsExec | N/A (Recommendation: check for suspicious PsExec activity in SMB network traffic and shared folders)\r\nMimikatz | HackTool.Win32.MIMIKATZ.SMGD\r\nProcess Hacker | PUA.Win64.ProcHack.AC\r\nPC Hunter | PUA.Win64.PCHunter.A\r\nGMER | PUA.Win32.GMER.A\r\nLaZagne | HackTool.Win64.LAZAGNE.AE\r\n
Source: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021"
	],
	"report_names": [
		"locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37caa248dd4fbf07b86dbd9c3cfba27ded806852.pdf",
		"text": "https://archive.orkl.eu/37caa248dd4fbf07b86dbd9c3cfba27ded806852.txt",
		"img": "https://archive.orkl.eu/37caa248dd4fbf07b86dbd9c3cfba27ded806852.jpg"
	}
}