July 21, 2025 6m read

Cato CTRL™ Threat Research: Investigation of RMM Tools Leveraged by Ransomware Gangs in Real-World Incidents 

Guy Waizel, Ronen Jaffa


Executive Summary 

Remote Monitoring and Management (RMM) tools are essential for IT operations, but their powerful capabilities and trusted status within enterprise networks have also made them valuable to threat actors. In the second half of 2024 and first quarter of 2025, we uncovered a recurring pattern during a series of cyber forensic investigations and threat detections impacting two US-based organizations and one UK-based organization. We found that ransomware gangs across multiple campaigns were leveraging legitimate RMM solutions to carry out sophisticated intrusions. 

Our research identified multiple commercial and open-source RMM tools that have been leveraged by ransomware gangs to target organizations. These RMM tools were exploited for initial access, persistence, lateral movement, and data exfiltration. In many cases, they bypassed traditional security controls due to their legitimate presence in the enterprise environment. This dual-use nature of RMM tools presents a growing challenge for organizations, where the line between authorized administrative activity and malicious behavior is increasingly difficult to define and detect. 

We will share findings from the real-world incidents we investigated, highlight the specific RMM tools most frequently abused, explain our analysis approach, demonstrate a real-world RMM attack scenario, and provide recommendations for detecting and mitigating this threat in enterprise environments. 

Technical Overview 

RMM Tools Are Increasingly Being Leveraged by Ransomware Gangs  

RMM tools are widely used by IT teams and managed service providers (MSPs) to remotely monitor and control systems across enterprise networks. They support essential tasks such as software deployment, system configuration, and performance monitoring at scale. 

However, the same features that make RMM tools essential also make them attractive to ransomware gangs. RMM tools share many capabilities with Remote Access Trojans (RATs), including remote control, script execution, file transfers, and persistence. The key difference lies in intent. While RATs are designed for covert access, RMMs operate as trusted software. This trust can be exploited by threat actors. 

Ransomware gangs are increasingly using commercial RMMs instead of custom malware to gain access, avoid detection, and blend in with legitimate administrative activity. Their trusted status and modular design allow malicious components to be deployed without raising immediate alarms. 

As a result, RMM tools have become a reliable and stealthy method of maintaining persistent access to a target network. Security teams must now rethink how they detect and respond to this evolving threat.

Analysis Approach 

We examined how legitimate RMM tools are being leveraged in real-world attacks. The process began with the analysis of threat intelligence reports, including CISA’s #StopRansomware advisories, where we identified repeated use of RMM tools across multiple ransomware campaigns. This led us to investigate multiple commercial and open-source RMM tools that have been leveraged by a wide range of threat actors. While ransomware gangs are prominent users, nation-state groups have also adopted these tools as low-cost, easily available alternatives to custom RATs. 

To better understand this trend, we systematically tested and analyzed these RMM tools in a test environment. We examined their network behavior and fingerprinted unique traffic patterns, enabling us to identify RMM-driven activity within enterprise environments and evaluate the security implications of their misuse. 


Capabilities Leveraged by Ransomware Gangs in Recently Analyzed Attacks 

Across the RMM tools we studied, we identified several recurring capabilities that were actively exploited by ransomware gangs: 

  • Remote Execution and Script Deployment: Used to run commands, deploy payloads, and establish persistence through native administrative features. 
  • Stealth Access: Enabled by support for hidden terminal sessions and silent execution. 
  • Connection Models: Cloud and peer-to-peer configurations that complicate detection and attribution. 
  • Privilege and Visibility Gaps: RMMs often run with elevated permissions and are inherently trusted, reducing detection by standard tools. 
  • Agentless Access and Certificate Pinning: Portable execution and encrypted channels limit visibility and inspection. 

We also observed three real-world incidents where ransomware gangs used RMMs in malicious campaigns. In these cases, multiple RMM tools were used simultaneously to diversify capabilities and maintain persistence. 

Analysis of Real-World Incidents  

Incident 1: Hunters International – Persistent Access and Exfiltration 

In Q3 2024, the Hunters International ransomware gang targeted a UK-based manufacturing organization, using AnyDesk and ScreenConnect to maintain long-term access, potentially in preparation for data exfiltration involving a large volume of files. Both tools were installed from legitimate sources and remained active in the network for over a month before ransomware was executed. The use of multiple RMMs improved resilience and lowered the chance of detection. 

Of note, Hunters International recently announced it shut down and offered free decryptors to help victims recover their data without paying a ransom. 

Incident 2: Medusa – Initial Access and Lateral Movement 

In Q4 2024, the Medusa ransomware gang targeted a US-based construction organization, gaining initial access using a malicious ScreenConnect installer, followed by the use of PDQ Deploy for internal scanning and software deployment. It remains unclear whether these tools were attacker-deployed or already present, underscoring the difficulty of distinguishing legitimate IT activity from malicious behavior. 

Incident 3: Ransomware Incident – Persistent Access 

In Q1 2025, a US-based non-profit organization was targeted by an unknown ransomware gang. After gaining initial access, SimpleHelp was deployed to maintain access to the network, followed by the deployment of AnyDesk on further compromised hosts and lateral movement across the network.   

Example of Cato Detections 

In Figure 1, we show a Wireshark example demonstrating how we identified the initiation and termination of an AnyDesk remote control session by filtering traffic on port 7070.

Figure 1. Wireshark capture of AnyDesk session initiation and termination 

In Figure 2, we show a real-world detection of a WAN-bound AnyDesk connection flagged as suspicious. This detection specifically alerts on actual host-to-host connections or first-time use (anomaly detection), not on background application traffic. Following the detection, a story was created in Cato XDR.

Figure 2. Detection of suspicious WAN-bound AnyDesk connection and automated response in Cato XDR 
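The two detection signals described above (a session on AnyDesk's direct port 7070, escalated when the peer is WAN-bound or when the source host has never used AnyDesk before) can be expressed as a small flow-log rule. The following is an added example and not Cato's detection code; the flow-log line format, the sample addresses (10.1.2.x internal, 203.0.113.10 external) and the severity scheme are constructed for illustration. It generalizes the Wireshark port filter from Figure 1 into a per-host first-time-use baseline as in Figure 2.

```python
"""Added example (not Cato's code): flag AnyDesk direct sessions on TCP 7070
in flow records, marking WAN-bound destinations and first-time use per host.
The flow lines below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANYDESK_DIRECT_PORT = 7070  # the port filtered in the Wireshark capture above

# Only RFC 1918 space counts as "LAN"; everything else is treated as WAN-bound.
# ipaddress.ip_address(...).is_private is avoided on purpose: it also matches
# documentation ranges such as 203.0.113.0/24, which the sample below uses.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def is_lan(ip: str) -> bool:
    """True when the address falls in one of the RFC 1918 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_flow_line(line: str) -> Flow:
    """Parse 'timestamp src dst dport proto' (a constructed flow-log format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def detect_anydesk_flows(flows, known_hosts=None):
    """Return (severity, reasons, flow) tuples for every TCP/7070 flow.

    known_hosts is the set of source IPs already seen using AnyDesk; it is
    updated in place so successive calls keep the first-time-use baseline.
    """
    if known_hosts is None:
        known_hosts = set()
    alerts = []
    for f in flows:
        if f.proto != "tcp" or f.dport != ANYDESK_DIRECT_PORT:
            continue
        reasons = []
        if not is_lan(f.dst):
            reasons.append("wan-bound")
        if f.src not in known_hosts:
            reasons.append("first-time-use")
            known_hosts.add(f.src)
        if "wan-bound" in reasons:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "info"
        alerts.append((severity, ",".join(reasons) or "known-host-lan", f))
    return alerts


# Constructed sample: one workstation reaching an external AnyDesk peer twice,
# one admin host connecting to an internal peer twice. Not real traffic.
SAMPLE_FLOWS = """\
2025-03-01T10:00:00Z 10.1.2.3 203.0.113.10 7070 tcp
2025-03-01T10:00:05Z 10.1.2.3 203.0.113.10 443 tcp
2025-03-01T10:01:00Z 10.1.2.3 203.0.113.10 7070 tcp
2025-03-01T10:02:00Z 10.1.2.9 10.1.2.20 7070 tcp
2025-03-01T10:03:00Z 10.1.2.9 10.1.2.20 7070 tcp
"""


def run_sample():
    """Run the rule over the constructed sample and return the alerts."""
    flows = [parse_flow_line(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return detect_anydesk_flows(flows)


if __name__ == "__main__":
    for severity, reasons, f in run_sample():
        print(f"[{severity:6}] {f.ts} {f.src} -> {f.dst}:{f.dport} ({reasons})")
```

On the sample, the external session is reported as high (WAN-bound, first use), its second flow as high (WAN-bound), the internal admin session as medium on first use and info afterwards. In practice the `known_hosts` set would be persisted and seeded from the approved-RMM inventory so that sanctioned admin hosts do not trip the first-time-use reason.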

RMM PoC Attack 

In the following proof-of-concept (PoC) video, we demonstrate how a threat actor can use an RMM tool delivered via phishing to gain remote access and establish persistence. 

The phishing email contains an LNK file that launches a PowerShell command. This command starts AnyDesk (pre-existing in the environment for this scenario) and sends a connection request to the threat actor’s computer using a preconfigured address. 

The demo also highlights how Cato detects the resulting network signal and generates an alert for this type of malicious connection. 

Security Best Practices 

To reduce the risk of RMM misuse, organizations should pair network-level visibility with strict operational controls. Key practices include: 

  • Track RMM Usage: Monitor who uses RMM tools, when, and how. 
  • Allowlist Approved Tools: Block unauthorized RMM installations. 
  • Limit Privileges: Apply the principle of least privilege to users and services. 
  • Secure Access: Protect RMM consoles with strong authentication and access controls. 
  • Monitor for Anomalies: Detect unusual network behavior associated with RMM activity. 
  • Audit Regularly: Review tool configurations and validate security controls. 

These steps, combined with behavioral detection, offer strong protection against RMM-based attacks. 
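The first two practices (track RMM usage, allowlist approved tools) together with the audit step can be checked mechanically against a software inventory export. The following is an added example, not Cato's or any vendor's tooling; the CSV layout, the host roles, the role-based approval policy and the inventory rows are all constructed for illustration. It also reports hosts running more than one RMM product, the pattern seen in the incidents above.

```python
"""Added example (not Cato's code): audit a software inventory for RMM agents
and flag any that are not approved for the host's role. The inventory rows
and the role-based approval policy are constructed for illustration."""
import csv
import io
from collections import defaultdict

# RMM products that appear in the incidents discussed above.
KNOWN_RMM = {"AnyDesk", "ScreenConnect", "SimpleHelp", "PDQ Deploy"}

# Hypothetical policy: which RMM products each host role may run.
APPROVED_BY_ROLE = {
    "it-admin": {"ScreenConnect", "PDQ Deploy"},
    "server": {"ScreenConnect"},
    "workstation": set(),
}

# Constructed inventory export (one row per installed product per host).
SAMPLE_INVENTORY = """\
host,role,product,installed_by,first_seen
WS-101,workstation,Microsoft Office,deploy-svc,2024-09-01
WS-101,workstation,AnyDesk,jdoe,2025-02-14
IT-ADM-01,it-admin,ScreenConnect,deploy-svc,2024-01-10
IT-ADM-01,it-admin,PDQ Deploy,deploy-svc,2024-01-10
FS-02,server,ScreenConnect,deploy-svc,2024-01-10
FS-02,server,SimpleHelp,svc_backup,2025-03-03
"""


def audit_inventory(csv_text, approved_by_role=APPROVED_BY_ROLE):
    """Return a report dict with three keys:
      unapproved - rows where a known RMM is installed but not approved for the role
      usage      - product -> sorted hosts running it (tracks who uses what)
      multi_rmm  - host -> sorted RMM products, for hosts running more than one
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    unapproved = []
    usage = defaultdict(set)
    per_host = defaultdict(set)
    for row in rows:
        product = row["product"]
        if product not in KNOWN_RMM:
            continue  # not an RMM product; ignore for this audit
        usage[product].add(row["host"])
        per_host[row["host"]].add(product)
        if product not in approved_by_role.get(row["role"], set()):
            unapproved.append({
                "host": row["host"],
                "role": row["role"],
                "product": product,
                "installed_by": row["installed_by"],
                "first_seen": row["first_seen"],
            })
    return {
        "unapproved": unapproved,
        "usage": {p: sorted(h) for p, h in usage.items()},
        "multi_rmm": {h: sorted(p) for h, p in per_host.items() if len(p) > 1},
    }


def run_sample():
    """Audit the constructed inventory and return the report."""
    return audit_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    report = run_sample()
    for f in report["unapproved"]:
        print(f"UNAPPROVED RMM: {f['product']} on {f['host']} ({f['role']}) "
              f"installed by {f['installed_by']} on {f['first_seen']}")
    for host, products in report["multi_rmm"].items():
        print(f"MULTIPLE RMM AGENTS: {host}: {', '.join(products)}")
```

On the sample, AnyDesk on the workstation and SimpleHelp on the file server are reported as unapproved, and both the admin host and the file server show up as running more than one RMM product. The `installed_by` and `first_seen` columns are carried into each finding so that an unexpected installer account or a recent first-seen date can be reviewed directly from the report.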

Conclusion 

Our analysis of RMM tools leveraged by ransomware gangs, including three real-world incidents, shows that the difference between legitimate remote management and malicious access lies in intent, not capability. We also demonstrated an RMM PoC attack to illustrate how easily these tools can be exploited to gain control, persist in networks, and evade detection. 

As RMM tools grow in power and adoption, their misuse presents a serious challenge for defenders. Organizations must strengthen visibility, apply contextual analysis, and enforce proper controls to distinguish routine IT activity from covert threats. With the right safeguards, it is possible to benefit from RMM tools while minimizing the risk of exploitation. 

Guy Waizel

Tech Evangelist

Guy Waizel is a Tech Evangelist at Cato Networks and member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company’s entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy also held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy has more than 25 years of experience spanning cybersecurity, IT, and AI. Guy is in the final stages of his PhD thesis research at Alexandru Ioan Cuza University, focused on the intersection of cloud adoption, cybersecurity, and AI. Guy holds an MBA from Netanya Academic College, a B.S. in technology management from Holon Institute of Technology, and multiple cybersecurity certifications.

Ronen Jaffa

Security Engineer

Ronen Jaffa is a security engineer at Cato Networks and member of Cato CTRL. He analyzes, researches, and develops protections against emerging threats and CVEs. Ronen brings more than 3 years of experience in cybersecurity threat protection with a military background in incident response and security research.