
Ransomware Groups Take Advantage of Legitimate IT Services to Dodge Antivirus

Last updated: April 2, 2026
  • Ransomware operators are using legitimate IT tools like Process Hacker and IOBit Unlocker to stealthily kill antivirus software before striking.

  • According to the research group Seqrite, attackers exploit the trusted digital signatures on these legitimate tools to slip past security systems without raising any flags.

  • Given the rate at which AI-assisted methods are emerging, researchers speculate that automated systems may soon independently select the most effective tool to disable a target’s defenses.


Cybersecurity researchers at Seqrite, the enterprise division of Quick Heal Technologies, have identified a worrying trend in ransomware attacks: attackers now combine malicious software with trusted IT tools to strike their targets.

Seqrite, the enterprise cybersecurity arm of Quick Heal Technologies Limited, calls this the “dual-use dilemma.” Attackers take software built to troubleshoot and repair systems and turn it directly against those systems. Because the computer already trusts these IT tools, attackers can use them to bypass defenses without appearing on the radar.

Hackers Turn Everyday IT Tools into Weapons

Process Hacker and IOBit Unlocker are long-established utilities that help IT professionals deal with stubborn processes and remove locked files.

However, according to Seqrite’s investigation, ransomware groups now deploy these same utilities to first kill antivirus protection stealthily and then launch their attacks.

Because these tools carry valid digital signatures, security systems do not flag them and antivirus programs do not block them.

The research tied specific tools to active ransomware campaigns:

  • IOBit Unlocker appeared in Dharma and LockBit Black 3.0 campaigns.
  • Process Hacker facilitated the Makop and Phobos operators.
  • ProcessKO and 0th3r_av5.exe appeared repeatedly in MedusaLocker attacks.

Seqrite researchers say modern attackers behave more like skilled penetration testers with malicious intent than traditional criminals, using legitimate tools to carry out silent attacks without triggering alerts.

Ransomware Attacks Now Follow a Two-Stage Kill Chain

Seqrite’s findings reveal that modern ransomware attacks follow a deliberate, structured sequence that researchers call a kill chain, and attackers move through each stage with precision.

It typically starts with a phishing email or a set of stolen login credentials. Once attackers establish a foothold, tools like YDArk or PowerRun give them kernel-level or SYSTEM-level access: the deepest, most powerful permissions a Windows machine can grant, at the core of the operating system. From there, the attack moves through two distinct phases:

In phase one, attackers use process-killing tools to disable antivirus monitoring, preventing any security software from triggering alerts.


In phase two, tools like Mimikatz, recently flagged in active INC Ransomware attacks, harvest passwords straight from system memory. Attackers then use utilities like Unlock.IT to wipe event logs, erasing the forensic trail and making the incident significantly harder to trace or investigate.
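The two-stage sequence above is what a defender would want to correlate in endpoint telemetry. The following added example (not from the Seqrite report) scans constructed process-creation and log-clear records per host, maps the tool names the article lists to kill-chain stages, and flags a host only when an AV-kill tool is followed by credential dumping or log clearing within a time window; the record format, executable filenames and sample data are assumptions.

```python
from datetime import datetime, timedelta

# Tool names from the article; the on-disk filenames are assumed.
STAGES = {
    "processhacker.exe": "av_kill",
    "iobitunlocker.exe": "av_kill",
    "processko.exe": "av_kill",
    "0th3r_av5.exe": "av_kill",
    "ydark.exe": "priv_esc",
    "powerrun.exe": "priv_esc",
    "mimikatz.exe": "cred_dump",
}
LOG_CLEARED_EVENT_ID = 1102  # Windows Security log: "The audit log was cleared"

def classify(event):
    """Map one event to a kill-chain stage, or None if uninteresting."""
    if event["event_id"] == LOG_CLEARED_EVENT_ID:
        return "log_clear"
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    return STAGES.get(image)

def detect_kill_chain(events, window=timedelta(hours=2)):
    """Return {host: [stages in time order]} for hosts where an AV-kill tool
    ran and a phase-two action (cred_dump or log_clear) followed within window."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((ev["time"], stage))
    hits = {}
    for host, seq in by_host.items():
        kills = [t for t, s in seq if s == "av_kill"]
        phase2 = [t for t, s in seq if s in ("cred_dump", "log_clear")]
        if any(k <= t <= k + window for k in kills for t in phase2):
            hits[host] = [s for _, s in seq]
    return hits

def parse_line(line):
    """Parse a constructed 'time|host|event_id|image' record."""
    t, host, eid, image = line.split("|")
    return {"time": datetime.fromisoformat(t), "host": host,
            "event_id": int(eid), "image": image}

# Constructed sample: WS01 shows the full chain; WS02 is an admin who ran
# Process Hacker a day before an unrelated log clear, so it is not flagged.
SAMPLE_LOG = """2026-04-01T09:00:00|WS01|1|C:\\Tools\\PowerRun.exe
2026-04-01T09:03:00|WS01|1|C:\\Tools\\ProcessHacker.exe
2026-04-01T09:20:00|WS01|1|C:\\Temp\\mimikatz.exe
2026-04-01T09:25:00|WS01|1102|
2026-04-01T11:00:00|WS02|1|C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe
2026-04-02T11:00:00|WS02|1102|"""

def run_sample():
    return detect_kill_chain([parse_line(l) for l in SAMPLE_LOG.splitlines()])
```

The window keeps a lone, legitimately run Process Hacker from paging an analyst; only the ordered combination of stages does.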

AI and Automation Are Accelerating This Threat

The ransomware landscape is not standing still. Older attacks leaned on basic command-line instructions. Today’s operations run on automated kits known as Ransomware-as-a-Service (RaaS).

Platforms like BlackCat and LockBit 3.0 now carry built-in capabilities that can kill antivirus. Criminals who can afford a subscription can carry out advanced attacks without writing any code.

Seqrite’s researchers warn that the next evolution is already forming. AI-assisted methods are beginning to emerge, where automated systems scan a target’s defenses and independently select the most effective tool to disable them, removing the need for human decision-making during an attack.

For organizations, the path forward is clear. Endpoint monitoring must be strengthened, particularly to detect and block UAC bypass attempts. Restricted user privileges, application allowlisting, and fully patched Windows systems all help at times like this.

For everyday users, the entry point remains unchanged: a suspicious email attachment, a random download link, one careless click.


About the Author

Joahn G


Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
