Ransomware 2021

Here is how Ransomware 2021 used legitimate tools to exploit the victims in ransomware campaigns. The tools were intended to be used for authorized and security researches but the ransomware gangs used them for their attacks.

Experts say that ransomware attackers are equipped with more advanced weapons in their campaigns and target the organizations that can suffer from huge financial damages worth Millions, along with exposure of sensitive data. 

Today Ransomware campaigns use double extortion techniques (Combination of unwanted data encryption of sensitive data by malware actors and data exfiltration of critical files to hold for until the ransom is paid). As the attack increases, we can see various new families of ransomware are emerging in Ransomware 2021. And this year, attackers tend to use almost legitimate available tools to exploit their targets.

The security tools are not intended for malicious purposes, but they intension to gain knowledge on studies and security research purposes. However, like other tools, hackers use the tools for their hacking purposes to expose the targets. Even UK’s NCSC (National Cyber Security Center) has published such tools in a report.

The main reasons for using these legitimate tools by cybercriminals as they are Open-source to use it free in public, they might easily evade the security detections. Finally, these tools are used by both security researchers and as well as hackers and this is used as a double-edged sword. 

We will discuss few common tool legitimate tools that were abused by the hackers.

A list of few commonly used tools as follows,


It’s a dangerous open-source security tool developed by the ethical hacker Benjamin Delpy around 2011. This tool is designed to steals and dumps the passwords, hashes, extract Kerberos tickets, and authentication tokens from the infected system, and used as post-exploitation tools in the Windows platform.

  • Designated use – To understand the Proof-of-concept code for demonstrating vulnerabilities.
  • Purpose of a tool in Ransomware attacks – Credential Dumping.
  • Ransomware attacks used this tool – DoppelPaymer, Nefilim, NetWalker, Maze, ProLock, RansomExx, Sodinokibi.


Portable tools from Microsoft which used to helps the process to execute from a remote location using any user’s credentials. It’s similar to RDP but connects through Command prompt.

  • Designated use – Executing processes on remote systems.
  • Purpose of a tool in Ransomware attacks – Arbitrary command shell execution, lateral movement techniques.
  • Ransomware attacks used this tool – DoppelPaymer, Nefilim, NetWalker, Maze, Petya, ProLock, Ryuk, Sodinokibi. 


This app allows cloud-synchronization means that any files can be streamed from the MEGA cloud platform to download a file using a file link.

  • Designated use – Cloud-based synchronization.
  • Purpose of a tool in Ransomware attacks – Data exfiltration.
  • Ransomware attacks that used this tool – Hades, LockBit, Nefilim.


It’s a free command-line query tool that is used to gather information from Active Directory.

  • Designated use – Active Directory (AD) search utility.
  • Purpose of a tool in Ransomware attacks – AD discovery (can be a prerequisite for lateral movement).
  • Ransomware attacks used this tool – Nefilim, NetWalker, ProLock, Sodinokibi.

Process Hacker

It’s a free and powerful tool that is a multi-purpose tool used to detect malware, debug software, and monitor system resources.

  • Designated use – Monitoring system resources, debug software, and detect malware.
  • Purpose of a tool in Ransomware attacks – Process/service discovery and termination (including antimalware solutions).
  • Ransomware attacks used this tool – Crysis, Nefilim, Sodinokibi.

Cobalt Strike

It’s a threat emulation tool used in Red teaming and penetration testing. It leverages the post-exploitation techniques used for Attack tactics that executed in the targeted system.

  • Designated use – Threat emulation.
  • Purpose of a tool in Ransomware attacks – Lateral movement, backdoor, other capabilities as a remote access Trojan (RAT).
  • Ransomware attacks used this tool – Clop, Conti, DoppelPaymer, Egregor, Hello (WickrMe), Nefilim, NetWalker, ProLock, RansomExx, Ryuk.

By Michael

Writer of Infohaunt is an Cyber Security Professional have experience in SOC operations, Threat Management, Incident Response, Threat Hunting, Digital Forensics.