The rise of ‘living-off-the-land’ in cybercrime

17 January 2024
2 min
In the world of cybercrime, so-called “living-off-the-land” tactics are gaining in popularity. This involves criminals abusing legitimate applications. This makes their activity difficult to detect.

It is the famous and emerging ransomware group Medusa that is famous for its “living-off-the-land” techniques. Medusa saw the light sometime in late 2022. A notorious ransomware-as-a-service collective, it quickly climbed the ranks of the cybercriminal underworld, mainly by creating victims among Windows users.

In living-off-the-land attacks, criminals use existing programmes (such as password managers) on victims’ devices to carry out attacks, rather than having external malicious software installed. Not only is this type of attack much harder to detect. It often allows cybercriminals to dwell on their victims’ devices undetected for months.

On the other hand, it is also difficult to take action against it, as you may just disrupt the functioning of those legitimate applications. Living-off-the-land (lotl) in itself is not new, but especially in the past year it has received a lot of attention. The term itself refers to the phenomenon where you have to survive with what you can get your hands on in nature.

Lotl attacks in particular also use legitimate tools like PowerShell or WMI (Windows Management Instrumentation) and thus leave little or no trace. To counter LotL attacks, cybersecurity professionals often use behavioural analysis-based solutions. The technology then detects anomalous programme and user activity: actions that may indicate an attack in progress.


It is Unit 42, the research arm of Palo Alto Network, among others, that sees the living-off-the-land trend emerging. And in parallel, a strong professionalisation of the ransomware group Medusa. In 2023, these cybercriminals made 74 victims, most of them in the US and Europe. The hacker collective also recently launched a new blog on the dark web, where victims are pressured to tack and pay up. Medusa has also launched a Telegram channel where confidential files from the companies are publicly shared with followers.

On the hacker group’s website, you can read the victim’s name, price, time remaining and number of visitors. For a hefty sum, they can delay the payment deadline, for example, or have their data removed from the website. The latter costs an average of $10,000.

This extortion technique is not uncommon either, according to Unit 42 researchers. More so: it is increasingly used to increase the pressure on affected companies.



Gerelateerde artikelen