Ransomware gangs are turning trusted Windows tools into antivirus killers before encryption starts


Modern ransomware attacks often begin long before files get encrypted. Researchers say many operators now abuse legitimate Windows utilities and low-level tools to disable antivirus and endpoint protection first, giving the final payload a much better chance of running without interruption.

Seqrite says tools such as Process Hacker, IOBit Unlocker, PowerRun, and AuKill are showing up in these attack chains because they already have real administrative uses. That makes them harder to flag than custom malware, especially in environments where IT staff also use similar software for troubleshooting and maintenance.

This is part of a wider “living off the land” trend. Huntress says attackers increasingly prefer legitimate tools and trusted software to blend into normal activity, which helps explain why these ransomware playbooks now focus so heavily on defense evasion before encryption begins.

Why attackers disable security tools first

Seqrite describes antivirus neutralization as a deliberate stage in the ransomware kill chain, not a side step. If endpoint defenses stay active, they can block the payload, detect unusual process behavior, or alert security teams before the attack spreads.

By shutting those protections down first, attackers create a quieter path to the next steps. That usually includes privilege escalation, credential theft, persistence, lateral movement, and only then ransomware deployment.

This approach also fits what other defenders are seeing. SOC Prime says attackers are increasingly abusing legitimate low-level utilities to obtain SYSTEM or kernel-level access, kill security products, and prepare systems for ransomware execution.

How the two-stage attack chain works

Seqrite breaks the activity into two broad stages. In the first stage, attackers focus on antivirus neutralization and privilege escalation by using tools that can unlock files, kill protected processes, unload drivers, or launch programs with higher privileges.

In the second stage, the focus shifts to credential theft, kernel manipulation, persistence, and final payload execution. Seqrite lists tools such as Mimikatz, YDArk, Unlock_IT, and AuKill in this phase, depending on the campaign.

That does not mean every ransomware operator uses the exact same toolkit. It means defenders should stop thinking only in terms of ransomware binaries and start looking earlier in the chain for suspicious administrative activity that appears out of place.

Tools researchers say are being abused

Tool | Legitimate use | Reported malicious use
Process Hacker (now System Informer) | Process inspection and management | Killing AV or EDR processes
IOBit Unlocker | Unlocking files in use | Deleting protected antivirus files
PowerRun | Launching programs with elevated privileges | Running payloads as SYSTEM
AuKill | None of its own; it loads a legitimately signed Process Explorer driver to reach protected processes | Disabling EDR processes
Mimikatz | Credential research and authorized red-team use | Dumping credentials for lateral movement
YDArk | Low-level driver and kernel interaction | Stealth and deeper system control

Seqrite also maps this behavior to MITRE ATT&CK techniques such as disabling security tools (T1562.001), modifying the registry (T1112), abusing elevation mechanisms (T1548), and OS credential dumping (T1003). That mapping matters because it turns what looks like routine admin activity into a recognizable ransomware precursor pattern that a SOC can write detections and hunts against.

Which ransomware families are involved

Seqrite's campaign examples pair specific tools with families ranging from LockBit 3.0 and BlackCat to Dharma, Phobos, and MedusaLocker. The accurate reading is that researchers have observed these tools overlapping with multiple ransomware families, not that every group runs an identical playbook: which utilities show up varies by campaign and affiliate, so defenders should detect the behavior (process killing, service stops, AV start-up tampering) rather than a fixed list of binaries.

What defenders should watch for

Security teams should look closely at administrative activity that appears just before high-impact events. Seqrite specifically points to suspicious use of process killers, unlockers, registry changes affecting antivirus startup, and commands such as sc stop, net stop, and taskkill.
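As an added example (not code from Seqrite or from this article), here is a small Python scorer that runs over constructed Sysmon Event ID 1 style process-creation records, flags the precursor activity named above (service stops and force-kills aimed at security products, registry tampering with AV start-up, known dual-use killers, LSASS dumping), and then groups hits per host. A single sc stop is often an administrator; several distinct techniques on one host in a short window is the chain. The ATT&CK IDs, the service-name watchlist, the tool list and the sample events are my own assumptions, not the report's.

```python
"""Score process-creation telemetry for the ransomware-precursor pattern:
security-service stops, AV start-up tampering, known dual-use killers and
credential dumping landing on the same host.

Added example; not Seqrite's detection logic. Records mimic the fields any
EDR/SIEM exposes from Sysmon Event ID 1 or Windows 4688. The ATT&CK IDs are my
own mapping of the behaviours described in the article.
"""
import re
from dataclasses import dataclass

# Constructed watchlist of security-product service/process names (word-matched).
SECURITY_NAMES = ["windefend", "msmpeng", "sense", "wdnissvc", "mssense",
                  "csfalcon", "sentinelagent", "ekrn"]

# Utilities reported as abused. Image-name matching alone is weak (binaries get
# renamed), so the checks below also look at what the command line does.
KILLER_TOOLS = {"processhacker.exe", "systeminformer.exe", "iobitunlocker.exe",
                "powerrun.exe", "aukill.exe", "mimikatz.exe", "ydark.exe",
                "unlock_it.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # ATT&CK technique ID (assumed mapping)
    reason: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _names_security_product(text: str) -> bool:
    return any(re.search(rf"\b{n}\b", text) for n in SECURITY_NAMES)


def analyze(ev: Event) -> list[Finding]:
    """Return zero or more findings for one process-creation event."""
    out: list[Finding] = []
    img, cl = _basename(ev.image), ev.cmdline.lower()

    def hit(tid: str, why: str) -> None:
        out.append(Finding(ev.host, tid, why, ev.cmdline))

    if img in KILLER_TOOLS:
        hit("T1562.001", f"known dual-use process/driver killer launched: {img}")
    # Service stop, delete or reconfigure aimed at a security product (sc / net / net1).
    if (re.search(r"\bsc(\.exe)?\s+(stop|delete|config)\b", cl)
            or re.search(r"\bnet1?(\.exe)?\s+stop\b", cl)) and _names_security_product(cl):
        hit("T1562.001", "security service stopped or reconfigured")
    # Forced termination of a security process.
    if re.search(r"\btaskkill(\.exe)?\b", cl) and "/f" in cl and _names_security_product(cl):
        hit("T1562.001", "security process force-killed")
    # Registry tampering with AV start-up: Services\<av> Start=4 (disabled) or
    # Defender's DisableAntiSpyware=1.
    if re.search(r"\breg(\.exe)?\s+add\b", cl) and (
            ("\\services\\" in cl and _names_security_product(cl)
             and re.search(r"/v\s+start\b.*/d\s+4\b", cl))
            or ("disableantispyware" in cl and re.search(r"/d\s+1\b", cl))):
        hit("T1112", "AV start-up disabled via registry")
    # Credential dumping: LSASS minidump through comsvcs.dll, or Mimikatz modules.
    if ("comsvcs" in cl and "minidump" in cl) or "sekurlsa" in cl:
        hit("T1003.001", "LSASS memory dump or Mimikatz module")
    return out


def chain_hosts(events, min_techniques: int = 2) -> list[str]:
    """Hosts showing at least `min_techniques` distinct precursor techniques."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        for f in analyze(ev):
            seen.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)


# Constructed sample telemetry: WS01 shows the full precursor chain, WS02 is
# ordinary admin noise, WS03 is a single stop that still needs human triage.
SAMPLE_EVENTS = [
    Event("WS01", "CORP\\jdoe", "cmd.exe", r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    Event("WS01", "CORP\\jdoe", "cmd.exe", r"C:\Windows\System32\reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f'),
    Event("WS01", "CORP\\jdoe", "cmd.exe", r"C:\Tools\AuKill.exe", "AuKill.exe"),
    Event("WS01", "CORP\\jdoe", "cmd.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"),
    Event("WS02", "CORP\\helpdesk", "explorer.exe", r"C:\Windows\System32\sc.exe", "sc stop Spooler"),
    Event("WS02", "CORP\\helpdesk", "explorer.exe", r"C:\Windows\System32\taskkill.exe",
          "taskkill /f /im notepad.exe"),
    Event("WS03", "CORP\\svc_backup", "cmd.exe", r"C:\Windows\System32\net.exe", "net stop WinDefend"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in analyze(ev):
            print(f"{f.host} {f.technique} {f.reason}: {f.cmdline}")
    print("hosts with a precursor chain:", chain_hosts(SAMPLE_EVENTS))
```

Feed it your own Event records from Sysmon or 4688 exports and tune SECURITY_NAMES to the products you actually run; the per-host grouping is what keeps a lone `sc stop` from paging the on-call while still surfacing a host where stop, registry tamper and LSASS dump land together.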

Application control also matters here. If organizations can restrict which utilities are allowed to run, attackers have a harder time turning signed tools into stealthy kill switches for security products. Seqrite recommends application allowlisting, tighter access to low-level administrative tools, and stronger monitoring around privileged actions. On Windows that means AppLocker or WDAC rules that deny these utilities by path or hash for ordinary users; because the driver AuKill abuses is legitimately signed, publisher-based rules alone are not enough, so also enable Microsoft's vulnerable driver blocklist and treat any unexpected driver load as a finding.

Multi-factor authentication and fast endpoint isolation remain important too. Once an attacker gets admin access and starts dismantling protections, the window to stop lateral movement gets much smaller.

Quick takeaways

  • Ransomware operators increasingly abuse legitimate Windows tools before encryption starts.
  • The goal is to disable antivirus and EDR before the payload runs.
  • Tools like Process Hacker, IOBit Unlocker, PowerRun, and AuKill appear in these playbooks.
  • Suspicious admin activity can be an early sign of a ransomware attack in progress.
  • Restricting tool execution and monitoring privileged actions can help break the chain early.

FAQ

Are attackers really using legitimate Windows tools in ransomware attacks?

Yes. Seqrite and other defenders say ransomware operators increasingly abuse real administrative and low-level utilities to disable protections and prepare systems for ransomware deployment.

Why is this tactic so effective?

Because many of these tools are signed, widely used, and not automatically treated as malicious. That helps attackers blend their actions into normal system administration activity.

Does this mean custom malware is no longer important?

No. Custom malware still matters, but researchers say many campaigns now combine custom payloads with trusted tools that help them evade detection earlier in the attack chain.

Which stage matters most for defenders?

The pre-encryption stage. If defenders catch antivirus tampering, suspicious process termination, or abnormal privilege escalation early, they have a better chance of stopping the ransomware before it spreads.

Readers help support VPNCentral. We may get a commission if you buy through our links.