Cyberattacks are often associated with hackers installing new, unknown malware on a victim’s systems. However, that is not always the case. In a recently halted incident involving the ransomware family Akira, the attackers used a method known as Living off the Land (LOTL). This approach leverages already installed, legitimate IT tools to carry out the attack, allowing the attackers to hide behind activity that appears to be normal IT operations.
The attack was stopped by Barracuda’s XDR team, and the incident offers important lessons for organizations of all sizes.
How the attack unfolded
The attack began early in the morning on a national holiday. Cybercriminals using the flexible Ransomware-as-a-Service platform Akira targeted a domain controller server — a critical system used for authentication and access to files and applications.
That server had the remote management tool Datto Remote Monitoring and Management (RMM) installed.
Rather than deploying new malware, the attackers exploited the RMM console together with previously installed backup clients. Using those trusted tools, they executed scripts, changed firewall rules, and disabled security functions — actions that closely resembled routine system administration and therefore did not raise immediate suspicion.
When files began to be encrypted and received the extension .akira, Barracuda Managed XDR detected the initial encryption attempts. The affected server was immediately isolated, and the attack was stopped before it could spread further.
Key lessons from the attack
- The attackers did not install new software that would trigger typical alerts; instead, they relied on trusted, preinstalled tools.
- Their activity mimicked the legitimate behavior of backup clients, making it difficult to distinguish the attack from ordinary IT operations.
- Akira operates as a Ransomware-as-a-Service platform rented out to different actors. Because each affiliate may use the service differently, every attack can look different and the threat becomes harder to predict.
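The two signals the write-up describes, administrative tampering launched from the RMM agent and a burst of files renamed to .akira, can be checked with simple telemetry rules. The following is an added example, not code from Barracuda or the incident; the log format, the agent process name `rmm-agent.exe` and the sample lines are all constructed for illustration.

```python
import re
from collections import deque
# Constructed example. The RMM agent process name is a placeholder, not a
# value from the incident write-up; set it to the agent used in your estate.
RMM_PARENTS = {"rmm-agent.exe"}
# Child command lines that alter firewall state or switch off protection.
TAMPER = re.compile(r"advfirewall|set-mppreference", re.IGNORECASE)
PROC = re.compile(r'^(\d+) PROC parent=(\S+) cmd="(.*)"$')
FILE = re.compile(r'^(\d+) FILE rename old=(\S+) new=(\S+)$')

def parse(lines):
    """Yield (ts, kind, fields) from the constructed log format used here."""
    for line in lines:
        if m := PROC.match(line):
            yield int(m[1]), "proc", (m[2].lower(), m[3])
        elif m := FILE.match(line):
            yield int(m[1]), "file", (m[2], m[3])

def rmm_tampering(events):
    """Commands spawned by the RMM agent that touch firewall or AV settings."""
    return [cmd for ts, kind, (parent, cmd) in events
            if kind == "proc" and parent in RMM_PARENTS and TAMPER.search(cmd)]

def encryption_burst(events, ext=".akira", window=60, threshold=3):
    """True once `threshold` renames to `ext` occur within `window` seconds."""
    recent = deque()
    for ts, kind, fields in sorted(events, key=lambda e: e[0]):
        if kind != "file" or not fields[1].lower().endswith(ext):
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop renames outside the window
            recent.popleft()
        if len(recent) >= threshold:
            return True
    return False

# Constructed telemetry: routine backup activity, then tampering launched
# under the RMM agent, then a burst of renames to the .akira extension.
SAMPLE = [
    '1700000000 PROC parent=backup-agent.exe cmd="wbadmin get versions"',
    '1700000030 PROC parent=rmm-agent.exe cmd="netsh advfirewall set allprofiles state off"',
    '1700000035 PROC parent=rmm-agent.exe cmd="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    '1700000100 FILE rename old=C:\\share\\q1.xlsx new=C:\\share\\q1.xlsx.akira',
    '1700000101 FILE rename old=C:\\share\\q2.xlsx new=C:\\share\\q2.xlsx.akira',
    '1700000102 FILE rename old=C:\\share\\memo.docx new=C:\\share\\memo.docx.akira',
]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    print(rmm_tampering(events), encryption_burst(events))
```

The parent-process rule fires on the tampering commands but not on the benign backup command, and the rename rule fires only once three .akira renames fall inside one 60-second window; in production the same logic would be fed from EDR process-creation and file-rename events rather than the constructed lines above.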
Containment, recovery, and remediation
After the attack was halted, Barracuda’s team worked with the customer to isolate affected devices, remove the threat, search for any remaining traces of Akira, and restore systems securely.
Subsequent steps included strengthening security policies and controls to reduce the risk of similar incidents in the future. This involved reviewing privileged access, hardening RMM usage and configurations, tightening firewall and endpoint protection settings, and improving backup verification practices.
To defend against this class of sophisticated attacks, comprehensive XDR solutions are essential. Such solutions give security teams full visibility across networks, servers, and endpoints, enabling early detection of anomalous behavior even when attackers hide behind legitimate, preinstalled tools.
Organizations should also adopt layered defenses: strict access controls, continuous monitoring of administrative activity, proactive threat hunting, regular backup validation, and incident response planning. Together these measures reduce the window of opportunity for attackers who rely on living-off-the-land techniques, limit damage if a breach occurs, and accelerate recovery.