Ransomware Crews Are Winning With Legitimate Access, Not Malware

By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: July 2, 2026
Last updated: July 2, 2026
Three ransomware operations profiled this week (Anubis, The Gentlemen, and the VECT/TeamPCP partnership) barely used malware to break in. They used stolen VPN logins, a patched but forgotten Citrix flaw, signed drivers, and everyday remote access tools. The defensive lesson: detection now has to be behavioral, because the tools attackers use are the same ones your IT team uses.
The word "ransomware" still makes most people picture a malicious payload landing on a machine and lighting it up. The reporting that came out this week points somewhere less dramatic and more uncomfortable: the crews doing the most damage are getting in with credentials that work, tools that are signed, and software your own administrators already run. Arctic Wolf, Kaspersky, and Sophos each published findings on a different group, and the common thread across all three is that the loud, signature-detectable part of the attack has moved to the very end, after the intruders already own the environment.
What did Arctic Wolf, Kaspersky, and Sophos actually find?
Three separate research teams documented three separate ransomware operations, and each one leaned on legitimate access rather than custom malware. Arctic Wolf tracked the Anubis group. Kaspersky detailed a group called The Gentlemen. Sophos Counter Threat Unit investigated a partnership between two crews named VECT and TeamPCP. Different actors, same playbook shift.
Anubis is a ransomware-as-a-service (RaaS) operation: a group that rents its ransomware to affiliates for a cut of the proceeds. It emerged in late 2024 as a rebrand of the earlier Sphinx ransomware. According to data from Ransomware.Live cited by The Hacker News, Anubis has claimed 91 victims on its leak site, including 11 in June 2026 alone, concentrated in healthcare, business services, manufacturing, technology, and financial services. More than half its victims are in the United States.
Arctic Wolf's description of the Anubis tradecraft is worth quoting directly, because it names the tools: "Anubis affiliates repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems." None of those are malware. They are the same remote management products a legitimate managed service provider installs on purpose.
Why is 'legitimate access' harder to defend than malware?
Legitimate access is harder to catch because there is nothing inherently malicious to flag. Antivirus and endpoint detection tools are built to recognize bad files and bad behavior. When an attacker signs in with a valid VPN credential and then drives the environment with an IT tool your team also uses, the malicious signal and the normal signal look identical. The difference is context (who, from where, doing what), not the tool itself.
Arctic Wolf traced the Anubis intrusion chain from a valid login all the way to encryption without a traditional malware dropper doing the heavy lifting: "Malicious VPN authentication was then followed by login activity involving RDP and SMB, leading to credential access, PsExec service creation, RMM deployment, and ultimately invoking cloud transfer tooling for exfiltration." RDP, SMB, and PsExec are native Windows machinery. rclone, WinSCP, and S3 Browser, the tools used to steal the data, are legitimate file transfer utilities.
The practitioner point that mainstream coverage keeps underplaying: this is a detection engineering problem, not a tooling purchase problem. You cannot buy your way out of it with one more agent. When the adversary's toolkit is your own toolkit, the thing that separates a caught intrusion from a successful one is whether anyone is watching for the pattern: a VPN login from a hosting provider IP address, an RMM tool appearing on a server that never had one, a service created by PsExec at 3 a.m. That watching is a program and a person, not a product.
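What "watching for the pattern" looks like in practice is a handful of behavioral rules plus a correlation step that ties them to one account. The following is an added example written for this article; it is not Arctic Wolf's, Purple Shield Security's or any vendor's code. It assumes a normalized event dictionary (fields such as type, user, src_ip, host, tool, service) produced by your log collector; the sample events, the hosting-provider IP ranges (RFC 5737 documentation blocks) and the per-host RMM baseline are constructed placeholders. The PsExec service name and Windows event ID 7045 are real, but a renamed PsExec service will not match the string.

```python
"""Behavioral detection rules for legitimate-tool abuse.

Added example, not Arctic Wolf's or Purple Shield Security's code. Event
schema, hosting ranges and the RMM baseline are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: address space you treat as hosting/VPS provider space. These are
# RFC 5737 documentation ranges used as placeholders, not real provider blocks.
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Assumption: the approved remote-management inventory per host (lower-case).
# A host missing from this map is expected to run no RMM tool at all.
RMM_BASELINE = {
    "helpdesk-01": {"screenconnect", "anydesk"},
}

# Local business hours; a PsExec service created outside this window scores
# higher. Assumption for the example.
BUSINESS_HOURS = (7, 19)

# Default service name PsExec installs (Windows System log, event ID 7045).
# A renamed service will not match; pair this with the service binary path
# or Sysmon data in a real deployment.
PSEXEC_SERVICE = "PSEXESVC"


def is_hosting_ip(ip: str) -> bool:
    """True when the source address falls inside a hosting-provider range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def evaluate(events):
    """Run each rule over the event stream and return a list of findings."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["type"]
        if kind == "vpn_auth" and ev.get("result") == "success" and is_hosting_ip(ev["src_ip"]):
            findings.append({"rule": "vpn_from_hosting_ip", "severity": "medium",
                             "user": ev["user"], "ts": ts, "detail": ev["src_ip"]})
        elif kind == "service_installed" and ev["service"].upper() == PSEXEC_SERVICE:
            sev = "high" if off_hours(ts) else "medium"
            findings.append({"rule": "psexec_service_created", "severity": sev,
                             "user": ev["user"], "ts": ts, "detail": ev["host"]})
        elif kind == "rmm_install":
            tool = ev["tool"].lower()
            if tool not in RMM_BASELINE.get(ev["host"].lower(), set()):
                findings.append({"rule": "unexpected_rmm", "severity": "high",
                                 "user": ev["user"], "ts": ts,
                                 "detail": f"{ev['tool']} on {ev['host']}"})
    return findings


def correlate_by_user(findings, window_hours=2):
    """Users with two or more distinct rules firing inside the window.

    One finding on its own can be benign; the VPN login -> PsExec -> RMM
    sequence from a single account in a short span is the chain worth paging on.
    """
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    window = timedelta(hours=window_hours)
    chains = {}
    for user, fs in by_user.items():
        fs.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fs):
            rules = {f["rule"] for f in fs[i:] if f["ts"] - first["ts"] <= window}
            if len(rules) >= 2:
                chains[user] = sorted(rules)
                break
    return chains


# Constructed sample events: one account showing the full chain overnight and
# one administrator doing approved work during business hours.
SAMPLE_EVENTS = [
    {"ts": "2026-06-28T03:12:00", "type": "vpn_auth", "user": "jsmith",
     "src_ip": "203.0.113.45", "result": "success"},
    {"ts": "2026-06-28T03:20:00", "type": "service_installed", "user": "jsmith",
     "host": "fileserver-01", "service": "PSEXESVC"},
    {"ts": "2026-06-28T03:25:00", "type": "rmm_install", "user": "jsmith",
     "host": "fileserver-01", "tool": "MeshAgent"},
    {"ts": "2026-06-28T10:05:00", "type": "vpn_auth", "user": "aturner",
     "src_ip": "192.0.2.10", "result": "success"},
    {"ts": "2026-06-28T10:30:00", "type": "rmm_install", "user": "aturner",
     "host": "helpdesk-01", "tool": "AnyDesk"},
    {"ts": "2026-06-28T14:00:00", "type": "service_installed", "user": "aturner",
     "host": "helpdesk-01", "service": "PSEXESVC"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f["ts"], f["severity"], f["rule"], f["detail"])
    print("chains:", correlate_by_user(found))
```

The administrator's daytime PsExec use still produces a medium finding, which is the intended behavior: the rule is a signal, and the correlation step is what separates one plausible admin action from three linked ones on the same account at 3 a.m.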
Is Citrix Bleed 2 still a live threat in mid 2026?
Yes. Anubis affiliates were observed this year exploiting CVE-2025-5777 — "Citrix Bleed 2" — a critical flaw (CVSS 9.3) in Citrix NetScaler ADC and Gateway appliances that lets an attacker bypass authentication when the device is configured as a Gateway or AAA virtual server. Citrix patched it in 2025. It is still being used to break into companies in 2026.
That gap between "patch released" and "patch actually applied everywhere" is where the damage lives. NetScaler appliances sit at the edge of the network by design, internet-facing and handling remote access and single sign-on, so a missed one is a wide-open front door, not a minor oversight. The uncomfortable question for any leadership team is not "did we patch Citrix Bleed 2?" It is "can we prove we patched it on every appliance, including the one a contractor stood up two years ago that nobody's tracking?"
Arctic Wolf also noted that some intrusions did not even need the vulnerability: they came in on valid VPN credentials whose origin was unknown, possibly bought from an initial access broker or harvested by an information stealer. This is where a virtual CISO (vCISO) or fractional security leader earns their keep: making sure edge device patching and credential hygiene are tracked as an ongoing program with an owner, not a one-time ticket that got closed and forgotten.
What is BYOVD, and why doesn't my EDR stop it?
BYOVD stands for "bring your own vulnerable driver." The attacker brings a legitimately signed but flawed driver onto the system, loads it, and abuses its kernel-level access to switch off security software from underneath. Because the driver is properly signed, Windows trusts it; even a fully patched, up-to-date machine can be disarmed this way.
Kaspersky documented The Gentlemen RaaS group using this technique to kill protected security processes tied to Microsoft, ESET, Palo Alto Networks, and SentinelOne. According to Expel's analysis, the group weaponized a zero-day flaw in a little-known third-party driver, ktapi.sys, to get that kernel access. Security researcher Marcus Hutchins put the stakes plainly: "BYOVD continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest Windows version, with all exploit mitigations enabled, does not provide complete protection."
Read that quote again, because it reframes what endpoint detection can promise. EDR is necessary and it is not sufficient. If a determined crew can turn it off at the kernel level, then the assumption that "our EDR will catch it" is the exact belief that leaves a company blind. The answer is not to distrust EDR; it is to make sure something outside the endpoint (network telemetry, identity monitoring, driver-load alerting, tested offline backups) can still see the attack when the endpoint agent goes dark.
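Two of those outside-the-endpoint signals can be checked with very little code: a driver load that is not on the fleet baseline, and an agent that stops reporting while the network still sees the host talking. The example below is added for this article and is not Kaspersky's, Expel's or Purple Shield Security's code. It assumes two feeds the collector already holds: driver-load events (Sysmon event ID 6 records the loaded image and its signature status) and per-host agent heartbeat times alongside a network-side last-seen time from flow data. All sample data is constructed; ktapi.sys is the driver named in the reporting above and appears only as the unexpected-load example, under a made-up path.

```python
"""Signals that survive an endpoint agent being switched off.

Added example, not Kaspersky's, Expel's or Purple Shield Security's code.
Feeds, field names and all sample data are assumptions for the example.
"""
import ntpath
from datetime import datetime, timedelta

# Assumption: driver image names expected across the fleet, taken from a
# golden-image inventory. A signed driver outside this set is still a finding;
# BYOVD works precisely because the driver is signed.
EXPECTED_DRIVERS = {"ntfs.sys", "tcpip.sys", "ndis.sys", "disk.sys"}


def driver_load_findings(events):
    """Flag any driver load whose image name is not in the fleet baseline."""
    out = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name not in EXPECTED_DRIVERS:
            out.append({"host": ev["host"], "driver": name,
                        "ts": datetime.fromisoformat(ev["ts"]),
                        "signed": ev["signed"], "severity": "high"})
    return out


def agent_gaps(last_heartbeat, last_network_seen, now,
               max_silence=timedelta(minutes=10)):
    """Hosts whose agent went quiet while the network still sees them talking.

    A host silent on both feeds is probably just powered off and is skipped,
    which keeps the rule from paging on every shut-down laptop.
    """
    out = []
    for host, hb in last_heartbeat.items():
        seen = last_network_seen.get(host)
        if seen is None:
            continue
        hb_ts = datetime.fromisoformat(hb)
        seen_ts = datetime.fromisoformat(seen)
        if now - hb_ts > max_silence and now - seen_ts <= max_silence:
            out.append({"host": host, "last_heartbeat": hb_ts,
                        "last_network_seen": seen_ts, "severity": "high"})
    return out


def correlate_byovd(driver_findings, gap_findings, window=timedelta(minutes=30)):
    """Unexpected driver load followed shortly by agent silence on the same host."""
    out = []
    for gap in gap_findings:
        for drv in driver_findings:
            if drv["host"] != gap["host"]:
                continue
            since_load = gap["last_heartbeat"] - drv["ts"]
            if timedelta(0) <= since_load <= window:
                out.append({"host": gap["host"], "driver": drv["driver"],
                            "severity": "critical"})
    return out


# Constructed sample data. The file server loads an unexpected signed driver
# and its agent stops reporting a minute later while flows still show it alive;
# the lab VM is silent on both feeds, i.e. simply off.
NOW = datetime.fromisoformat("2026-06-28T04:00:00")
DRIVER_EVENTS = [
    {"ts": "2026-06-28T03:40:00", "host": "fileserver-01", "signed": True,
     "image": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"ts": "2026-06-28T03:41:00", "host": "fileserver-01", "signed": True,
     "image": r"C:\Windows\Temp\ktapi.sys"},  # constructed path, not an IoC
    {"ts": "2026-06-28T03:50:00", "host": "helpdesk-01", "signed": True,
     "image": r"C:\Windows\System32\drivers\tcpip.sys"},
]
LAST_HEARTBEAT = {"fileserver-01": "2026-06-28T03:42:00",
                  "helpdesk-01": "2026-06-28T03:59:00",
                  "lab-vm-03": "2026-06-28T01:00:00"}
LAST_NETWORK_SEEN = {"fileserver-01": "2026-06-28T03:58:00",
                     "helpdesk-01": "2026-06-28T03:59:00",
                     "lab-vm-03": "2026-06-28T01:05:00"}

if __name__ == "__main__":
    drivers = driver_load_findings(DRIVER_EVENTS)
    gaps = agent_gaps(LAST_HEARTBEAT, LAST_NETWORK_SEEN, NOW)
    for c in correlate_byovd(drivers, gaps):
        print(c["severity"], c["host"], "loaded", c["driver"], "then agent went dark")
```

The point of the second rule is that it runs on the collector, not the endpoint: the driver-load event may be the last thing the agent ever sends, so the absence of its next heartbeat has to be noticed by something the kernel-level kill cannot reach.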
What does the VECT/TeamPCP partnership change?
It lowers the barrier to entry. Sophos Counter Threat Unit investigated a partnership, announced in March 2026, between a crew called VECT and one called TeamPCP. The arrangement lets TeamPCP hand VECT the ability to deploy ransomware across every organization compromised in the Trivy and LiteLLM supply chain attacks, meaning stolen credentials harvested at scale from a software supply chain get fed directly into a ransomware operation.
Sophos framed the significance without hype: "The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime." Worth noting: independent analysis from Check Point and JUMPSEC found VECT's encryptor is technically broken — it permanently destroys any file larger than 128 KB instead of encrypting it. TeamPCP has publicly claimed it never used VECT's encryptor and runs its own locker.
The broken encryptor is almost a distraction. The real story is the assembly line. Credential theft, ransomware-as-a-service, and forum-based recruitment are being wired together into a repeatable pipeline. When the supply chain feeds the ransomware operation directly, the company that gets hit may have done nothing wrong on its own perimeter; the credential was stolen upstream, from a vendor or a dependency.
What should a business do?
Focus on the access, not the malware. Because these campaigns run on valid credentials and trusted tools, the highest-value moves this week are about knowing your edge, your identities, and your normal, so that abnormal stands out.
Concrete places to start:
Confirm, with evidence rather than assumption, that every internet-facing NetScaler/Citrix appliance is patched against CVE-2025-5777, and inventory whether any are configured as a Gateway or AAA virtual server.
Rotate credentials and terminate sessions on any remote access path you can't positively vouch for, and put multi factor authentication in front of every VPN and remote entry point.
Inventory the remote management (RMM) tools that are supposed to be in your environment (ScreenConnect, AnyDesk, Zoho Assist, and the like), so that a new one appearing is an alarm, not background noise.
Make sure something other than your endpoint agent can see an attack: network and identity telemetry, alerting on new driver loads, and backups you have actually tested restoring offline.
Treat supply chain credential exposure as your problem, not just your vendor's; assume a dependency or provider could be the source of a working login.
If your team can't answer "are we exposed to any of this?" with confidence in an afternoon, that uncertainty is the finding. A risk assessment that maps your edge exposure, identity hygiene, and detection coverage is a faster path to an answer than waiting for an incident to reveal the gaps for you.
Frequently asked questions
Are we exposed if we already patched Citrix Bleed 2 months ago?
Patching the appliance closes that specific door, but it does nothing about credentials that were stolen before you patched. If Citrix Bleed 2 (CVE-2025-5777) was exploitable on your NetScaler at any point, treat any credentials, session tokens, or VPN logins that passed through it as potentially compromised: rotate them and invalidate active sessions. The patch stops new theft; it doesn't undo old theft.
We use ScreenConnect and AnyDesk for real IT work. Should we rip them out?
No. These tools are abused precisely because they're legitimate and common. The fix isn't removal, it's an approved inventory: know exactly which remote management tools are supposed to exist, on which machines, run by whom. Once that baseline exists, an unexpected instance of ScreenConnect on a file server becomes a high fidelity alert instead of something that blends in.
Does BYOVD mean our EDR investment was a waste?
No, it means EDR can't be your only layer. Bring your own vulnerable driver attacks can disable endpoint tools at the kernel level, as researchers documented with The Gentlemen group killing processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne. Keep the EDR, and add detection that survives the endpoint going dark: network telemetry, identity monitoring, driver-load alerting, and tested offline backups.
We're a 60-person firm. Is any of this actually aimed at us?
Yes. Anubis alone concentrated on healthcare, business services, manufacturing, technology, and financial services, sectors full of small and mid-market firms, and the VECT/TeamPCP model is explicitly designed to lower the cost of hitting more targets. Industrialized, credential-driven ransomware doesn't need you to be a Fortune 500; it needs you to have a reachable login and thin monitoring. Mid-market companies often have exactly that combination.
The through-line across Anubis, The Gentlemen, and VECT/TeamPCP is that modern ransomware runs on access, not malware, and access is a leadership and detection problem before it's a tooling problem. Purple Shield Security helps small and mid-market companies figure out where their real exposure sits (edge devices, identities, and whether anyone is actually watching) and build the program to close it. If you want a second set of eyes on whether your team could spot an attack like this before the encryption starts, that's a conversation worth having.