- What: Ransomware gangs are leveraging Remote Monitoring and Management (RMM) tools in attacks.
- Impact: Organizations are being impacted by ransomware through the abuse of RMM tools.
Cato CTRL™ Threat Research: Investigation of RMM Tools Leveraged by Ransomware Gangs in Real-World Incidents
July 21, 2025
Dr. Guy Waizel, Ronen Jaffa

Executive Summary

Remote Monitoring and Management (RMM) tools are essential for IT operations, but their powerful capabilities and trusted status within enterprise networks have also made them valuable to threat actors. In the second half of 2024 and the first quarter of 2025, we uncovered a recurring pattern during a series of cyber forensic investigations and threat detections impacting two US-based organizations and one UK-based organization. We found that ransomware gangs across multiple campaigns were leveraging legitimate RMM solutions to carry out sophisticated intrusions.

Our research identified multiple commercial and open-source RMM tools that have been leveraged by ransomware gangs to target organizations. These RMM tools were exploited for initial access, persistence, lateral movement, and data exfiltration. In many cases, they bypassed traditional security controls because of their legitimate presence in the enterprise environment. This dual-use nature of RMM tools presents a growing challenge for organizations, where the line between authorized administrative activity and malicious behavior is increasingly difficult to define and detect.

We will share findings from the real-world incidents we investigated, highlight the specific RMM tools most frequently abused, explain our analysis approach, demonstrate a real-world RMM attack scenario, and provide recommendations for detecting and mitigating this threat in enterprise environments.
Technical Overview

RMM Tools Are Increasingly Being Leveraged by Ransomware Gangs

RMM tools are widely used by IT teams and managed service providers (MSPs) to remotely monitor and control systems across enterprise networks. They support essential tasks such as software deployment, system configuration, and performance monitoring at scale. However, the same features that make RMM tools essential also make them attractive to ransomware gangs.

RMM tools share many capabilities with Remote Access Trojans (RATs), including remote control, script execution, file transfers, and persistence. The key difference lies in intent: RATs are designed for covert access, while RMMs operate as trusted software. That trust is exactly what threat actors exploit. Ransomware gangs are increasingly using commercial RMMs instead of custom malware to gain access, avoid detection, and blend in with legitimate administrative activity. Their trusted status and modular design allow malicious components to be deployed without raising immediate alarms. As a result, RMM tools have become a reliable and stealthy way to maintain persistent access to a target network. Security teams must now rethink how they detect and respond to this evolving threat.

Analysis Approach

We examined how legitimate RMM tools are being leveraged in real-world attacks. The process began with the analysis of threat intelligence reports, including CISA’s #StopRansomware advisories, where we identified repeated use of RMM tools across multiple ransomware campaigns. This led us to investigate multiple commercial and open-source RMM tools that have been leveraged by a wide range of threat actors. While ransomware gangs are prominent users, nation-state groups have also adopted these tools as low-cost, easily available alternatives to custom RATs. To better understand this trend, we systematically tested and analyzed these RMM tools in a test environment.
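The analysis approach above comes down to two steps: fingerprint how each RMM tool looks on the wire, then decide whether a matched session is sanctioned administration or activity that needs investigation. The Python script below is an added illustration of that triage logic for defenders; it is not code from Cato CTRL or from this research. The product names (rmm-alpha, rmm-beta), relay domain suffixes, ports, the enrolled-host inventory, the outbound-byte threshold and the connection-log lines are all constructed placeholders, not fingerprints of real products.

```python
"""
Network-fingerprint triage for RMM traffic (constructed example, not the
research team's tooling).

Matches connection-log records against a small catalogue of RMM traffic
fingerprints, then separates sanctioned administrative use (the
organisation's approved RMM product, on hosts enrolled in it) from RMM
activity that warrants review: an unapproved product, the approved product
on a host that was never enrolled, a direct peer-to-peer session that
bypasses the vendor relay, or an unusually large outbound transfer.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed fingerprint catalogue (placeholder products, not real vendors).
#   relay_suffixes: TLS SNI / DNS suffixes of the vendor's cloud relay
#   relay_ports:    ports used towards that relay
#   p2p_ports:      ports used for direct host-to-host (peer-to-peer) sessions
RMM_FINGERPRINTS = {
    "rmm-alpha": {"relay_suffixes": (".relay.rmm-alpha.test",), "relay_ports": {443}, "p2p_ports": {7070}},
    "rmm-beta": {"relay_suffixes": (".cloud.rmm-beta.test",), "relay_ports": {443, 8443}, "p2p_ports": {6568}},
}

# Constructed policy: the organisation sanctions exactly one product on a known host set.
SANCTIONED_TOOL = "rmm-alpha"
ENROLLED_HOSTS = {"ws-017", "ws-042", "srv-file01"}

# Constructed threshold: outbound volume above this in one RMM session is worth a look.
EXFIL_BYTES_THRESHOLD = 50_000_000

# Constructed log format: "<ts> src=<host> dst=<host>:<port> [sni=<name>] bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst_host>[^:\s]+):(?P<dst_port>\d+)"
    r"(?: sni=(?P<sni>\S+))? bytes_out=(?P<bytes_out>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    tool: str
    verdict: str  # "sanctioned" or "review"
    reasons: list = field(default_factory=list)


def parse_connection(line):
    """Parse one connection-log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def _is_internal(host):
    """True if the destination is a private (RFC 1918 / ULA) address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def fingerprint(rec):
    """Return (tool, model) with model 'relay' or 'p2p', or None if nothing matches."""
    sni = (rec.get("sni") or rec["dst_host"]).lower()
    for tool, fp in RMM_FINGERPRINTS.items():
        if rec["dst_port"] in fp["relay_ports"] and sni.endswith(fp["relay_suffixes"]):
            return tool, "relay"
        if rec["dst_port"] in fp["p2p_ports"] and _is_internal(rec["dst_host"]):
            return tool, "p2p"
    return None


def classify(rec):
    """Apply the sanctioned-use policy to one parsed record; None if not RMM traffic."""
    match = fingerprint(rec)
    if match is None:
        return None
    tool, model = match
    reasons = []
    if tool != SANCTIONED_TOOL:
        reasons.append(f"unsanctioned RMM product ({tool}) on the network")
    elif rec["src"] not in ENROLLED_HOSTS:
        reasons.append(f"sanctioned tool seen on host not enrolled in it ({rec['src']})")
    if model == "p2p":
        reasons.append("direct peer-to-peer session, bypasses the vendor relay")
    if rec["bytes_out"] >= EXFIL_BYTES_THRESHOLD:
        reasons.append(f"large outbound volume ({rec['bytes_out']} bytes)")
    return Finding(rec["ts"], rec["src"], tool, "review" if reasons else "sanctioned", reasons)


def triage(lines):
    """Run every log line through fingerprint and policy; return the findings needing review."""
    findings = []
    for line in lines:
        rec = parse_connection(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None and f.verdict == "review":
            findings.append(f)
    return findings


# Constructed sample log: one sanctioned session, one unsanctioned product, the sanctioned
# product on an unenrolled host, one peer-to-peer session, one large transfer, one
# unrelated HTTPS connection and one malformed line.
SAMPLE_LOG = [
    "2025-03-04T10:15:02Z src=ws-017 dst=relay-12.relay.rmm-alpha.test:443 sni=relay-12.relay.rmm-alpha.test bytes_out=18422",
    "2025-03-04T10:16:40Z src=ws-103 dst=edge-3.cloud.rmm-beta.test:443 sni=edge-3.cloud.rmm-beta.test bytes_out=9021",
    "2025-03-04T10:18:11Z src=ws-088 dst=relay-4.relay.rmm-alpha.test:443 sni=relay-4.relay.rmm-alpha.test bytes_out=2200",
    "2025-03-04T10:20:55Z src=ws-042 dst=10.20.5.31:7070 bytes_out=40000",
    "2025-03-04T11:02:09Z src=srv-file01 dst=relay-12.relay.rmm-alpha.test:443 sni=relay-12.relay.rmm-alpha.test bytes_out=612000000",
    "2025-03-04T11:05:00Z src=ws-017 dst=www.example.test:443 sni=www.example.test bytes_out=5100",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.tool}: " + "; ".join(f.reasons))
```

In practice the fingerprint catalogue is what the lab testing described above produces (relay suffixes, ports and any other stable on-the-wire traits per tool), and the enrolled-host set comes from the organisation's own RMM console, so the script only encodes the decision rule. Peer-to-peer sessions are flagged for review regardless of product because they never pass the vendor relay where an enrolment check can be enforced, which is the attribution problem the next section calls out.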
We examined their network behavior and fingerprinted unique traffic patterns, enabling us to identify RMM-driven activity within enterprise environments and evaluate the security implications of their misuse.

Capabilities Leveraged by Ransomware Gangs in Recently Analyzed Attacks

Across the RMM tools we studied, we identified several recurring capabilities that were actively exploited by ransomware gangs:

- Remote Execution and Script Deployment: Used to run commands, deploy payloads, and establish persistence through native administrative features.
- Stealth Access: Enabled by support for hidden terminal sessions and silent execution.
- Connection Models: Cloud and peer-to-peer configurations that complicate detection and attribution.
- Privilege and Visibility Gaps: RMMs often run with elevated permissions and are inherently trusted, reducing detection by standard tools.
- Agentless Access and Certificate Pinning: Portable execution and encrypted channels limit visibility and inspection.

We also observed three real-world incidents where ra