Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends

Hackers use corporate tools to evade detection – Barracuda stops ransomware attack


Cyberattacks are often associated with hackers installing new and unknown malware on the victim's system, but that is not always the case. In a recent case involving the Akira ransomware family, the attackers used a method called Living off the Land (LOTL): the attack is carried out with IT tools that are already installed and fully legitimate, so that the malicious activity hides behind what looks like normal IT operations.

The attack was stopped by Barracuda's XDR team, and it holds lessons for companies of all sizes.

[Image: SOC case file (2025-9): https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--a2be199e-06f2-463b-864a-5cf79545a61a/soc-case-file-2025-9.png?width=1024&quality=95&preferwebp=true]

This is how the attack happened

The attack took place early in the morning on a national holiday. Cybercriminals, armed with the flexible Ransomware-as-a-Service offering Akira, targeted a domain management server, a central function for logging in and for accessing files and applications.


The server had the remote management tool Datto Remote Monitoring and Management (RMM) installed.

Instead of installing new malware, the attackers leveraged the RMM console along with previously installed backup clients to run scripts, change firewall settings, and disable security features—actions that looked like routine system administration and therefore did not raise suspicion.

When files later started to be encrypted and given the extension .akira, Barracuda Managed XDR detected the first encryption attempts immediately. The server was isolated at once and the attack was stopped before it could spread.

Lessons from the attack

  1. The attackers did not install any new programs that would have triggered warning signals; instead they used tools that were already trusted.
  2. The activity resembled what a backup client normally does, making the attack harder to distinguish from ordinary IT operations.
  3. Akira is a Ransomware-as-a-Service offering that is rented out to different actors. Each attack therefore looks different, which makes the threat harder to predict.
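The attack narrative and the lessons above point to two detection opportunities: an RMM agent launching commands that change firewall settings or disable security features, and a burst of files gaining the .akira extension. The following is an added example written for this page, not Barracuda's, Datto's or the customer's code. The event format, the RMM agent process names, the install path and the sample events are all assumptions constructed for illustration; the general idea is that the trusted tool itself is not flagged, only specific high-confidence actions launched through it.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed RMM agent process names (hypothetical; replace with the names your
# RMM actually spawns). Matching is on the parent process of each new process.
RMM_PARENTS = {"cagservice.exe", "aemagent.exe"}

# Command-line patterns for "change firewall settings / disable security
# features" that an RMM-launched script would produce. Routine RMM work
# (inventory, patching, backup jobs) does not match any of these.
TAMPER_PATTERNS = {
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-ExclusionPath", re.I),
    "encoded_powershell": re.compile(
        r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def detect_rmm_tampering(events):
    """Return one alert per process-creation event whose parent is the RMM agent
    and whose command line matches a tamper pattern. Event shape (assumed,
    loosely modelled on Sysmon event 1): host, parent, image, cmdline."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        if parent not in RMM_PARENTS:
            continue  # not launched through the RMM; out of scope for this rule
        for rule, pattern in TAMPER_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "rule": rule, "cmdline": ev["cmdline"]})
                break
    return alerts


def detect_encryption_burst(renames, ext=".akira", threshold=5, window=timedelta(seconds=10)):
    """Flag every host on which at least `threshold` files gain `ext` within
    `window`, using a per-host sliding window over timestamp-sorted rename events
    (assumed shape: host, ts, old_name, new_name)."""
    recent = {}     # host -> deque of timestamps of matching renames
    alerted = set()
    for ev in sorted(renames, key=lambda e: e["ts"]):
        if not ev["new_name"].lower().endswith(ext):
            continue
        q = recent.setdefault(ev["host"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= threshold:
            alerted.add(ev["host"])
    return sorted(alerted)


# Constructed sample telemetry (not real data). Parent path is an assumption.
RMM = r"C:\Program Files (x86)\CentraStage\CagService.exe"
T0 = datetime(2025, 9, 1, 5, 0, 0)

PROCESS_EVENTS = [
    {"host": "DC01", "parent": RMM, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\rmm\inventory.ps1"},            # benign RMM job
    {"host": "DC01", "parent": RMM, "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},            # firewall change
    {"host": "DC01", "parent": RMM, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS07", "parent": r"C:\Windows\explorer.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},            # not via RMM
]

RENAME_EVENTS = (
    [{"host": "DC01", "ts": T0 + timedelta(seconds=i),
      "old_name": f"share\\doc{i}.docx", "new_name": f"share\\doc{i}.docx.akira"}
     for i in range(6)]
    + [{"host": "WS07", "ts": T0 + timedelta(seconds=i),
        "old_name": f"home\\f{i}.xlsx", "new_name": f"home\\f{i}.xlsx.akira"}
       for i in range(2)]
    + [{"host": "DC01", "ts": T0 + timedelta(minutes=1),
        "old_name": "share\\a.txt", "new_name": "share\\a.txt.bak"}]       # ordinary rename
)

if __name__ == "__main__":
    for a in detect_rmm_tampering(PROCESS_EVENTS):
        print(f"[{a['host']}] {a['rule']}: {a['cmdline']}")
    print("encryption burst on:", detect_encryption_burst(RENAME_EVENTS))
```

Run against the constructed events, the first rule raises two alerts for DC01 (the firewall change and the Defender change) while leaving the inventory script alone, and the second rule flags DC01 but not WS07, whose two renames stay below the threshold. The threshold and window are the knobs to tune against a baseline of legitimate bulk renames on each host.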

Restoration and recovery

After the attack was stopped, Barracuda's team worked with the customer to isolate affected devices, remove the threats, scan for any remaining traces of Akira, and safely restore the systems.

[Image: SOC case file, tools and techniques (0925): https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--8bcef93e-8415-4c83-bab4-ea7f152922b4/soc-case-files-tools-techniques-0925.png?width=1024&quality=95&preferwebp=true]

In the next step, security policies were strengthened to reduce the risk of similar incidents in the future.

[Image: SOC case file, indicators of compromise (0925): https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--44d788ac-769c-4731-99d2-f060b3d38a0d/soc-case-files0925-iocs.png?width=1024&quality=95&preferwebp=true]

Countering this type of sophisticated attack requires a comprehensive XDR solution that gives security teams full visibility across networks, servers and devices. That visibility makes it possible to detect anomalous behaviour early, even when it is hidden behind tools that are already installed.
