Ransomware Gangs ‘More Persistent Than Ever’ At Bypassing Security Tools: ThreatLocker CPO
While cybercriminals are often seen as only interested in low-hanging fruit, attackers that’ve paid for access to an environment are ‘not going to give up that easily,’ says ThreatLocker Chief Product Officer Rob Allen.
Contrary to the common belief that cybercriminals will quickly give up on deploying ransomware when moving through an environment becomes too challenging, many threat groups are becoming more persistent at finding ways to bypass security tools, according to Rob Allen, chief product officer of endpoint security vendor ThreatLocker.
While speaking to an audience of MSP executives Monday, Allen shared several real-world ransomware scenarios that ThreatLocker has observed, including one incident in which the attackers kept pushing past initial defenses until they found a weak spot.
Along with using ThreatLocker’s application allowlisting, which permits only sanctioned software to run, the victim had been running other security tools, including endpoint detection and response.
The threat actor, however, found a weak entry point: an open Remote Desktop Protocol connection that was not protected by multi-factor authentication. From there the attacker was ultimately able to stop and remove all security software running on the victim’s server and then deploy ransomware, Allen said during the session Monday at XChange March 2025, which is hosted by CRN parent The Channel Company and is being held this week in Orlando.
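The entry point in that incident, an RDP listener reachable without MFA, is something an MSP can check for on every Windows host it manages. The following script is an added example written for this page; it is not code from the article, from ThreatLocker, or from any ThreatLocker product. It reads the registry keys and firewall rules Windows itself uses for RDP (all cmdlets and key names are standard Windows ones) and reports the settings that make up the “open RDP” pattern. The `$findings` list and the messages are this example’s own; it assumes an elevated PowerShell session on a Windows 8/Server 2012 or later host.

```powershell
# Added example (not from the article or ThreatLocker): audit one Windows host's RDP exposure.
# Read-only; run from an elevated PowerShell session.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is RDP enabled? fDenyTSConnections = 0 means incoming connections are allowed.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings.Add('RDP is enabled (fDenyTSConnections = 0)') }

# 2. Network Level Authentication. UserAuthentication = 1 makes the client authenticate before a
#    session exists; 0 hands the full logon screen to anyone who can reach the port.
#    NLA is still a single factor (a password), so it does not count as MFA.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add("NLA is not enforced (UserAuthentication = $nla)") }

# 3. Security layer: 2 = TLS required, 0 = legacy RDP security permitted.
$sl = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
if ($sl -ne 2) { $findings.Add("TLS is not required for RDP (SecurityLayer = $sl)") }

# 4. Which port is configured (default 3389), and is a listener actually bound to it?
$port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }
$listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listen) {
    $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    $findings.Add("RDP listener on TCP/$port bound to: $addrs")
}

# 5. Enabled inbound allow rules that open that port. A rule whose remote address is 'Any'
#    on the Public profile is the host-side half of an Internet-exposed RDP service.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$port")) {
            $af = $_ | Get-NetFirewallAddressFilter
            $findings.Add("Firewall allows TCP/$port inbound: '$($_.DisplayName)' " +
                          "profile=$($_.Profile) remote=$($af.RemoteAddress -join ',')")
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No RDP exposure findings on this host.'
} else {
    Write-Output "RDP exposure findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Two caveats a practitioner should keep in mind. First, nothing on the host can tell you whether MFA is in front of RDP: Windows has no native second factor for RDP logons, so MFA comes from a gateway, VPN, or an agent that hooks the logon, and confirming it means checking that layer, not the endpoint. Second, this script only sees the host’s own firewall; a NAT or port-forward on the perimeter router is what usually turns “RDP enabled on the LAN” into “open RDP on the Internet”, so pair the host audit with a scan of the customer’s public address space. The fix the incident above points to is to take the listener off the Internet entirely and require MFA at whatever broker or gateway remains.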
For years now, the typical assumption about ransomware gangs has been that they are essentially “lazy” and only drawn to exploiting the low-hanging fruit, he noted.
The widespread belief has been that “if they get into an environment and they run into a roadblock — like, ‘ThreatLocker is on this machine, I can't get it off’ — very often, they'll just walk away. They'll move to another target,” Allen said.
However, “in this case, they didn't. They were persistent,” he said. “And this is something that we are seeing a lot more of. Ransomware gangs are more persistent than they ever were.”
Without a doubt, many MSPs are “seeing more-sophisticated attacks” now than in the past, said Atul Bhagat, president and CEO of BASE Solutions, a Vienna, Va.-based MSP.
Thus, in the current threat environment, securing customers is “not as basic as just watching an email inbox” for attacks such as phishing attempts, Bhagat said. Instead, attackers are finding their way into an environment using a variety of different tactics and entry points, he said.
As a result, “it's very important for us as MSPs to make sure we're aligning ourselves with vendors that are truly trying to evolve that security practice,” Bhagat said — with ThreatLocker being an example of a vendor that has expanded its capabilities substantially to enable it to take “full control of the endpoint.”
“It’s to a point where it’s creating a one-stop security solution for the endpoint,” he said of ThreatLocker’s platform.
As for why attackers are now becoming more persistent at finding ways to bypass security controls, Allen said he does have a theory. In all likelihood, he suggested, the attackers have purchased access to an environment from a broker.
In other words, “they didn’t hack into it themselves. They went on to the darkweb. They purchased access to this environment,” Allen said. “They're invested in it. So they’re not going to give up that easily.”
