What Is the Ransomware Kill Chain?

Cato Networks named a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE

The ransomware kill chain is a specialized version of the Cyber Kill Chain that details the stages of a typical ransomware intrusion. This view is useful for defenders because it identifies the points at which the intrusion can be detected and stopped before data theft and encryption begin.

The various ransomware groups have different tactics, techniques, and procedures (TTPs) that they use, meaning that the ransomware kill chain isn’t “one size fits all.” However, mapping attack campaigns to frameworks like the Lockheed Martin Cyber Kill Chain or the MITRE ATT&CK framework can provide valuable insights.

Key Highlights

  • The ransomware kill chain breaks down an attack into stages so defenders can disrupt it before encryption occurs.
  • Many modern ransomware campaigns include discovery, privilege escalation, and lateral movement before the final impact.
  • Double extortion adds a distinct data exfiltration phase that can happen before encryption.
  • Network and access controls can reduce ransomware risk by blocking known malicious destinations, detecting exploits, limiting access, and preventing the transfer of sensitive data.
  • Breaking any stage can reduce the blast radius, response costs, and business downtime.

How the Ransomware Kill Chain Is Different from the Traditional Cyber Kill Chain

Lockheed Martin defined the Cyber Kill Chain as a general-purpose model for cyberattacks. The ransomware kill chain focuses on the specifics of ransomware attacks, typically emphasizing the intrusion mechanisms and the two ransomware-specific impacts: data exfiltration and encryption.

As a result, these ransomware kill chains may introduce additional malware-specific stages into the process. For example, Cisco’s ransomware kill chain includes the following stages:

  • Recon
  • Stage
  • Launch
  • Exploit
  • Install
  • Call Back
  • Persist

While this is a high-level model, actual ransomware attack chains vary. For example, some attackers may perform additional actions between gaining an initial foothold and pursuing impact.

Why Do Defenders Use Staged Models?

Defenders commonly use staged models because they make it easier to think about an attack and identify potential opportunities to interrupt and contain an attack. Ideally, this involves catching and eliminating the threat early within its lifecycle since this reduces the cost and complexity of remediation. Additionally, staged models make it easier to develop repeatable SOC and incident response (IR) playbooks that apply generally to multiple ransomware operators rather than a specific campaign.

The Core Stages of the Ransomware Kill Chain

Ransomware attacks can vary dramatically from one threat actor to another and even across campaigns. Additionally, different cybersecurity vendors have different models of the ransomware kill chain. However, whether the model contains four steps or nine, breaking down the process has its benefits.

In this article, we’ll use the following stages for the ransomware kill chain:

  1. Initial Access and Infection: Malware is installed and executed on a target system
  2. Lateral Movement and Propagation: Ransomware spreads through the network to high-value systems
  3. Command-and-Control Communication: Malware establishes communication with the attacker for instructions and data exfiltration
  4. Data Exfiltration: Sensitive data is exfiltrated from the network in double-extortion attacks
  5. Encryption: Data is encrypted to induce victims to pay a ransom

How Attackers Typically Gain Initial Access in Ransomware Campaigns

Attackers can use a variety of methods to gain initial access to a target environment. Some of the most common techniques include phishing attacks, malicious websites, exploitation of exposed services, and stolen credentials.

While ransomware campaigns vary dramatically, most attackers rely on one of these techniques because they are low-hanging fruit: they exploit user trust, weak authentication, or unpatched systems rather than requiring novel capabilities.

What Initial Compromise Looks Like in Security Telemetry

After gaining an initial foothold, the attacker’s next goal is to get malware running on the compromised system and, usually, to establish a connection to command-and-control infrastructure for instructions and later data exfiltration. This combination of actions often produces the following indicators of compromise (IoCs):

  • DNS lookups for suspicious or known-bad domains
  • Unusual outbound connections
  • New, unknown processes
  • Unexpected execution of various tools

While these can be warning signs of a ransomware infection, none of them is proof on its own. For example, a new, unknown process may simply be legitimate software that a user has installed and run. The signals are most useful when correlated: an Office application spawning a scripting host that then opens an outbound connection to an unfamiliar destination is far stronger evidence than any one of these events alone.
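The correlation idea above can be run over real telemetry. The following is an added example, not code from the original article or from any Cato product: it triages constructed process-lineage and outbound-connection records per host, scores each matched indicator, and only escalates hosts whose indicators stack up. The log format, the process baseline, the list of rarely-legitimate tools, the egress port policy and the alert threshold are all assumptions chosen for illustration.

```python
"""Triage of constructed endpoint and network telemetry for initial-compromise indicators.

Added example, not code from the article or any vendor product. The log format,
the process baseline, the "suspicious tool" list, the egress port policy and the
alert threshold are all assumptions chosen for illustration.
"""
from collections import defaultdict

# Assumed baseline of processes routinely seen on this fleet.
KNOWN_PROCESSES = {"explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe", "teams.exe"}
# Assumed list of built-in tools that are legitimate but rarely launched by a document viewer.
SUSPICIOUS_TOOLS = {"powershell.exe", "certutil.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Assumed egress policy: the only destination ports workstations should be using.
EXPECTED_PORTS = {53, 80, 443}

# Constructed telemetry (tab-separated): record type, host, then type-specific fields.
#   proc  <host> <parent> <child>      process start with its parent
#   conn  <host> <dst_ip> <dst_port>   new outbound connection
SAMPLE_LOGS = """\
proc\tWS-1042\twinword.exe\tpowershell.exe
proc\tWS-1042\tpowershell.exe\tupdater.exe
conn\tWS-1042\t203.0.113.77\t4444
conn\tWS-1042\t198.51.100.10\t443
proc\tWS-2001\texplorer.exe\tchrome.exe
conn\tWS-2001\t198.51.100.10\t443
proc\tWS-3310\texplorer.exe\tnotes-app.exe
"""


def parse(raw):
    """Yield (kind, host, fields) tuples from the constructed log format."""
    for line in raw.splitlines():
        kind, host, *fields = line.split("\t")
        yield kind, host, fields


def score_hosts(raw):
    """Return {host: (score, reasons)} where each matched indicator adds one point."""
    findings = defaultdict(list)
    for kind, host, fields in parse(raw):
        if kind == "proc":
            parent, child = fields
            if child in SUSPICIOUS_TOOLS and parent in OFFICE_PARENTS:
                findings[host].append(f"{parent} spawned {child} (macro / LOLBin pattern)")
            elif child not in KNOWN_PROCESSES and child not in SUSPICIOUS_TOOLS:
                findings[host].append(f"unknown process {child}")
        elif kind == "conn":
            dst, port = fields[0], int(fields[1])
            if port not in EXPECTED_PORTS:
                findings[host].append(f"outbound {dst}:{port} outside egress policy")
    return {host: (len(reasons), reasons) for host, reasons in findings.items()}


def triage(raw, threshold=2):
    """Hosts whose indicators reach `threshold`; a lone unknown process (WS-3310) stays below it."""
    return sorted(host for host, (score, _) in score_hosts(raw).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, reasons) in score_hosts(SAMPLE_LOGS).items():
        print(host, score, reasons)
    print("escalate:", triage(SAMPLE_LOGS))
```

In the constructed data, WS-1042 accumulates three indicators (Word spawning PowerShell, an unknown binary, and a connection to port 4444) and is escalated, while WS-3310, whose only finding is a single unfamiliar process, is the benign case the paragraph warns about and stays below the threshold.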

What Happens after a Foothold, and Why Ransomware Operators Focus on Discovery and Lateral Movement

Ransomware operators rarely land directly on the systems they ultimately want to encrypt. For example, a phishing attack typically compromises a user’s workstation, while ransomware is most damaging on a high-value system such as a critical database or file server.

For this reason, attackers move laterally through the network: they scan and enumerate the environment to identify targets, then work to reach them. For example, an attacker might harvest additional credentials that allow them to authenticate to a new system, often over the same remote-administration protocols that legitimate administrators use.

Common Attacker Goals in the Middle of the Ransomware Kill Chain

In the middle of the ransomware kill chain, attackers’ goals are to move from their initial entry point to high-value targets. Common actions that they might take to accomplish this include:

  • Credential harvesting and privilege escalation
  • Mapping network paths and critical assets
  • Disabling defenses and preparing encryption at scale
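Lateral movement leaves a detectable footprint in authentication logs: a single account suddenly reaching hosts it has never touched, in quick succession. The following is an added example, not code from the original article or from any Cato product, that applies that rule to constructed logon events. The event format, the per-account baseline of normal destinations, the ten-minute window, the fan-out threshold and the choice of logon types are assumptions for illustration.

```python
"""Lateral-movement detection over constructed authentication events.

Added example, not code from the article or any vendor product. The event format,
the per-account baseline, the window, the fan-out threshold and the logon types
treated as remote are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: hosts each account normally authenticates to.
BASELINE = {
    "jsmith": {"WS-1042", "FS-01"},
    "svc-backup": {"FS-01", "FS-02", "DB-01"},
}
# Assumed Windows logon types of interest: 3 (network, e.g. SMB/WMI) and 10 (RemoteInteractive/RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed events: timestamp, account, source host, destination host, logon type.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 jsmith WS-1042 FS-01 3
2024-05-01T09:02:10 jsmith WS-1042 WS-2001 3
2024-05-01T09:02:55 jsmith WS-1042 WS-2002 3
2024-05-01T09:03:30 jsmith WS-1042 DC-01 3
2024-05-01T09:04:05 jsmith WS-1042 DB-01 3
2024-05-01T11:00:00 svc-backup BK-01 FS-01 3
2024-05-01T11:05:00 svc-backup BK-01 FS-02 3
2024-05-01T11:10:00 svc-backup BK-01 DB-01 3
"""


def parse_events(raw):
    """Yield (time, account, src, dst, logon_type) from the constructed format."""
    for line in raw.splitlines():
        ts, account, src, dst, ltype = line.split()
        yield datetime.fromisoformat(ts), account, src, dst, int(ltype)


def detect_lateral_movement(raw, window=timedelta(minutes=10), fanout=3):
    """Flag accounts that remotely reach at least `fanout` never-before-seen hosts within `window`.

    Returns {account: sorted list of the new hosts in the first window that trips the rule}.
    """
    new_hosts = defaultdict(list)  # account -> [(time, dst)] for destinations outside the baseline
    for ts, account, src, dst, ltype in parse_events(raw):
        if ltype not in REMOTE_LOGON_TYPES:
            continue
        if dst not in BASELINE.get(account, set()):
            new_hosts[account].append((ts, dst))

    alerts = {}
    for account, hits in new_hosts.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {dst for t, dst in hits[i:] if t - start <= window}
            if len(in_window) >= fanout:
                alerts[account] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    print(detect_lateral_movement(SAMPLE_EVENTS))
```

In the sample, jsmith fans out to four unfamiliar hosts (two workstations, a domain controller and a database server) in under two minutes and is flagged, while the backup service account touches several servers but only ones in its baseline, so it is not. In production the baseline would be learned from weeks of history rather than hard-coded, and the domain-controller hit would deserve its own higher severity.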

Where Data Exfiltration Fits in the Ransomware Kill Chain, and How Double Extortion Changes It

Traditional ransomware that is focused on file encryption is less effective if the victim has backups that they can restore from. For this reason, many ransomware operators have adopted double extortion techniques, stealing data before they encrypt it and threatening to leak it if the ransom is not paid. Some threat actors integrate additional extortion tactics, such as distributed denial-of-service (DDoS) attacks, as well.

Indicators and Defensive Controls That Matter Most During Exfiltration

The exfiltration stage gives organizations an opportunity to identify and block an attack before it reaches encryption. This requires monitoring and policy enforcement that can recognize sensitive data leaving the network and anomalous behavior such as bulk downloads from file servers or unusually large outbound transfers to unfamiliar destinations. Because stolen data frequently leaves over legitimate channels (HTTPS uploads or cloud storage services) and is often compressed or encrypted first, volume and destination anomalies matter as much as content inspection.
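One way to catch the volume anomaly described above is to compare each host’s outbound byte count against its own recent history. The following is an added example, not code from the original article or from any Cato product. The seven-day history, the current-day figures, the internal address ranges, the three-sigma rule and the 500 MB absolute floor are assumptions for illustration.

```python
"""Bulk-egress (exfiltration) detection over constructed per-host outbound volumes.

Added example, not code from the article or any vendor product. The seven-day
history, today's figures, the internal address ranges, the 3-sigma rule and the
500 MB floor are assumptions for illustration.
"""
import ipaddress
import statistics

# Assumed corporate address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed history: daily outbound bytes per host over the previous seven days.
HISTORY = {
    "WS-1042": [120e6, 95e6, 130e6, 110e6, 100e6, 125e6, 115e6],
    "FS-01": [2.1e9, 2.3e9, 1.9e9, 2.2e9, 2.0e9, 2.4e9, 2.1e9],
    "WS-2001": [80e6, 85e6, 90e6, 78e6, 82e6, 88e6, 84e6],
}
# Constructed current-day outbound bytes and top destination per host.
TODAY = {
    "WS-1042": (6.4e9, "203.0.113.77"),  # roughly 50x its norm, to an outside address
    "FS-01": (2.5e9, "10.0.0.5"),         # busy day, but within normal variation
    "WS-2001": (86e6, "198.51.100.10"),
}


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def baseline(samples, k):
    """Mean and upper control limit (mean + k * sample standard deviation)."""
    mean = statistics.fmean(samples)
    return mean, mean + k * statistics.stdev(samples)


def detect_bulk_egress(history, today, k=3.0, floor_bytes=500e6):
    """Flag hosts whose outbound volume exceeds their limit by more than `floor_bytes`.

    The absolute floor stops low-variance hosts from alerting on a few extra megabytes.
    """
    alerts = {}
    for host, (bytes_out, dst) in today.items():
        mean, limit = baseline(history[host], k)
        if bytes_out > limit and bytes_out - mean > floor_bytes:
            alerts[host] = {
                "ratio": round(bytes_out / mean, 1),
                "dst": dst,
                "external_dst": not is_internal(dst),
            }
    return alerts


if __name__ == "__main__":
    print(detect_bulk_egress(HISTORY, TODAY))
```

With the defaults only WS-1042 fires, and the external destination flag is what turns a volume anomaly into an exfiltration lead. The file server FS-01 has a busy day but stays inside its normal variation; loosening the rule to one standard deviation without the floor would start flagging it, which is the false-positive trade-off a detection engineer tunes here.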

How Can Security Controls Disrupt the Ransomware Kill Chain at Multiple Stages?

Mapping ransomware infections to a multi-stage model enables disruption at various stages of the process. Some ways that security controls can help to mitigate ransomware attacks include:

How DNS Filtering Disrupts Early Ransomware Kill Chain Activity

DNS converts domain names to IP addresses and is involved at multiple stages of the ransomware kill chain: the initial malware download, the connection to command-and-control infrastructure, and data exfiltration all typically begin with a DNS lookup. Blocking resolution of suspicious and known-bad domains stops these actions before the connection is made and can terminate the attack early in the kill chain. The caveat is that DNS filtering only sees lookups that go through the filtered resolver; malware that uses hard-coded IP addresses or encrypted DNS (DoH) to a third-party resolver bypasses it, so it should be paired with egress controls that block direct connections and unauthorized resolvers.
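The following added example (not code from the original article or from any Cato product) shows the decision a filtering resolver makes for each query; it also serves the first indicator listed under initial compromise above, since the same logic run over a query log flags the hosts making bad lookups. It combines a threat-intel blocklist with a simple heuristic for domain-generation-algorithm (DGA) names, which have no feed entry yet. The blocklist, the allowlist, the query log, the two-label shortcut for the registered domain, and the entropy and length thresholds are assumptions for illustration.

```python
"""Resolver-side DNS policy: sinkhole known-bad zones and DGA-looking names.

Added example, not code from the article or any vendor product. The blocklist,
the allowlist, the query log, the two-label "registered domain" shortcut and the
entropy / length thresholds are assumptions for illustration.
"""
import math
from collections import Counter

# Assumed threat-intel feed of known malicious registered domains.
BLOCKLIST = {"malware-cdn.example", "c2-update.example"}
# Assumed trusted zones that must never be sinkholed, however random their labels look.
ALLOWLIST = {"corp.example", "microsoftonline.com"}

# Constructed query log: source host and queried name.
SAMPLE_QUERIES = """\
WS-1042 update.c2-update.example
WS-1042 kq8x2vdz9mtr4pw.example.net
WS-2001 teams.microsoft.com
WS-2001 a1b2c3d4e5f6g7h8.corp.example
WS-3310 aaaaaaaaaaaaaaaa.example.org
"""


def registered_domain(name):
    """Last two labels; a real deployment would consult the public suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(name, min_len=12, min_entropy=3.5, max_digit_ratio=0.3):
    """Heuristic: a long lowest label that is high-entropy or digit-heavy.

    Short labels and repetitive ones (e.g. 'aaaaaaaaaaaaaaaa') do not trigger it.
    """
    label = name.lower().rstrip(".").split(".")[0]
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy or digit_ratio > max_digit_ratio


def policy(qname):
    """Return (verdict, reason); the allowlist wins, then the blocklist, then the heuristic."""
    zone = registered_domain(qname)
    if zone in ALLOWLIST:
        return "allow", "allowlisted"
    if zone in BLOCKLIST:
        return "block", "blocklist"
    if looks_like_dga(qname):
        return "block", "dga-heuristic"
    return "allow", "default"


def filter_log(raw):
    """Apply the policy to each query; returns (host, name, verdict, reason) tuples."""
    decisions = []
    for line in raw.splitlines():
        host, qname = line.split()
        decisions.append((host, qname) + policy(qname))
    return decisions


if __name__ == "__main__":
    for decision in filter_log(SAMPLE_QUERIES):
        print(*decision)
```

The allowlist is evaluated first on purpose: an internal CDN or identity provider can use random-looking hostnames, and sinkholing it would be an outage, not a detection. The heuristic thresholds are deliberately conservative; in practice they are tuned against a week of the organization’s own query logs before enforcement is switched on.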

How IPS Helps Block Exploits and Slows Propagation

IPS is an inline security control designed to block malicious content and exploitation attempts. At the perimeter it can stop vulnerability exploits aimed at exposed services and the download of ransomware payloads into the environment. When it also inspects east-west traffic between network segments, it can detect and block the scanning and exploit traffic attackers use to propagate to other hosts, which slows the spread even after an initial foothold.

How ZTNA Contains Access and Limits Lateral Movement

ZTNA implements least privilege access controls, which reduce privileges to the minimum necessary for a role and require each access request to be explicitly validated and approved. This can impair attempted lateral movement by limiting the scope of compromised accounts and allowing the organization to identify and block anomalous and suspicious requests for corporate data or resources.

How DLP Reduces Data Exfiltration Risk

DLP aims to prevent sensitive data from being shared with unauthorized recipients. In a ransomware context, it can blunt double extortion if it identifies and blocks the attempted exfiltration of stolen data. Its coverage depends on visibility, however: attackers frequently compress or encrypt data before transferring it, so content-based DLP works best alongside the volume- and destination-based anomaly detection described above.
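The following added example (not code from the original article or from any Cato product) shows the content-inspection half of that decision: scanning an outbound upload for payment card numbers and classification markers before allowing it out. The sample upload, the markers and the “any valid card number blocks” rule are assumptions for illustration; the card numbers are standard test numbers, and the Luhn check is what keeps an order ID that merely looks like a card number from counting.

```python
"""Content inspection of a constructed outbound upload, as a DLP policy would do it.

Added example, not code from the article or any vendor product. The sample upload,
the classification markers and the "any valid card number blocks" rule are
assumptions for illustration; the card numbers are standard test numbers.
"""
import re

# 13-16 digits, optionally separated by single spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# Constructed upload body: a CSV export carrying a classification banner.
SAMPLE_UPLOAD = """\
customer export Q2 -- CONFIDENTIAL -- do not distribute
id,name,card,order
1,Ana,4111 1111 1111 1111,1234567890123456
2,Bo,5500-0000-0000-0004,9876543210987654
3,Cy,4111111111111112,1122334455667788
"""


def luhn_ok(digits):
    """Luhn check-digit validation; rejects IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return the digit strings of every Luhn-valid card-like number in the text."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_upload(text, max_cards=0):
    """Decide whether an upload may leave; only the last four digits are kept for the log."""
    cards = find_cards(text)
    markers = [m for m in CLASSIFICATION_MARKERS if m in text]
    verdict = "block" if len(cards) > max_cards or markers else "allow"
    return {
        "verdict": verdict,
        "cards": len(cards),
        "last4": [c[-4:] for c in cards],
        "markers": markers,
    }


if __name__ == "__main__":
    print(inspect_upload(SAMPLE_UPLOAD))
```

Two of the three card-like values on each row fail the Luhn check and are ignored, so the sample is blocked for two valid card numbers plus the CONFIDENTIAL banner. Logging only the last four digits matters: a DLP alert that copies full card numbers into the SIEM creates a new exposure of exactly the data it was meant to protect.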

What Security Teams Should Measure to Validate Ransomware Kill Chain Disruption

When trying to disrupt ransomware attacks earlier in the kill chain, some common metrics include:

  • Mean time to detection (MTTD)
  • Mean time to remediation (MTTR)
  • Reduction in the blast radius of the attack (affected endpoints, accounts, data, etc.)

Example Measurement Categories

Organizations can also implement stage-specific metrics designed to identify when they successfully identify and address a ransomware infection, including:

  • Prevention: Blocks at the initial access and exploit stages
  • Containment: Lateral movement attempts are stopped or segmented
  • Data Security: Exfiltration attempts detected or prevented
  • Impact Reduction: Lower encryption spread and faster recovery

How Does the Ransomware Kill Chain Improve Incident Response and Post-Incident Hardening?

The ransomware kill chain enhances IR and post-incident hardening by giving playbooks and lessons learned a concrete, granular structure to attach to. For example, a post-incident retrospective can ask at which stages the threat was detected (initial access, lateral movement, data exfiltration, and so on), which stages it passed through unseen, and which controls the organization should add or tune to close the visibility or containment gaps that the timeline reveals.

Ransomware Kill Chain: How to Use the Framework to Reduce Ransomware Impact Over Time

The ransomware kill chain offers a framework for thinking about these attacks and planning security controls and IR actions. Some ways that organizations can make use of the framework include:

  • Build stage-based detections and controls
  • Run tabletop exercises aligned to stages
  • Review incidents by stage and tune controls

FAQ

What are the typical stages in the ransomware kill chain?

Models of the ransomware kill chain can vary in the stages included. A few common stages include initial access, lateral movement, command and control, data exfiltration, and data encryption.

Is data exfiltration always part of ransomware?

No. Ransomware originally focused solely on encryption, not exfiltration. Double extortion has become common because a victim with good backups could otherwise restore its systems and decline to pay; the threat of leaking stolen data removes that option.

How is the ransomware kill chain different from the Cyber Kill Chain?

The Cyber Kill Chain is a general-purpose model that breaks down the common stages of a wide range of attacks. The ransomware kill chain uses a similar breakdown but focuses on the specific mechanics and impacts of ransomware.

Which controls can interrupt ransomware earlier than encryption?

Some security controls that can interrupt ransomware attacks before they reach the encryption stage include DNS filtering, in-line exploit prevention, access controls, and data controls. For example, DNS filtering can block access to webpages serving malware and command-and-control infrastructure.

What should teams prioritize if they cannot cover every stage?

If organizations can’t cover every stage of the ransomware kill chain, they should attempt to prioritize earlier stages and those where they have greater visibility and control. For example, an organization may limit user access in line with the principle of least privilege to reduce an attacker’s ability to move laterally through the network to high-value targets.
