This walks through the seven stages of the Cyber Kill Chain® (Lockheed Martin's intrusion model) as they play out in a targeted ransomware attack.
Mapping an intrusion onto the chain gives defenders visibility into the intruder's tactics, techniques, and procedures (TTPs) and shows at which stage each control or detection could have broken the attack.
• Step 1: Reconnaissance – intruder harvests email addresses of all the employees in a company and prepares to launch a phishing campaign.
• Step 2: Weaponization – intruder takes a ransomware kit purchased on the dark web and packages it for delivery as an email attachment.
• Step 3: Delivery – intruder delivers the ransomware as the payload of a phishing email, or gains entry directly through an exposed remote desktop protocol (RDP) service.
• Step 4: Exploitation – when an employee unknowingly opens the attachment, the malware exploits a known vulnerability (or simply relies on the user enabling a macro) and infects their laptop.
• Step 5: Installation – the ransomware installs a persistent binary that opens an access point (backdoor) for communication with a command and control (C2, also written CnC) server.
• Step 6: Command and Control (CnC) – the ransomware reports the target host's IP address to the C2 server and obtains the encryption key needed to encrypt files and databases.
• Step 7: Actions on Objectives – the ransomware exfiltrates sensitive documents to the C2 server, then encrypts the files and databases and displays a ransom note to the end user.
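The chain above is most useful when host and network telemetry is mapped back onto it. The following is an added example, not code from the original page: it parses constructed sample log lines (the line format, field names, event types and thresholds are all assumptions chosen for illustration) and tags each suspicious event with the kill-chain stage it evidences. Steps 1 and 2 happen outside the victim's network, so the summary reports them as unobserved rather than inventing evidence for them.

```python
"""Tag constructed endpoint/network events with Cyber Kill Chain stages.

Added example, not part of the original page. The log format
("<iso-timestamp> <host> <event_type> key=value ..."), the event types and
the detection thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed sample telemetry for one laptop (not real logs). The twelve
# file_rename lines appended below simulate the bulk-encryption burst.
SAMPLE_LOG = r"""
2024-03-01T09:01:00 WS-042 mail_recv sender=hr-benefits@example.net attach=Benefits_Update.docm
2024-03-01T09:03:12 WS-042 proc_start parent=WINWORD.EXE child=powershell.exe
2024-03-01T09:03:15 WS-042 file_write path=C:\Users\jdoe\AppData\Roaming\updater.exe
2024-03-01T09:03:16 WS-042 reg_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=updater
2024-03-01T09:03:20 WS-042 net_conn dst=203.0.113.7:443 bytes_out=612
2024-03-01T09:04:10 WS-042 net_conn dst=203.0.113.7:443 bytes_out=48300000
2024-03-01T09:05:20 WS-042 file_write path=D:\Finance\README_RESTORE_FILES.txt
""" + "".join(
    f"2024-03-01T09:05:{i:02d} WS-042 file_rename path=D:\\Finance\\doc{i}.xlsx "
    f"new=D:\\Finance\\doc{i}.xlsx.locked\n"
    for i in range(12)
)

# Assumed detection parameters.
MACRO_EXT = (".docm", ".xlsm", ".js", ".vbs", ".iso", ".lnk")
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
EXFIL_BYTES = 10_000_000            # single outbound flow this large is treated as exfiltration
RENAME_BURST = 10                   # renames to one new extension...
RENAME_WINDOW = timedelta(minutes=2)  # ...within this window is treated as encryption
RANSOM_NOTE = re.compile(r"(readme|restore|decrypt|how_to).*\.(txt|html?)$", re.I)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


def parse(log: str) -> list[Event]:
    """Parse the assumed 'ts host kind k=v k=v' line format into Event objects."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *rest = line.split(" ", 3)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest[0] if rest else ""))
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return events


def classify(events: list[Event]) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, stage, note) for each event that evidences a stage, in time order."""
    hits = []
    renames = defaultdict(list)  # new file extension -> timestamps of renames to it
    for e in events:
        f = e.fields
        if e.kind == "mail_recv" and f.get("attach", "").lower().endswith(MACRO_EXT):
            hits.append((e.ts, "Delivery", f"macro-enabled attachment {f['attach']} from {f.get('sender')}"))
        elif (e.kind == "proc_start" and f.get("parent", "").upper() in OFFICE
              and f.get("child", "").lower() in SCRIPT_HOSTS):
            hits.append((e.ts, "Exploitation", f"{f['parent']} spawned {f['child']}"))
        elif e.kind == "file_write":
            path = f.get("path", "")
            name = path.rsplit("\\", 1)[-1]
            if "\\AppData\\" in path and name.lower().endswith(".exe"):
                hits.append((e.ts, "Installation", f"binary dropped at {path}"))
            elif RANSOM_NOTE.search(name):
                hits.append((e.ts, "Actions on Objectives", f"ransom note written: {path}"))
        elif e.kind == "reg_set" and f.get("key", "").endswith("\\Run"):
            hits.append((e.ts, "Installation", f"Run-key persistence value {f.get('value')}"))
        elif e.kind == "net_conn":
            out = int(f.get("bytes_out", 0))
            if out >= EXFIL_BYTES:
                hits.append((e.ts, "Actions on Objectives", f"{out} bytes to {f['dst']} (possible exfiltration)"))
            else:
                hits.append((e.ts, "Command and Control", f"beacon to {f['dst']}"))
        elif e.kind == "file_rename":
            ext = f.get("new", "").rsplit(".", 1)[-1]
            renames[ext].append(e.ts)
            burst = [t for t in renames[ext] if e.ts - t <= RENAME_WINDOW]
            if len(burst) == RENAME_BURST:  # fire once, when the threshold is crossed
                hits.append((e.ts, "Actions on Objectives", f"{RENAME_BURST} files renamed to .{ext} within {RENAME_WINDOW}"))
    return sorted(hits)


def kill_chain_summary(hits) -> list[tuple[str, bool]]:
    """Each stage in chain order with whether telemetry evidenced it."""
    seen = {stage for _, stage, _ in hits}
    return [(stage, stage in seen) for stage in STAGES]


if __name__ == "__main__":
    found = classify(parse(SAMPLE_LOG))
    for ts, stage, note in found:
        print(f"{ts:%H:%M:%S}  {stage:<22} {note}")
    for stage, seen in kill_chain_summary(found):
        print(f"{'observed' if seen else 'not observed':<13} {stage}")
```

The first observable hit is the delivered attachment, which is the earliest point at which mail filtering or attachment sandboxing could have ended the intrusion; the exfiltration flow precedes the rename burst, matching the sequence in Step 7, so a large outbound transfer from a workstation is worth alerting on before any file is encrypted.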