The following describes the typical Cyber Kill Chain® as it applies to a targeted ransomware attack, walking through each of its seven stages.

It provides visibility into the intruders’ tactics, techniques, and procedures (TTPs).

• Step 1: Reconnaissance – The intruder harvests the email addresses of all the employees in a company and prepares to launch a phishing campaign.

• Step 2: Weaponization – The intruder uses a ransomware kit purchased off the dark web and tailored to deliver the malware through an email attachment.

• Step 3: Delivery – The intruder delivers the ransomware as the payload of a fake email or through a Remote Desktop Protocol (RDP) service.

• Step 4: Exploitation – When an employee unknowingly opens the fake email attachment, the malware exploits a known vulnerability and infects their laptop.

• Step 5: Installation – The ransomware installs as a binary, which opens an access point (backdoor) to communicate with a command and control site.

• Step 6: Command and Control (CnC) – The ransomware sends the target host's IP address and receives the encryption key needed for encrypting all files and databases.

• Step 7: Action – The ransomware exfiltrates sensitive documents to the CnC server and then encrypts those files and databases. It then displays a ransom note to the end user.
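
For defenders, the value of the seven steps above is knowing how far along the chain each host is and whether it can still be cut off before Step 7. The sketch below is an added example, not part of the original page: it groups constructed events by host and reports the furthest stage reached plus any stages with no telemetry. The event type names, hostnames and event-to-stage mapping are hypothetical assumptions, not the output of any particular product.

```python
from collections import defaultdict

# Kill chain stages as numbered on this page.
STAGES = {1: "Reconnaissance", 2: "Weaponization", 3: "Delivery", 4: "Exploitation",
          5: "Installation", 6: "Command and Control", 7: "Action"}

# Assumed mapping from a hypothetical normalized event type to the stage it evidences.
# Stages 1-2 happen outside the network, so host telemetry rarely covers them.
EVENT_STAGE = {
    "email_attachment_received": 3, "rdp_login_external": 3,
    "office_child_process": 4,
    "new_unsigned_binary": 5, "new_autorun_entry": 5,
    "outbound_beacon": 6,
    "bulk_upload": 7, "mass_file_rename": 7, "ransom_note_written": 7,
}

# Constructed sample events: (timestamp, host, event type).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "laptop-17", "email_attachment_received"),
    ("2024-05-01T09:02:11", "laptop-17", "office_child_process"),
    ("2024-05-01T09:02:40", "laptop-17", "new_unsigned_binary"),
    ("2024-05-01T09:03:02", "laptop-17", "outbound_beacon"),
    ("2024-05-01T09:10:00", "db-02", "rdp_login_external"),
    ("2024-05-01T09:12:30", "db-02", "outbound_beacon"),
    ("2024-05-01T09:20:00", "db-02", "mass_file_rename"),
    ("2024-05-01T09:30:00", "laptop-44", "email_attachment_received"),
]

def triage(events):
    """Per host: furthest stage seen, stages lacking evidence, and a triage status."""
    seen = defaultdict(set)
    for _ts, host, etype in events:
        stage = EVENT_STAGE.get(etype)
        if stage is not None:  # skip event types that cannot be placed in the chain
            seen[host].add(stage)
    report = {}
    for host, stages in seen.items():
        furthest = max(stages)
        # A stage between Delivery and the furthest one with no event is a detection gap.
        gaps = [s for s in range(3, furthest) if s not in stages]
        if furthest == 7:
            status = "respond: exfiltration or encryption under way"
        elif furthest >= 5:
            status = "isolate now: chain can still be broken before Action"
        else:
            status = "investigate: delivery or exploitation only"
        report[host] = {"furthest": STAGES[furthest], "gaps": gaps, "status": status}
    return report

if __name__ == "__main__":
    for host, row in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, row)
```

On the constructed data, `db-02` reaches Action with no evidence for Exploitation or Installation, which points to missing detections on that host rather than stages the intruder skipped.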