Understanding the Adversary: How Ransomware Attacks Happen


IBM Security X-Force Incident Response (IR) has responded to hundreds of ransomware incidents across every geography and industry. As we have taken time to analyze these incidents, a clear pattern has emerged. Although we observe dozens of ransomware groups in operation across the globe, many with multiple affiliate groups working under them, most ransomware actors tend to follow a similar attack flow and set of standard operating procedures. It is possible that ransomware actors are cross-training and sharing with each other their most effective techniques, which are becoming standard practices for many ransomware groups and affiliates. But whatever forces are bringing ransomware actors together, security defenders can use knowledge of these attacks to their advantage to better defend networks against ransomware attacks and catch attackers before they accomplish their final objectives.


The Five Stages of a Ransomware Attack


The X-Force IR team has observed that most ransomware attacks occur in a predictable pattern that we break down into five stages: Initial Access, Post-Exploitation Foothold, Reconnaissance/Credential Harvesting/Lateral Movement, Data Collection and Exfiltration, and Ransomware Deployment.


While no two ransomware incidents are exactly the same, by analyzing adversary behaviors across many engagements, operators, and geographies, X-Force IR has created the generalized attack graph shown below, which can be used to identify logical control and detection opportunities that apply to the majority of ransomware operators.



Figure 1: Standard Attack Flow for Ransomware Attacks, As Observed by X-Force Incident Response (Source: X-Force)


Stage 1: Initial Access


The most common access vectors for ransomware attacks continue to be phishing (MITRE ATT&CK Technique 1566), vulnerability exploitation including Exploitation of a Public Facing Application (T1190), and External ..
