RANSOMWARE KILL CHAIN AND HOW TO PROTECT YOUR ORGANIZATION

Segun Ebenezer Olaniyan
5 min read · Jun 2, 2021


Over the years, cyberattacks have evolved alongside a growing population of cybercriminals with diverse motives. Many organizations have been shocked to see how much they lost to a single attack. Small and medium enterprises, which were of little interest to cybercriminals before, have become the most frequently targeted, while large organizations keep fighting for survival. Individuals have been deeply affected too. The battle against cyberattacks has become everyone’s battle; cybersecurity is truly everyone’s responsibility.

The entire world is moving into the digital space. With the advent of the Internet of Things, almost anything can be given a network connection and made to communicate with humans and other devices around the world. Every such connection widens the attack surface, and this has made attacks like ransomware more prominent.

Ransomware is a type of malware that cybercriminals use to extort organizations: they enter the network or systems, encrypt files, and hold the data hostage until a digital payment is made. Strictly speaking, an Advanced Persistent Threat (APT) is a category of adversary rather than a category of malware, but a modern ransomware intrusion behaves much like one: it can lie undetected in the victim organization’s systems for days, weeks, or even months before it is unveiled through a ransom demand.

Many organizations that fell victim to ransomware had no idea that their information systems had been compromised; they continued with their business processes and operations until the attack had eaten so deep into their systems that there was no remedy other than paying the demanded ransom.

Furthermore, data and files held hostage may never be recovered even after payment, since decryption is entirely at the cybercriminal’s discretion. Paying the ransom is therefore rarely the best option; restoring your latest backed-up files and data, if you have them, is. Note that many ransomware groups now also steal data before encrypting it, so a backup restores operations but does not undo a threatened leak.

Ransomware Kill Chain

Delivery

This is the stage where the ransomware arrives in the network or on a system. The entry medium is not limited to phishing emails; others include infected removable devices, downloaded or torrented software, compromised web pages, and exposed remote-access services (such as RDP) reached with weak or stolen credentials.

Installation

The ransomware is downloaded through one of these media and begins executing its malicious code. Some families are worms that self-execute and self-replicate, but most depend on a user opening a file or on an attacker launching them by hand once inside. Either way, the execution typically goes unnoticed by the network or system administrator and the computer user.

Command and Control

Here the ransomware (or the attacker’s initial implant) connects to the attacker’s Command and Control (C2) server to receive instructions on the next actions to take and the series of tasks to perform. This beaconing is one of the earliest network-visible signs of the intrusion.

Credential Access

The intrusion still has its tracks covered. The attacker begins to traverse the network or system to gain access to privileged accounts and steal as many credentials as possible; this provides more control over the network and systems and direct access to files and data.

Discovery

The search for files to encrypt begins. The access gained through the aforementioned accounts gives the attacker the privilege to enumerate files, shares, and backups on the network or system.

Lateral Movement

The attacker moves across the network, using the stolen credentials, to compromise more accounts and hosts and gain access to more files.

Actions on Objectives

Encryption of files begins across the entire network, as far as access has been gained. Attackers commonly delete shadow copies and any reachable backups first so that restoration is not an option. The cyber actor then demands a digital payment, usually in cryptocurrency, to have the files decrypted.

How to Detect Ransomware Before Payday

  1. Watch out for Unusual File Activities: Put in place a monitoring solution that looks for suspicious file activities such as bursts of file renames or modifications from a single process, files changing to unknown extensions, a spike in failed file modifications, etc.
  2. Implement Network Segmentation: Split your network into subnetworks to improve monitoring, limit lateral movement, and make atypical activities easier to detect. Have a segmentation policy that governs the design of your network infrastructure.
  3. Update IDS/IPS with exploit kit (EK) detection rules: Check whether your IDS, IPS, or firewall can detect exploit kits. Update and apply rules that enable these security solutions to detect kits historically associated with ransomware such as Angler EK and Neutrino EK, and keep the rule set current, since exploit kits come and go and most ransomware today arrives through phishing, stolen credentials, or exposed remote access.
  4. Set up Deception Tools: It is good practice to set up honeypots or distributed deception platforms that can reveal an active breach in progress. They lure attackers into decoy systems and shares that are not linked to production data, and because no legitimate user has any reason to touch a decoy, any interaction with one is a high-fidelity alert.
  5. Implement DMARC: Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting standard. It tells receiving mail servers what to do with messages that fail SPF or DKIM alignment for your domain; with an enforcing policy it stops attackers from spoofing your exact domain in spear-phishing emails, and its reporting feature lets you gather intelligence from rejected messages.
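Items 1 and 4 of the list above can be tried out on a log. The following is an added example, not code from the original post or from any of the cited vendors: it reads a constructed, tab-separated file-audit log and raises an alert when one process renames many files to an extension the organization never uses inside a short window, or when anything writes to a planted canary file. The share name, the canary path, the extension list, and the threshold of 10 renames per 60 seconds are assumptions chosen for the example.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from pathlib import PureWindowsPath

# Extensions the organization normally writes to its shares (assumption for this example).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
# Decoy ("canary") files planted on the share. No legitimate process ever touches
# them, so any access is a high-fidelity alert. Share and path are hypothetical.
CANARY_PATHS = {r"\\fs01\finance\archive\2017_payroll_backup.xlsx"}
RENAME_BURST_THRESHOLD = 10            # renames to an unknown extension by one process ...
RENAME_WINDOW = timedelta(seconds=60)  # ... inside this sliding window


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised form of a Windows/UNC path."""
    return str(PureWindowsPath(path)).lower()


def _suffix(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def parse_events(log_text: str):
    """Yield one dict per row of a tab-separated audit log whose header row names the
    columns ts, host, user, pid, action, src, dst (the constructed format used below)."""
    for row in csv.DictReader(StringIO(log_text), delimiter="\t"):
        row["ts"] = datetime.fromisoformat(row["ts"])
        yield row


def detect(log_text: str) -> list:
    """Return one alert dict per detection. Events are assumed to arrive in time order."""
    alerts = []
    windows = defaultdict(deque)       # (host, pid) -> timestamps of suspicious renames
    already_fired = set()
    canaries = {_norm(p) for p in CANARY_PATHS}
    for ev in parse_events(log_text):
        touched = {_norm(ev["src"])}
        if ev["dst"]:
            touched.add(_norm(ev["dst"]))
        # Rule 1: writing, renaming or deleting a canary file is a breach indicator on its own.
        if ev["action"] in {"WRITE", "RENAME", "DELETE"} and touched & canaries:
            alerts.append({"rule": "canary_access", "host": ev["host"], "pid": ev["pid"],
                           "user": ev["user"], "path": ev["src"]})
        # Rule 2: a burst of renames to an extension the organization never uses.
        if ev["action"] == "RENAME" and _suffix(ev["dst"]) not in KNOWN_EXTENSIONS:
            key = (ev["host"], ev["pid"])
            window = windows[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > RENAME_WINDOW:   # drop renames older than the window
                window.popleft()
            if len(window) >= RENAME_BURST_THRESHOLD and key not in already_fired:
                already_fired.add(key)
                alerts.append({"rule": "rename_burst", "host": ev["host"], "pid": ev["pid"],
                               "user": ev["user"], "count": len(window),
                               "new_extension": _suffix(ev["dst"])})
    return alerts


def build_sample_log() -> str:
    """Constructed audit log: routine activity from one user, then one process on WS-042
    renaming 12 documents to .locked within 22 seconds and touching the canary file."""
    base = datetime(2021, 6, 2, 9, 15, 0)
    rows = ["ts\thost\tuser\tpid\taction\tsrc\tdst"]

    def add(offset, host, user, pid, action, src, dst=""):
        ts = (base + timedelta(seconds=offset)).isoformat()
        rows.append("\t".join([ts, host, user, str(pid), action, src, dst]))

    add(0, "WS-017", "asmith", 2210, "WRITE", r"\\fs01\finance\q2_forecast.xlsx")
    add(5, "WS-017", "asmith", 2210, "RENAME", r"\\fs01\finance\q2_forecast.xlsx",
        r"\\fs01\finance\q2_forecast_final.xlsx")          # known extension: ignored
    add(9, "WS-017", "asmith", 2210, "RENAME", r"\\fs01\finance\notes.txt",
        r"\\fs01\finance\notes.bak")                       # unknown extension, but one event only
    for i in range(12):
        add(10 + 2 * i, "WS-042", "jdoe", 4412, "RENAME",
            rf"\\fs01\finance\report_{i:02d}.docx", rf"\\fs01\finance\report_{i:02d}.docx.locked")
    add(40, "WS-042", "jdoe", 4412, "WRITE", r"\\fs01\finance\ARCHIVE\2017_Payroll_Backup.xlsx")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Run stand-alone, the script prints two alerts: a rename burst from pid 4412 on WS-042 (fired on the 10th rename, well before the process finishes) and a canary access from the same process. The single `.bak` rename by the other user stays below the threshold, which is the point of counting per process inside a window rather than alerting on every odd extension. In production the same two rules would be fed by Windows file-share auditing (event ID 5145) or a file-activity monitoring agent, and the rename alert should trigger the "disconnect quickly" step of the protection list below.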
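For item 5, the protection DMARC gives depends entirely on the policy published in DNS. The following is an added example, not code from the original post: it parses a DMARC TXT record and lists the settings that leave the domain spoofable, with a monitoring-only record, a partially enforced one and a hardened one side by side. The records and the example.com mailboxes are constructed; a real check would fetch the TXT record at `_dmarc.<domain>`.

```python
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses found in a record (empty when it both enforces and reports)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("v=DMARC1 missing: receivers will ignore the record")
    policy = tags.get("p")
    if policy is None:
        findings.append("p= tag missing: the record is invalid and ignored")
    elif policy not in ENFORCING:
        findings.append(f"p={policy} only monitors: spoofed mail is still delivered")
    # sp= defaults to p=, so only an explicit weaker subdomain policy is a finding.
    if "sp" in tags and tags["sp"] not in ENFORCING:
        findings.append(f"sp={tags['sp']}: subdomains may still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("rua= missing: aggregate reports, the intelligence source, are not collected")
    return findings


# Constructed records for example.com (not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("hardened", HARDENED_RECORD)]:
        print(f"{name}: {assess_dmarc(rec) or ['no findings']}")
```

The monitoring-only record (`p=none`) is where most domains start, and that is fine as a first step: it produces the `rua` aggregate reports that show which legitimate services send mail as your domain. The mistake is staying there. Once SPF and DKIM pass for every legitimate sender, move to `p=quarantine` and then `p=reject`, and raise `pct` to 100; until then the spear-phishing protection in item 5 does not exist, because receivers keep delivering mail that fails alignment.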

Proactive Ransomware Protection

  • Create Cybersecurity Awareness for Employees that informs them about phishing tactics and techniques and the actions to take if they encounter suspicious pop-ups, links, or attachments.
  • Restrict Write Permissions on production files and file servers to the accounts that genuinely need them (least privilege); ransomware can only encrypt what the compromised account is allowed to write.
  • Use a 3–2–1 Backup Strategy: keep at least three copies of your data, on two different storage media (e.g. disk and tape), with one copy offsite or offline so that an attacker who owns the network cannot reach it. Test the restore regularly.
  • Use Modern Endpoint Protection that identifies new malware variants by behaviour rather than by signature alone and detects malicious traffic.
  • Use Web and Email Gateway Protection that blocks access to compromised websites and scans all downloads.
  • Disconnect Affected Hosts from the Network Quickly if an infection is suspected, to stop the encryption and lateral movement from spreading.

No organization is exempt from the sting of ransomware, but a well secured systems and network infrastructure, continuous active monitoring, tested backups, and consistent cybersecurity awareness education for employees greatly reduce both the likelihood and the impact. This kill chain reveals the tactics, techniques, and procedures for the delivery and execution of ransomware, and that intelligence can be used to prevent it.

Resources

Daniely, Avishag. “4 Techniques for Early Ransomware Detection.” Guardicore, 22 Mar. 2021, www.guardicore.com/blog/4-techniques-for-early-ransomware-detection/. Accessed 2 June 2021.

Delaney, Darragh. “5 Methods for Detecting Ransomware Activity.” Rapid7 Blog, 16 May 2016, www.rapid7.com/blog/post/2016/05/16/methods-for-detecting-ransomware-activity/. Accessed 2 June 2021.

J.P. Morgan. “The Anatomy of a Ransomware Attack.” 9 July 2020.

Sjouwerman, Stu. “Anatomy of a Ransomware Attack [Infographic].” KnowBe4 Blog, blog.knowbe4.com/anatomy-of-a-ransomware-attack-infographic. Accessed 2 June 2021.

Published By Segun Ebenezer Olaniyan

Originally published at https://www.linkedin.com.
