# Ransomware Fundamentals (T1486)
A SOC analyst's introduction to ransomware --- how operators get in, how encryption works, the double-extortion model, and the major RaaS families dominating the threat landscape.
## What Ransomware Is and How It Became an Industry
- Ransomware is malicious software that encrypts files or locks systems and demands a ransom for the decryption key.
- MITRE ATT&CK maps the encryption impact to T1486 (Data Encrypted for Impact).
- Ransomware is not a new threat — the first documented ransomware (PC Cyborg/AIDS Trojan) appeared in 1989 — but it has evolved from opportunistic, low-value attacks into a multi-billion-dollar criminal enterprise run as a service.
## The Ransomware Kill Chain — How Operators Get In
Ransomware is the final stage of a multi-phase intrusion. Understanding the path in is critical for detection:
| Stage | What Happens | How Attackers Do It | Detection Opportunity |
|---|---|---|---|
| 1. Initial Access | Attacker gains foothold | Phishing (most common), RDP brute force, vulnerability exploitation, compromised VPN credentials | Malicious email attachment or link detection; failed RDP logins from unusual IPs |
| 2. Persistence | Attacker ensures they can get back in | Scheduled tasks, WMI subscriptions, service installation, registry Run keys | Event ID 4698 (scheduled task), Sysmon Event 1 (new service), registry modification |
| 3. Reconnaissance | Attacker maps the network | AD enumeration via BloodHound, net commands, LDAP queries | Excessive 4662 (directory service access), net.exe execution from non-admin workstation |
| 4. Credential Theft | Attacker steals credentials for lateral movement | Mimikatz (LSASS dump), credential harvesting from local SAM, NTDS.dit extraction | Event ID 4688 with lsass.exe in process access; Event ID 4663 with access to lsass.exe; Mimikatz signature detection (strings in memory) |
| 5. Lateral Movement | Attacker spreads across the network | RDP, SMB/PsExec, WMI, WinRM | Event ID 4624 logon type 3 from unusual source; Event ID 4648 (explicit credentials); Service Control Manager events |
| 6. Data Exfiltration | Attacker steals sensitive data before encryption | Large outbound file transfers to cloud storage, FTP, attacker C2 | NetFlow anomalies (spike in outbound volume), unusual S3/cloud API calls from workstation |
| 7. Encryption | Attacker deploys ransomware across the domain | PsExec, GPO push, scheduled task deployment, WMIC deployment | Mass file rename events, EDR alerts for ransomware behavioral signatures, Event ID 4688 for ransomware binary execution across multiple hosts |
| 8. Extortion | Attacker demands payment | Ransom note, dark web leak site, email threat | Post-incident — forensic analysis determines the variant |
## Major Ransomware Families and Their TTPs
| Family | First Seen | Initial Access | Lateral Movement | Notable TTPs |
|---|---|---|---|---|
| LockBit | 2019 | Phishing, RDP brute force, compromised VPN | PsExec, scheduled tasks, GPO | Fastest encryption speed. LockBit 3.0 introduced bug bounty program. Self-spreading via GPO. |
| BlackCat/ALPHV | 2021 | Phishing, compromised credentials | PsExec, WMI, WinRM, VSS deletion | Rust-based. Custom exfiltration tool (Munchkin). First major RaaS group to use Rust for cross-platform targeting. |
| Black Basta | 2022 | Phishing (Qakbot), RDP, Zoho vulnerability | PsExec, RDP, SMB | Uses BITS for download. Very fast encryption. Known for exploiting ConnectWise vulnerabilities. |
| Clop | 2019 | Vulnerability exploitation (GoAnywhere MFT, MOVEit, Accellion FTA) | N/A — exploits vulnerable public-facing applications | Exclusively uses zero-day vulnerabilities. Large-scale data theft (MOVEit impacted 2,000+ orgs). |
| REvil/Sodinokibi | 2019 | Phishing, RDP, managed service provider compromise | AD group policy, scheduled tasks | First group to popularize “big game hunting” (>$1M ransoms). Automatic encryption on network shares. |
| Ryuk/Conti | 2018-2021 | Trickbot/Emotet initial access, then hands-on keyboard | PsExec, WMI, RDP | Manual deployment — human-operated, not automated. High ransom demands ($500K-$5M). Conti chat logs leaked in 2022 revealing internal operations. |
| Akira | 2023 | VPN credential compromise (no MFA), CVE exploitation | RDP, PsExec | Linux variant targets ESXi hypervisors. Uses custom Rust encryption. Ransom note demands payment in Bitcoin. |
| Lorenz | 2021 | Phishing, RDP brute force | PsExec, RDP, Cobalt Strike | Known for asymmetric encryption (fast encryption per file, slower for critical files). Uses command-line encryption. |
## The Double-Extortion Model
Modern ransomware attackers do not just encrypt data — they steal it first and threaten to publish it. This is the double-extortion model:
- Data exfiltration — before deploying encryption, attackers exfiltrate sensitive data to their servers
- Encryption — files are encrypted on each host
- Demand — ransom note demands payment for both: (a) decryption key, and (b) non-publication of stolen data
Why it changed the game: Organizations with good backups could recover from encryption without paying. With exfiltrated data, the attacker has a second bargaining chip — data breach notification laws, reputational damage, and customer notification costs create pressure to pay.
## RaaS (Ransomware-as-a-Service) Economics
| Role | Responsibility | Cut of Ransom |
|---|---|---|
| Developer | Writes and maintains the ransomware code | 20-30% |
| Affiliate | Conducts the intrusion — gains access, moves laterally, deploys ransomware | 70-80% |
| Initial Access Broker | Sells access to networks (bypass, VPN, RDP credentials) | Flat fee per access (varies by network size) |
| Money Launderer | Manages cryptocurrency payments, mixing, and conversion | 3-5% (plus layering costs) |
| Negotiator | Professional ransom negotiator (sometimes third-party IR firms) | Hourly or % of reduction |
Analyst implication: Disrupting any role in the chain affects the economics. Catching the affiliate during lateral movement prevents the encryption. Taking down the developer or infrastructure (leak site, payment portal) disrupts the entire model. This is why law enforcement operations target infrastructure and developers (e.g., REvil takedown, Hive takedown, LockBit takedown).
## Detection — Ransomware at Each Stage
| Stage | What to Monitor | Key Indicator |
|---|---|---|
| Initial Access | Email gateway, VPN logs, RDP logs | Phishing URL click, failed VPN login followed by success, user-reported suspicious email |
| Post-compromise | EDR, process creation (4688), PowerShell logs | powershell -EncodedCommand, wget/curl downloads, scheduled task creation |
| Credential Theft | Event 4663 (handle to lsass.exe), Sysmon Event 10 (process access) | Access to lsass.exe from non-standard process (not svchost, winlogon, LogonUI) |
| Lateral Movement | Event 4624 (logon type 3 or 9), Event 4648 (explicit credentials) | Service account logging on to workstations, PSExec service creation (Event 7045) |
| Data Exfiltration | NetFlow, proxy logs, cloud API calls | Outbound traffic spike, large file uploads to cloud storage, HTTP POST to uncommon IP |
| Encryption | EDR alerts, file audit events, high CPU | Mass .encrypted file creation, process with high CPU across multiple hosts, Event 4656 on file handles |
SPL query — detect credential theft (lsass.exe access from a process outside the expected set). `ProcessName` in 4663 is a full path, so the exclusion matches on the file name with a regex rather than comparing against a comma-separated string, which SPL's `IN` does not expand:

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4663
| search ObjectName="*lsass.exe"
| where NOT match(ProcessName, "(?i)(svchost|winlogon|LogonUI|csrss|lsm)\.exe$")
| stats values(ProcessName) as AccessingProcess, values(AccessMask) as Mask by SubjectUserName, ComputerName
| eval alert = "HIGH — non-standard process " . mvjoin(AccessingProcess, ", ") . " accessed lsass.exe on " . ComputerName
```
SPL query — detect lateral movement via service creation. Events are bucketed into 10-minute windows before the `stats` so that grouping by `_time` aggregates bursts of service installs instead of producing one row per event:

```spl
index=windows sourcetype="WinEventLog:System" EventCode=7045
| search ServiceName IN ("*PSExec*", "*psexesvc*", "*WMI*", "*WinRM*")
| bin _time span=10m
| stats values(ServiceName) as ServiceName, values(ServiceAccount) as ServiceAccount, values(ServiceType) as Type, count by ComputerName, _time
| eval alert = "HIGH — remote service created on " . ComputerName . " — possible lateral movement"
```
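The detection table and the two SPL queries above, reimplemented as an added Python example (not code from the original page) so the logic can be run offline: three rules, one each for the credential-theft, lateral-movement and encryption stages, applied to a handful of constructed event records. The encryption rule goes beyond the SPL on the page and implements the "mass .encrypted file creation" indicator from the table as a sliding-window burst count per host. Field names (EventCode, host, _time, ProcessName, ObjectName, SubjectUserName, ServiceName, TargetFilename), the allowlist, the extension pattern and the threshold values are assumptions modelled on the page's queries and on Sysmon's FileCreate event (ID 11).

```python
"""Stage-based ransomware detections over constructed Windows event records.

Added example, not code from the original page. Event records are plain dicts
whose field names are assumptions modelled on the page's SPL queries and on
Sysmon's FileCreate event (ID 11); adapt them to your own log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes that legitimately open lsass.exe (the same set as the page's 4663 query).
LSASS_ALLOWLIST = {"svchost.exe", "winlogon.exe", "logonui.exe", "csrss.exe", "lsm.exe"}

# Service names characteristic of remote-execution tooling (the page's 7045 query).
REMOTE_SERVICE_RE = re.compile(r"psexec|psexesvc|wmi|winrm", re.IGNORECASE)

# Encryption stage: this many files with a ransomware-style extension written on one
# host inside the window is treated as mass encryption. Both values are assumptions
# to tune per environment.
RENAME_THRESHOLD = 5
RENAME_WINDOW = timedelta(minutes=1)
ENCRYPTED_EXT_RE = re.compile(r"\.(encrypted|locked)$", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect_lsass_access(events):
    """Credential theft: Event 4663 on lsass.exe from a process outside the allowlist."""
    alerts = []
    for e in events:
        if e.get("EventCode") != 4663 or _basename(e.get("ObjectName", "")) != "lsass.exe":
            continue
        proc = _basename(e.get("ProcessName", ""))
        if proc not in LSASS_ALLOWLIST:
            alerts.append(f"HIGH {e['host']}: {proc} accessed lsass.exe as {e.get('SubjectUserName')}")
    return alerts


def detect_remote_service(events):
    """Lateral movement: Event 7045 service install whose name matches remote-exec tooling."""
    return [
        f"HIGH {e['host']}: service {e['ServiceName']} installed (possible lateral movement)"
        for e in events
        if e.get("EventCode") == 7045 and REMOTE_SERVICE_RE.search(e.get("ServiceName", ""))
    ]


def detect_mass_rename(events):
    """Encryption: burst of FileCreate (Sysmon 11) events with an encrypted-looking
    extension on a single host, counted with a sliding window over sorted timestamps."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("EventCode") == 11 and ENCRYPTED_EXT_RE.search(e.get("TargetFilename", "")):
            per_host[e["host"]].append(e["_time"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until the window spans at most RENAME_WINDOW.
            while times[end] - times[start] > RENAME_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= RENAME_THRESHOLD:
            alerts.append(f"CRITICAL {host}: {peak} encrypted-extension file writes within {RENAME_WINDOW}")
    return alerts


# Constructed sample events: one benign and one suspicious lsass access, one PsExec
# service install next to a benign one, a 6-file burst on FS01 and a lone file on WS02.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventCode": 4663, "host": "WS01", "SubjectUserName": "jdoe", "_time": T0,
     "ObjectName": r"C:\Windows\System32\lsass.exe", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 4663, "host": "WS01", "SubjectUserName": "jdoe", "_time": T0,
     "ObjectName": r"C:\Windows\System32\lsass.exe", "ProcessName": r"C:\Users\jdoe\Downloads\updater.exe"},
    {"EventCode": 7045, "host": "FS01", "ServiceName": "PSEXESVC", "_time": T0},
    {"EventCode": 7045, "host": "FS01", "ServiceName": "Spooler", "_time": T0},
    {"EventCode": 11, "host": "WS02", "TargetFilename": r"C:\temp\notes.txt.encrypted", "_time": T0},
] + [
    {"EventCode": 11, "host": "FS01", "_time": T0 + timedelta(seconds=5 * i),
     "TargetFilename": rf"D:\share\doc{i}.docx.encrypted"}
    for i in range(6)
]


def run_all(events=SAMPLE_EVENTS):
    """Apply every rule and return the combined alert list."""
    return detect_lsass_access(events) + detect_remote_service(events) + detect_mass_rename(events)


if __name__ == "__main__":
    for line in run_all():
        print(line)
```

Running the script prints three alerts, one per stage. The allowlist approach mirrors the SPL query: anything not on the short list of processes expected to touch lsass.exe is flagged, which is deliberately noisy and is meant to be tuned against a baseline of the environment's EDR and backup agents rather than widened casually.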
## Related
- Ransomware — detection and response for T1486 techniques
- Ransomware Response — detection and response for T1486 techniques
- Kill Chain — covers the kill chain concepts
- Cloud Security Fundamentals — detection and response for T1525 techniques
