Threats

T1486

Ransomware

How ransomware operators gain access, encrypt data, and extort organizations — and how analysts detect and respond at each stage of the attack chain. Includes detection Event IDs, SPL/KQL queries, and a full triage workflow.

View on Graph

What It Is and How Ransomware Operators Work

  • Ransomware is malicious software that encrypts files or locks systems and demands a ransom payment for the decryption key.
  • MITRE ATT&CK maps data encryption for impact to T1486 (Data Encrypted for Impact).
  • This is the final stage of the attack chain, not the beginning. By the time files are encrypted, the attacker has typically been inside the network for days or weeks performing reconnaissance, stealing credentials, exfiltrating data, and deploying the ransomware payload across every reachable system.
  • Modern ransomware operations follow the double extortion model: the attacker exfiltrates data before encryption and threatens to publish it if the ransom is not paid.

The Ransomware Attack Chain — Detection at Each Stage

Ransomware follows a predictable chain. Detecting the intrusion at an earlier stage prevents encryption entirely.

Stage 1: Initial Access (Days -2 to -7)

Common vectors:

  • Phishing email with malicious attachment or link
  • Remote Desktop Protocol (RDP) brute force
  • Vulnerable internet-facing application
  • Compromised credentials from a prior breach (may involve credential stuffing)
  • Drive-by download via compromised website

Event IDs to monitor:

Event IDWhat It Detects
4625Failed logon — brute force indicator
4648Explicit credential use — first sign of credential theft
4688Process creation — suspicious binary execution
Sysmon 1Process creation with command-line detail

SPL query — detect initial access via RDP brute force:

index=windows sourcetype=WinEventLog:Security EventCode=4625 LogonType=10
| stats count, values(AccountName) as TargetedAccounts by IpAddress, bin(_time, 5m)
| where count > 10
| eval alert = "RDP BRUTE FORCE — " . count . " failed RDP logins from " . IpAddress . " targeting accounts: " . mvjoin(TargetedAccounts, ", ")
| table _time, IpAddress, count, TargetedAccounts, alert

Stage 2: Persistence and Defense Evasion (Days -1 to -3)

Common techniques:

  • Creating scheduled tasks for persistence
  • Disabling security tools (Windows Defender, EDR, AV)
  • Modifying firewall rules
  • Deleting volume shadow copies (vssadmin delete shadows /all /quiet)
  • Deploying backdoor via Cobalt Strike or other C2 frameworks

Event IDs to monitor:

Event IDLog SourceWhat It Detects
4698SecurityScheduled task created
4688Securityvssadmin.exe executed
Sysmon 13SysmonRegistry value change — disabling security tools
Sysmon 3SysmonOutbound C2 connections
7036SystemService stopped — EDR/AV disabled

SPL query — detect VSS deletion (ransomware precursor):

index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| search CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*"
| eval alert = "CRITICAL — Volume Shadow Copy deletion — ransomware precursor"
| table _time, Computer, User, Image, CommandLine, alert

Stage 3: Credential Theft (Days -1 to -2)

Common techniques:

  • LSASS memory dumping (Mimikatz, ProcDump)
  • DCSync attack
  • SAM hive extraction
  • Keylogging

Event IDs to monitor:

Event IDLog SourceWhat It Detects
Sysmon 10SysmonProcess access — non-LSASS accessing LSASS
4662SecurityDirectory Service access — DCSync
4688SecurityCommand line with lsadump, sekurlsa, mimikatz

Stage 4: Lateral Movement (Hours to days before encryption)

Common techniques:

  • RDP to other workstations and servers — often facilitated by LOLBins
  • WMI / WinRM for remote command execution
  • PsExec for remote service creation
  • SMB file share propagation
  • Cobalt Strike SMB beacon or SSH tunneling

Event IDs to monitor:

Event IDLog SourceWhat It Detects
4624 LogonType 3SecurityNetwork logon — lateral movement
4697SecurityService installed — PsExec
Sysmon 1SysmonWMI process creation via wmiprvse.exe
4648SecurityExplicit credential use

SPL query — detect lateral movement via network logons:

index=windows sourcetype=WinEventLog:Security EventCode=4624 LogonType=3
| search AccountName!="SYSTEM" AccountName!="ANONYMOUS LOGON" AccountName!="*$"
| stats dc(WorkstationName) as UniqueWorkstations by AccountName, Computer
| where UniqueWorkstations > 3
| eval alert = "LATERAL MOVEMENT — " . AccountName . " accessed " . UniqueWorkstations . " unique workstations from " . Computer
| table _time, AccountName, Computer, UniqueWorkstations, alert

Stage 5: Data Exfiltration (Hours before encryption)

Common techniques:

  • HTTP/HTTPS POST to attacker server
  • FTP/SFTP upload
  • Cloud storage API upload (S3, Azure Blob)
  • Email exfiltration
  • DNS tunneling

Event IDs to monitor:

Event IDLog SourceWhat It Detects
Sysmon 3SysmonOutbound network connections — large data transfers
Sysmon 22SysmonDNS queries — DNS tunneling exfiltration
Proxy logsWeb proxyLarge POST requests, unusual User-Agents

SPL query — detect data exfiltration via large POST requests:

index=proxy sourcetype=access_combined
| search method=POST status=200
| eval size_mb = bytes/1048576
| where size_mb > 10
| stats sum(bytes) as total_bytes, count by src_ip, dest_ip, user
| where total_bytes > 50000000
| eval alert = "DATA EXFIL — " . round(total_bytes/1048576, 2) . "MB uploaded via POST from " . src_ip . " by user " . user
| table _time, src_ip, user, dest_ip, total_bytes, alert

Stage 6: Encryption (The “boom” — 0 to +60 minutes)

What you see:

  • Mass file creation/modification events (Sysmon Event 11)
  • High disk I/O alerts
  • Ransom note creation (Sysmon Event 11 — filename = README, DECRYPT, etc.)
  • Service or process with high CPU/Disk activity and unknown origin
  • File share disconnection alerts from users unable to open files

Event IDs to monitor:

Event IDLog SourceWhat It Detects
Sysmon 11SysmonMass file creation — encryption in progress
1SysmonEncryption binary execution
System 1001SystemBugcheck (BSOD) — ransomware crash
System 7036SystemService stopped — backup service killed

SPL query — detect mass file creation (encryption):

index=windows sourcetype=WinEventLog:Sysmon EventCode=11
| stats count, values(TargetFilename) as Files by Computer, Image, bin(_time, 60s)
| where count > 200
| eval alert = "CRITICAL — " . count . " files modified by " . Image . " on " . Computer . " — ransomware encryption likely in progress"
| table _time, Computer, Image, count, Files, alert

Ransomware Detection — Full SIEM Correlation Query

SPL query — ransomware detection correlation:

index=windows sourcetype=WinEventLog:Sysmon OR WinEventLog:Security
| search EventCode IN (1, 3, 10, 11, 22, 4624, 4625, 4648, 4697, 4698)
| eval stage = case(
    EventCode=4625 AND LogonType=10, "Initial Access - RDP Brute Force",
    CommandLine="*vssadmin*delete*", "Defense Evasion - VSS Deletion",
    CommandLine="*wmic*shadowcopy*delete*", "Defense Evasion - VSS Deletion",
    EventCode=1 AND CommandLine="*,skip*, *-exclusion*", "Defense Evasion - AV Bypass",
    EventCode=10 AND GrantedAccess=0x1FFFFF, "Credential Theft - LSASS Access",
    EventCode=4697 AND ServiceFileName="*Temp*", "Lateral Movement - Service Install",
    EventCode=4698, "Persistence - Scheduled Task",
    EventCode=3 AND DestinationPort=443, "C2 - HTTPS Beacon",
    EventCode=3 AND DestinationPort IN (21, 22), "Data Exfiltration - FTP/SSH",
    EventCode=11 AND count > 200, "Encryption - Mass File Modification",
    "Other"
  )
| stats count by Computer, stage, bin(_time, 1h)
| search stage!="Other"
| sort - count
| eval alert = "RANSOMWARE CHAIN — " . stage . " on " . Computer . " (" . count . " events)"
| table _time, Computer, stage, count

Triage Decision Matrix — Where in the Chain You Are

Detected AtResponse
Stage 1-2 (Initial access, persistence)Isolate the compromised host. Reset compromised credentials. Close the vector. No data loss expected.
Stage 3 (Credential theft)Isolate. Reset ALL credentials in the domain. The attacker has your keys.
Stage 4 (Lateral movement)Isolate affected segments. Assume multiple hosts compromised. Prepare for encryption.
Stage 5 (Data exfiltration)Block outbound traffic. Prepare for double extortion. Begin breach notification process.
Stage 6 (Encryption)Full incident response. Ransomware playbook. Backup restoration. Law enforcement notification.

Prevention — Controls That Stop Ransomware

ControlWhat It StopsPriority
EDR with behavioral detectionEarly-stage detection of ransomware behaviorHighest — alerts on process behavior, not just file hashes
MFA on all external-facing servicesRDP brute force / credential theftHighest — prevents initial access via compromised credentials
Disable RDP from internetRDP-based initial accessCritical — RDP is the #1 initial access vector for ransomware
Backup strategy (3-2-1 rule)Ensures recovery without paying ransomCritical — 3 copies, 2 media types, 1 offsite
VSS protectionPrevents attacker from deleting shadow copiesHigh — enables local file recovery
ASR rules (Attack Surface Reduction)Blocks LSASS credential theft, Office child process creation, PSExecHigh — stops common ransomware techniques
Network segmentationLimits lateral movement blast radiusHigh — attacker cannot encrypt domain controllers from a workstation
Restrict PowerShellPrevents fileless malware and in-memory credential theftMedium — Constrained Language Mode, logging

Sources