Threats
T1486Ransomware
How ransomware operators gain access, encrypt data, and extort organizations — and how analysts detect and respond at each stage of the attack chain. Includes detection Event IDs, SPL/KQL queries, and a full triage workflow.
View on Graph
What It Is and How Ransomware Operators Work
- Ransomware is malicious software that encrypts files or locks systems and demands a ransom payment for the decryption key.
- MITRE ATT&CK maps data encryption for impact to
T1486(Data Encrypted for Impact). - This is the final stage of the attack chain, not the beginning. By the time files are encrypted, the attacker has typically been inside the network for days or weeks performing reconnaissance, stealing credentials, exfiltrating data, and deploying the ransomware payload across every reachable system.
- Modern ransomware operations follow the double extortion model: the attacker exfiltrates data before encryption and threatens to publish it if the ransom is not paid.
The Ransomware Attack Chain — Detection at Each Stage
Ransomware follows a predictable chain. Detecting the intrusion at an earlier stage prevents encryption entirely.
Stage 1: Initial Access (Days -2 to -7)
Common vectors:
- Phishing email with malicious attachment or link
- Remote Desktop Protocol (RDP) brute force
- Vulnerable internet-facing application
- Compromised credentials from a prior breach (may involve credential stuffing)
- Drive-by download via compromised website
Event IDs to monitor:
| Event ID | What It Detects |
|---|---|
| 4625 | Failed logon — brute force indicator |
| 4648 | Explicit credential use — first sign of credential theft |
| 4688 | Process creation — suspicious binary execution |
| Sysmon 1 | Process creation with command-line detail |
SPL query — detect initial access via RDP brute force:
index=windows sourcetype=WinEventLog:Security EventCode=4625 LogonType=10
| stats count, values(AccountName) as TargetedAccounts by IpAddress, bin(_time, 5m)
| where count > 10
| eval alert = "RDP BRUTE FORCE — " . count . " failed RDP logins from " . IpAddress . " targeting accounts: " . mvjoin(TargetedAccounts, ", ")
| table _time, IpAddress, count, TargetedAccounts, alert
Stage 2: Persistence and Defense Evasion (Days -1 to -3)
Common techniques:
- Creating scheduled tasks for persistence
- Disabling security tools (Windows Defender, EDR, AV)
- Modifying firewall rules
- Deleting volume shadow copies (
vssadmin delete shadows /all /quiet) - Deploying backdoor via Cobalt Strike or other C2 frameworks
Event IDs to monitor:
| Event ID | Log Source | What It Detects |
|---|---|---|
| 4698 | Security | Scheduled task created |
| 4688 | Security | vssadmin.exe executed |
| Sysmon 13 | Sysmon | Registry value change — disabling security tools |
| Sysmon 3 | Sysmon | Outbound C2 connections |
| 7036 | System | Service stopped — EDR/AV disabled |
SPL query — detect VSS deletion (ransomware precursor):
index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| search CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*"
| eval alert = "CRITICAL — Volume Shadow Copy deletion — ransomware precursor"
| table _time, Computer, User, Image, CommandLine, alert
Stage 3: Credential Theft (Days -1 to -2)
Common techniques:
- LSASS memory dumping (Mimikatz, ProcDump)
- DCSync attack
- SAM hive extraction
- Keylogging
Event IDs to monitor:
| Event ID | Log Source | What It Detects |
|---|---|---|
| Sysmon 10 | Sysmon | Process access — non-LSASS accessing LSASS |
| 4662 | Security | Directory Service access — DCSync |
| 4688 | Security | Command line with lsadump, sekurlsa, mimikatz |
Stage 4: Lateral Movement (Hours to days before encryption)
Common techniques:
- RDP to other workstations and servers — often facilitated by LOLBins
- WMI / WinRM for remote command execution
- PsExec for remote service creation
- SMB file share propagation
- Cobalt Strike SMB beacon or SSH tunneling
Event IDs to monitor:
| Event ID | Log Source | What It Detects |
|---|---|---|
| 4624 LogonType 3 | Security | Network logon — lateral movement |
| 4697 | Security | Service installed — PsExec |
| Sysmon 1 | Sysmon | WMI process creation via wmiprvse.exe |
| 4648 | Security | Explicit credential use |
SPL query — detect lateral movement via network logons:
index=windows sourcetype=WinEventLog:Security EventCode=4624 LogonType=3
| search AccountName!="SYSTEM" AccountName!="ANONYMOUS LOGON" AccountName!="*$"
| stats dc(WorkstationName) as UniqueWorkstations by AccountName, Computer
| where UniqueWorkstations > 3
| eval alert = "LATERAL MOVEMENT — " . AccountName . " accessed " . UniqueWorkstations . " unique workstations from " . Computer
| table _time, AccountName, Computer, UniqueWorkstations, alert
Stage 5: Data Exfiltration (Hours before encryption)
Common techniques:
- HTTP/HTTPS POST to attacker server
- FTP/SFTP upload
- Cloud storage API upload (S3, Azure Blob)
- Email exfiltration
- DNS tunneling
Event IDs to monitor:
| Event ID | Log Source | What It Detects |
|---|---|---|
| Sysmon 3 | Sysmon | Outbound network connections — large data transfers |
| Sysmon 22 | Sysmon | DNS queries — DNS tunneling exfiltration |
| Proxy logs | Web proxy | Large POST requests, unusual User-Agents |
SPL query — detect data exfiltration via large POST requests:
index=proxy sourcetype=access_combined
| search method=POST status=200
| eval size_mb = bytes/1048576
| where size_mb > 10
| stats sum(bytes) as total_bytes, count by src_ip, dest_ip, user
| where total_bytes > 50000000
| eval alert = "DATA EXFIL — " . round(total_bytes/1048576, 2) . "MB uploaded via POST from " . src_ip . " by user " . user
| table _time, src_ip, user, dest_ip, total_bytes, alert
Stage 6: Encryption (The “boom” — 0 to +60 minutes)
What you see:
- Mass file creation/modification events (Sysmon Event 11)
- High disk I/O alerts
- Ransom note creation (Sysmon Event 11 — filename = README, DECRYPT, etc.)
- Service or process with high CPU/Disk activity and unknown origin
- File share disconnection alerts from users unable to open files
Event IDs to monitor:
| Event ID | Log Source | What It Detects |
|---|---|---|
| Sysmon 11 | Sysmon | Mass file creation — encryption in progress |
| 1 | Sysmon | Encryption binary execution |
| System 1001 | System | Bugcheck (BSOD) — ransomware crash |
| System 7036 | System | Service stopped — backup service killed |
SPL query — detect mass file creation (encryption):
index=windows sourcetype=WinEventLog:Sysmon EventCode=11
| stats count, values(TargetFilename) as Files by Computer, Image, bin(_time, 60s)
| where count > 200
| eval alert = "CRITICAL — " . count . " files modified by " . Image . " on " . Computer . " — ransomware encryption likely in progress"
| table _time, Computer, Image, count, Files, alert
Ransomware Detection — Full SIEM Correlation Query
SPL query — ransomware detection correlation:
index=windows sourcetype=WinEventLog:Sysmon OR WinEventLog:Security
| search EventCode IN (1, 3, 10, 11, 22, 4624, 4625, 4648, 4697, 4698)
| eval stage = case(
EventCode=4625 AND LogonType=10, "Initial Access - RDP Brute Force",
CommandLine="*vssadmin*delete*", "Defense Evasion - VSS Deletion",
CommandLine="*wmic*shadowcopy*delete*", "Defense Evasion - VSS Deletion",
EventCode=1 AND CommandLine="*,skip*, *-exclusion*", "Defense Evasion - AV Bypass",
EventCode=10 AND GrantedAccess=0x1FFFFF, "Credential Theft - LSASS Access",
EventCode=4697 AND ServiceFileName="*Temp*", "Lateral Movement - Service Install",
EventCode=4698, "Persistence - Scheduled Task",
EventCode=3 AND DestinationPort=443, "C2 - HTTPS Beacon",
EventCode=3 AND DestinationPort IN (21, 22), "Data Exfiltration - FTP/SSH",
EventCode=11 AND count > 200, "Encryption - Mass File Modification",
"Other"
)
| stats count by Computer, stage, bin(_time, 1h)
| search stage!="Other"
| sort - count
| eval alert = "RANSOMWARE CHAIN — " . stage . " on " . Computer . " (" . count . " events)"
| table _time, Computer, stage, count
Triage Decision Matrix — Where in the Chain You Are
| Detected At | Response |
|---|---|
| Stage 1-2 (Initial access, persistence) | Isolate the compromised host. Reset compromised credentials. Close the vector. No data loss expected. |
| Stage 3 (Credential theft) | Isolate. Reset ALL credentials in the domain. The attacker has your keys. |
| Stage 4 (Lateral movement) | Isolate affected segments. Assume multiple hosts compromised. Prepare for encryption. |
| Stage 5 (Data exfiltration) | Block outbound traffic. Prepare for double extortion. Begin breach notification process. |
| Stage 6 (Encryption) | Full incident response. Ransomware playbook. Backup restoration. Law enforcement notification. |
Prevention — Controls That Stop Ransomware
| Control | What It Stops | Priority |
|---|---|---|
| EDR with behavioral detection | Early-stage detection of ransomware behavior | Highest — alerts on process behavior, not just file hashes |
| MFA on all external-facing services | RDP brute force / credential theft | Highest — prevents initial access via compromised credentials |
| Disable RDP from internet | RDP-based initial access | Critical — RDP is the #1 initial access vector for ransomware |
| Backup strategy (3-2-1 rule) | Ensures recovery without paying ransom | Critical — 3 copies, 2 media types, 1 offsite |
| VSS protection | Prevents attacker from deleting shadow copies | High — enables local file recovery |
| ASR rules (Attack Surface Reduction) | Blocks LSASS credential theft, Office child process creation, PSExec | High — stops common ransomware techniques |
| Network segmentation | Limits lateral movement blast radius | High — attacker cannot encrypt domain controllers from a workstation |
| Restrict PowerShell | Prevents fileless malware and in-memory credential theft | Medium — Constrained Language Mode, logging |
Related
- Ransomware Fundamentals — covers the ransomware fundamentals concepts
- Ransomware Response — detection and response for T1486 techniques
- Kill Chain — covers the kill chain concepts
- API Attacks — OWASP API Top 10 — detection and response for T1190 techniques
- Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques
- First VPN Dismantled in Global Takedown — how first vpn dismantled in global takedown over use by 25 ransomware groups attacks work and how to detect them
