The Seven Steps in the Ransomware Kill Chain | TorchLight Security

Ransomware can be a large concern for businesses. Stephen Heath, CTO, TorchLight, helps outline Cisco's seven steps in the ransomware kill chain.


The Seven Steps in the Ransomware Kill Chain

Intro: Ransomware is a serious concern for businesses: it encrypts the files and systems critical to operations and holds them hostage until a ransom is paid. While every business should be aware of ransomware, not all understand the many steps involved in a full attack. Knowing and identifying the following steps in the ransomware kill chain can help businesses defend against it, and get the right security controls in place before an attack happens and halts business operations.

According to Cisco, there are seven steps in the ransomware kill chain:

  1. Recon: The attacker gathers information on the company, picks who to target, and decides which ads or emails will look trustworthy enough to get a foothold in the environment.
  2. Stage: Phishing emails or malicious web pages (including malvertising) trick users into opening malware or handing over credentials that give the attacker access to the network.
  3. Launch: In the compromise stage of the kill chain, users are redirected from seemingly trustworthy sites to exploit-kit landing pages, and the attacker takes control of the targeted system.
  4. Exploit: Still in the compromise stage, the attacker scans the user's device and the surrounding network for vulnerabilities that allow movement into the company's wider systems.
  5. Install: The ransomware payload is installed on the compromised system; this is the code that will encrypt the files.
  6. Callback: The ransomware calls home: a command-and-control (C2) server is used to deliver the keys used for encryption.
  7. Persist: The attacker encrypts everything reachable, halting business operations, and demands a ransom, pressuring the company to pay or lose its critical data and infrastructure.
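The two late steps in the chain, callback and encryption, leave measurable traces on the endpoint and the network. The script below is an added example (not TorchLight's or Cisco's code) that tags constructed endpoint and connection events with the kill-chain step they indicate: a burst of file renames to a ransom-style extension on one host (install/persist) and near-periodic outbound connections from one host to one destination (callback). The event schema, the hostnames and IPs, the extension list, and the thresholds are all assumptions made for illustration.

```python
"""Stage-tagged ransomware indicators over constructed events.

Added example; not code from the original page, TorchLight, or Cisco.
The Event schema, thresholds, hosts, IPs and sample events are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (assumed monotonic clock)
    host: str      # endpoint that produced the event
    kind: str      # "file_rename" or "net_conn" (assumed schema)
    detail: str    # new filename for renames, "ip:port" for connections


def detect_encryption_burst(events, window=10.0, threshold=20,
                            suspect_exts=(".locked", ".enc", ".crypt")):
    """Install/Persist step: flag a host that renames >= threshold files to a
    suspicious extension within a sliding window of `window` seconds."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "file_rename" or not e.detail.lower().endswith(suspect_exts):
            continue
        q = recent[e.host]
        q.append(e.ts)
        while q and e.ts - q[0] > window:      # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold and e.host not in flagged:
            flagged.add(e.host)
            alerts.append(("persist", e.host,
                           f"{len(q)} suspicious renames in {window:.0f}s"))
    return alerts


def detect_beacon(events, min_conns=5, max_jitter=0.15):
    """Callback step: flag a host whose connections to one destination are
    near-periodic (low coefficient of variation of the inter-arrival gaps)."""
    by_dst = defaultdict(list)
    for e in events:
        if e.kind == "net_conn":
            by_dst[(e.host, e.detail)].append(e.ts)
    alerts = []
    for (host, dst), times in by_dst.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_jitter:
            alerts.append(("callback", host,
                           f"{len(times)} conns to {dst}, interval ~{avg:.0f}s, cv={cv:.2f}"))
    return alerts


def run_detections(events):
    """Return all alerts as (step, host, message) tuples, callback first."""
    return detect_beacon(events) + detect_encryption_burst(events)


# Constructed sample: ws-17 beacons every 60 s, then mass-renames documents;
# ws-02 saves a few ordinary files and browses with irregular timing.
SAMPLE_EVENTS = (
    [Event(600.0 + 60 * i, "ws-17", "net_conn", "203.0.113.5:443") for i in range(6)]
    + [Event(1000.0 + 0.4 * i, "ws-17", "file_rename",
             f"C:\\Users\\a\\Documents\\report{i}.docx.locked") for i in range(25)]
    + [Event(1005.0 + 5 * i, "ws-02", "file_rename", f"notes{i}.txt") for i in range(3)]
    + [Event(t, "ws-02", "net_conn", "198.51.100.7:443")
       for t in (700.0, 712.0, 790.0, 805.0, 900.0)]
)

if __name__ == "__main__":
    for step, host, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{step}] {host}: {msg}")
```

The two detectors are independent, so each can be fed from a different telemetry source (endpoint file events and firewall or proxy connection logs), which matches the point that different steps of the chain are covered by different tools. Thresholds should be tuned against a baseline of normal activity before the rules are trusted in production.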

The Good and the Bad in the Ransomware Threat Evolution

Bad: The variety and complexity of the steps in the ransomware kill chain have led many bad actors to specialize in one piece of it (credential phishers who sell access to other crews, exploit kits offered for sale, specialists who run the callback infrastructure, and so on). Companies must stay agile, combining several solutions to adapt to new and evolving threats.

Good: Managed Detection and Response (MDR), when designed and managed correctly, can provide a comprehensive defense against ransomware, malware, and other types of attack. Each step in the chain calls for a different security tool: firewall and intrusion prevention against the recon and exploit steps, email and web security against the stage and launch steps, and anti-malware and endpoint detection against the later install, callback, and persist steps. Reach out to TorchLight and build your business's comprehensive ransomware protection today.