Disrupting the Ransomware Kill Chain

Thousands of Internet users and organizations fall victim to ransomware attacks every year, and the use of such malicious software is growing rapidly. Global damages from ransomware are predicted to reach $265bn annually by 2031. The average cost of recovery from an attack had already doubled to $1.85m in 2021, and the after-effects can be even more damaging.
5 min read
By Andrey Barashkov
Senior Software Security Architect at DataArt

What is ransomware?

Ransomware is a type of malicious software that blocks access to data or to a computer system. The cybercriminals then demand that the victim pay a ransom to restore access to the data. The most common types of ransomware are encryptors and screen lockers. Encryptors encrypt the files on the targeted system, making it impossible to access them without the decryption key. Screen lockers, meanwhile, block access to the system with a "lock" screen that tells victims they have to purchase cryptocurrency in order to get their files back.

Do backups protect against ransomware?

Many business executives believe that having backup processes in place is enough to protect against ransomware. However, recent events connected with the Colonial Pipeline attack have shown that it's not that simple. Because the attackers took the time to get to know the organization, they were also able to encrypt the backups and include them in the bargain. Moreover, modern ransomware attacks go beyond just encrypting your files. Very often victims also risk losing all their passwords to various websites and portals. Well-known cybercriminal groups such as Maze and DoppelPaymer have already found a way to use stolen personal data to blackmail victims who don't want to pay for system recovery. In pursuit of additional means of monetization, cybercriminals use ransomware attacks as a smokescreen to divert security attention from other illicit activity behind the scenes. Analysts from Acronis have for several years been observing ransomware attacks that also deliver financial Trojans to the targets' systems.

Targeted ransomware attacks continue to spread through well-crafted phishing emails. Recently, however, malware operators have shifted their focus to finding poorly secured remote access services, such as RDP or vulnerable VPN servers, which are then used to attack remote employees. There are even ransomware-as-a-service websites that provide everything needed to attack a chosen organization or person.

How to disrupt the ransomware kill chain?

The Cyber Kill Chain concept is used to systematize cyberattack scenarios and describe their various phases. Breaking a targeted ransomware attack into stages helps defenders detect suspicious behavior at each stage and disrupt the ransomware kill chain.

We’ll look closely at each stage below, paying attention to practical tips that can minimize the potential damage of the attack.

1. Campaign distribution

During the first stage users are tricked into downloading a malicious dropper that starts the infection. Attackers distribute phishing emails with infected attachments or manipulate users into clicking links to malicious websites.

  • Do not open email attachments from unknown people. Always check a sender’s email address.
  • Do not open links contained in email messages from unknown persons.
  • Install updates regularly.
  • Protect remote access channels.

2. Infection

Once the dropper is downloaded and opened, it executes an application that installs the ransomware itself.

How to spot infection? There are several ways to detect a ransomware attack.

  • Alerts from antivirus software. If an antivirus scanner is installed on your device, a ransomware infection can be detected at an early stage (provided the ransomware has not bypassed the protection).
  • Changing file extensions. For example, a common image file extension is jpg. If this extension has been replaced with an unknown letter combination, the file may have been infected with ransomware.
  • Changing file names. Are the file names different from the ones you’ve had? Malware often changes file names when encrypting data. Hence, it can also be a sign of infection.
  • Increased disk or CPU activity may indicate that ransomware is running in the background.
  • Questionable network activity. Software that interacts with cybercriminals or malicious servers can trigger suspicious network activity.
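The "changing file extensions" and "changing file names" indicators above can be turned into a simple host-level detection: a burst of renames that give files an unknown extension within a short time window is far more typical of an encryptor than of a user tidying up folders. The following is an added example written for this article, not code from the author or from any product; the event format, the list of known extensions, the 60-second window and the threshold of 20 renames are illustrative assumptions, and the sample events are constructed.

```python
"""Heuristic detector for mass file renames / extension changes.

Added example (not from the original article). It replays a constructed list
of file-system rename events and flags a host when many files change to an
unknown extension within a short window. Thresholds and the event format are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import posixpath

# Extensions commonly seen on user documents. A rename whose target has an
# extension outside this set counts as suspicious. Constructed, not exhaustive.
KNOWN_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".txt", ".pptx"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # seconds since epoch
    host: str   # host the event was observed on
    src: str    # original path
    dst: str    # new path


def is_suspicious_rename(ev: RenameEvent) -> bool:
    """True when the rename changes the extension to something unknown,
    e.g. report.xlsx -> report.xlsx.locked. A rename that keeps the extension,
    or switches to another known one, is treated as ordinary user activity."""
    src_ext = posixpath.splitext(ev.src)[1].lower()
    dst_ext = posixpath.splitext(ev.dst)[1].lower()
    if src_ext == dst_ext:
        return False
    return dst_ext not in KNOWN_EXTENSIONS


def detect_mass_rename(events, window_s: float = 60.0, threshold: int = 20) -> dict:
    """Sliding-window counter per host.

    Returns {host: timestamp} giving, for each host, the first moment at which
    `threshold` suspicious renames fell inside the last `window_s` seconds."""
    windows = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious_rename(ev):
            continue
        q = windows[ev.host]
        q.append(ev.ts)
        # Drop events that have aged out of the window.
        while q and ev.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and ev.host not in alerts:
            alerts[ev.host] = ev.ts
    return alerts


def sample_events():
    """Constructed sample: one host with ordinary renames, one host where 30
    images gain an unknown extension within 15 seconds."""
    events = []
    for i in range(5):
        events.append(RenameEvent(1000.0 + i, "ws-01",
                                  f"/home/a/doc{i}.docx", f"/home/a/final{i}.docx"))
    for i in range(30):
        events.append(RenameEvent(2000.0 + i * 0.5, "ws-02",
                                  f"/home/b/photo{i}.jpg", f"/home/b/photo{i}.jpg.xyz1"))
    return events


if __name__ == "__main__":
    for host, ts in detect_mass_rename(sample_events()).items():
        print(f"ALERT host={host} threshold first crossed at ts={ts}")
```

In practice the events would come from a file-integrity or EDR agent rather than a list, and the threshold would be tuned per host type; the value of the check is that it fires while encryption is still in progress, which is exactly the moment at which isolating the machine (see stage 5) still limits the damage.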

3. Staging

Once the malware is inside the targeted device or the corporate network, attackers try to overcome the security controls and establish persistence that survives countermeasures.

Some criminal groups target password managers to penetrate deeper into the corporate network. Tools such as Mimikatz and BloodHound help them compromise domain administrator accounts. At this stage system APIs are modified, root rights are obtained, and the attackers gain full control over the system.

4. Scanning

The installed ransomware searches for data to encrypt on target systems across the network.

Very often mass data theft takes place under the guise of ransomware. There are many cases where cybercriminals managed to download terabytes of data from a company, which could have been prevented by installing and configuring network monitoring tools. After all, most of the time the data transfer happens simply over FTP, PuTTY, WinSCP or PowerShell scripts. To bypass DLP and network monitoring systems, criminals can encrypt the data or send it as a password-protected archive, creating a new challenge for security teams, who then need to check outbound traffic for such files.
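The network monitoring the paragraph calls for does not need to inspect content to be useful: outbound volume per host and the use of plain file-transfer protocols toward the Internet are visible in flow records even when the payload is an encrypted or password-protected archive. The following is an added example, not code from the article's author or any monitoring product; the flow-log line format ("ts src dst dport bytes"), the internal address ranges, the 500 MiB per hour threshold and the choice of ports 21 and 22 as file-transfer indicators are assumptions, and the sample flows are constructed.

```python
"""Flag outbound bulk transfers and file-transfer-protocol egress in flow logs.

Added example, not part of the original article. Parses constructed flow
records of the form "ts src dst dport bytes" and raises alerts when a host
sends more than a threshold volume to external addresses within one hour, or
when it uses FTP/SSH (SCP, SFTP) toward the Internet. All values assumed.
"""
from collections import defaultdict
import ipaddress

FILE_TRANSFER_PORTS = {21, 22}                    # FTP, SSH (SCP/SFTP)
BYTES_THRESHOLD = 500 * 1024 * 1024               # 500 MiB per host per hour (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "1700000000 10.0.1.5 203.0.113.10 443 120000",       # ordinary HTTPS
    "1700000100 10.0.1.5 10.0.2.8 445 900000000",        # internal SMB, ignored
    "1700000200 10.0.1.9 198.51.100.7 22 300000000",     # SSH to the Internet
    "1700000300 10.0.1.9 198.51.100.7 22 350000000",     # pushes host over threshold
    "1700000400 10.0.1.12 203.0.113.20 21 5000",         # FTP to the Internet
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def analyse(lines) -> list:
    """Return a list of alert tuples:
       ("file-transfer-port", src, dst, dport)  once per distinct triple
       ("bulk-egress", src, hour, total_bytes)  per host-hour over threshold"""
    per_host_hour = defaultdict(int)
    seen_transfer = set()
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if is_internal(f["dst"]):
            continue                                  # only egress matters here
        hour = f["ts"] // 3600
        per_host_hour[(f["src"], hour)] += f["bytes"]
        key = (f["src"], f["dst"], f["dport"])
        if f["dport"] in FILE_TRANSFER_PORTS and key not in seen_transfer:
            seen_transfer.add(key)
            alerts.append(("file-transfer-port",) + key)
    for (src, hour), total in per_host_hour.items():
        if total > BYTES_THRESHOLD:
            alerts.append(("bulk-egress", src, hour, total))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

The volume check is deliberately protocol-agnostic: an encrypted archive sent over HTTPS shows up just as clearly as a plain FTP session, which is why egress baselining complements rather than replaces content-inspecting DLP.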

Analysis of infostealers’ behavior shows that attackers don’t collect everything — they are mainly interested in financial reports, employees’ and customers’ personal data, contracts, records, and legal documents. Malware scans for any information that could be further used for blackmail.

5. Encryption

Ransomware encrypts data in various ways, including encrypting the master boot record or the file system, encrypting individual files, or even encrypting entire virtual machines. Some ransomware targets backup systems to prevent recovery.

At this stage it is very hard to stop the attack, but some measures can still limit the consequences. For example, isolate the infected device from the Internet and from all other devices to keep the malware from spreading across the wider network. Also, segment your network in advance: use L3 switches with configured VLANs and routers.

6. Payday

A ransom note is displayed to the victim with payment instructions. Some types of ransomware include timeout thresholds after which the ransom price increases or the software begins to delete encrypted files.

At this stage the victim has several options:

  • trust the attackers and pay the ransom.
  • try to remove the malware (there are security firms that claim to be able to help remove the ransomware).
  • reinstall the system from scratch.

However, even if you pay the ransom and the attackers agree to give you the keys for data recovery, there are still cases where it is impossible to decrypt all the information because of bugs in the ransomware itself. Therefore, the best solution is to contact information security specialists who can guide you through a proper incident response process and possibly help recover your data as well.

Thus, using a backup system alone, even with a good recovery plan, is not enough to counteract a targeted multi-stage ransomware attack. A good defensive approach should include comprehensive traffic analysis and investigation.
