Ransomware has only recently begun targeting corporations, which means that most security analysts have not yet had the opportunity to observe how it behaves within corporate environments. This makes it difficult for analysts to detect ransomware early enough in its lifecycle to stop it. This sparked our interest in researching ransomware behavior. After detonating 86 strains of ransomware in our lab, we were able to narrow the phases of ransomware activity down to six stages that make up the “Ransomware Kill Chain”. These six stages were ubiquitous across all the strains we tested, and consistent in the face of permutations or improvements to any specific strain.
By sharing our findings with the security community, we hope security analysts everywhere will better understand this type of malware. Armed with this information, analysts should be able to react faster in the event their organization is hit with a ransomware infection.
This research report details:
- The business models used by ransomware network operators
- The kill chain of a ransomware attack
- How to detect and disrupt ransomware in corporate environments