Ransomware Kill Chain
Ransomware is identified by specific characteristics: malware that infects a system, encrypts the files it finds, and then demands a payment, or ransom, from the owner of the files to get them back. Ransomware operators also keep the ransom note and the encryption key on their own servers, using HTTP requests to push the ransom note down to the victim machines and to access the key held on their servers, so the key never touches the victim’s environment. This protects the key from being found by the victim, which would make decryption easier. Ransomware attacks also follow a Ransomware Kill Chain much like the Cyber Kill Chain; both are based on the military kill chain. The MITRE ATT&CK framework is a well-known, standardized knowledge base of adversary tactics, techniques, and common knowledge (the TT and CK part of the name). The framework is arranged so that defenders can easily understand the goal behind the alerts they receive as well as the life stage of a potential attack. Moving from left to right through the ATT&CK framework advances through the stages of an attack, starting with Initial Access and ending at Impact, where the effects of the attack are felt by the victim. The phases of the attack cycle are Initial Access, Execution, Lateral Movement, Command and Control, and finally Impact.
Initial Access is the first phase of the attack chain: the adversary breaches the network and gains access to the victim’s environment. This can be done in a few different ways, the most common methods being phishing, drive-by compromise, exploiting a public-facing application, abuse of valid accounts, or use of external remote services. Phishing emails continue to be the most effective way for an attacker to get malware into a victim’s network. No matter how secure a computer network is, the human operator is always the weakest link, and social engineering will always be an effective attack vector. A drive-by compromise is when an attacker places malware on a website that attempts to install itself into visitors’ browsers when they visit the site. These most commonly take advantage of vulnerabilities in the browser software, which is why it is so critical to keep your browser and operating system up to date. Exploiting public-facing applications and external remote services both involve taking advantage of either a vulnerability or a misconfiguration in the service. Abuse of valid accounts is where an adversary has the username and password of a valid account in the environment; they could have obtained these via a phishing campaign, by cracking credentials, or by purchasing the credentials from a credential dump.
Execution is the second phase of the attack chain, where the attacker’s malware is run to grant them access to the network. The most common way for this to happen is simply for a user to execute the malware, for example via a phishing email or some other form of social engineering. Using system administration tools is another common and effective way for attackers to spread malware, as unauthorized use of these tools is hard to detect when they are already in the environment; this method is called Living off the Land (frequently abbreviated to LoL). If remote administration tools such as PSExec are left on machines for an administrator’s convenience, they are just as easily accessible to attackers. PSExec is a very common remote administration tool and one that is also frequently used by attackers, so its usage should be carefully monitored and controlled. PowerShell is another tool whose usage should be closely monitored and controlled: it can be used to deploy malware into the environment, and because it is commonly used by system administrators for normal system maintenance, malicious use is hard to distinguish from routine activity. Native APIs can also be used to execute malware or other types of payloads if they are configured incorrectly and allow unauthorized users to perform privileged commands via their interfaces.
Lateral Movement is the third phase of the attack chain, where the attacker has gained access to the network and established a persistent way to reconnect if their connection is severed for any reason. This is the phase where the attacker begins moving through the network looking for important targets. There are several ways an attacker can do this, the biggest and easiest being the exploitation of remote access services configured in the network. Several servers have remote desktop enabled for remote administration by system administrators, and if those systems are not patched or are running legacy operating systems, they can be easy points of exploitation. Poisoning of shared content is another common vector of attack: an attacker replaces a commonly accessed file on the network with a malicious version. I have seen this happen before during a penetration test being performed. The calculator application was replaced by the testers with a malicious version, which when executed also executed the pre-programmed payload the testers had created. Lateral tool transfer is also common, as it is very difficult to detect, especially if the tools already existed in the environment, such as PSExec. This is referred to as Living Off The Land and is a very common attack methodology; it is much harder to detect the movement of authorized tools than the download of new tools from the Internet. Alternative authentication methods can also be abused, such as legacy authentication methods or misconfigured ones. If the SSH key for a server is stolen by an attacker, it can be used to authenticate remotely to that server without a password. Additionally, if that server is using Telnet, the password for the server is sent across the network in plaintext.
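The Execution and Lateral Movement sections both say that PSExec, PowerShell and remote desktop usage should be monitored because attackers reuse tools that are already present. As an added example (not code from the original article), the following Python script shows what that monitoring can look like in practice: three small detection rules run over a handful of constructed Windows event log lines. The one-line key=value log format is invented for the example; the event IDs 7045 (service installed), 4688 (process created) and 4624 (logon, where LogonType 10 is a remote desktop session) are real Windows event IDs, and PSEXESVC is the default service name PsExec installs on the remote host.

```python
"""Added example: simple living-off-the-land detections over constructed
Windows event log lines. Not from the original article. Assumptions: events
arrive one per line as key=value pairs (an invented export format); 7045,
4688 and 4624 are the real Windows event IDs named above; PSEXESVC is the
default PsExec service name (it can be renamed, hence the ImagePath check)."""
import re
from collections import defaultdict

# Constructed sample events, not captured from any real system.
SAMPLE_EVENTS = [
    "EventID=7045 Host=FS01 ServiceName=PSEXESVC ImagePath=C:\\Windows\\PSEXESVC.exe",
    "EventID=7045 Host=FS01 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    'EventID=4688 Host=WS12 User=jdoe NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"',
    'EventID=4688 Host=WS12 User=jdoe NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    "EventID=4624 Host=DC01 User=svc_backup LogonType=10 SourceIP=10.0.5.77",
    "EventID=4624 Host=DC01 User=svc_backup LogonType=10 SourceIP=10.0.5.78",
    "EventID=4624 Host=DC01 User=svc_backup LogonType=10 SourceIP=10.0.5.79",
    "EventID=4624 Host=DC01 User=admin LogonType=2 SourceIP=10.0.1.5",
]

# key=value pairs; a quoted value may contain spaces (needed for CommandLine).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for base64-encoded scripts.
ENC_FLAG_RE = re.compile(r'\s-e(?:c|nc|ncodedcommand)?\s', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value log line into a dict, dropping quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def detect_psexec_service(ev):
    """Rule 1: a service install (7045) whose name or binary is PsExec's service."""
    if ev.get("EventID") != "7045":
        return None
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "").upper()
    if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
        return {"rule": "psexec_service_install", "host": ev.get("Host"), "detail": name}
    return None


def detect_encoded_powershell(ev):
    """Rule 2: a process creation (4688) of powershell.exe with an encoded command."""
    if ev.get("EventID") != "4688":
        return None
    proc = ev.get("NewProcessName", "").lower()
    cmd = ev.get("CommandLine", "")
    if proc.endswith("powershell.exe") and ENC_FLAG_RE.search(cmd):
        return {"rule": "powershell_encoded_command", "host": ev.get("Host"), "detail": ev.get("User")}
    return None


def detect_rdp_fanout(events, threshold=3):
    """Rule 3: one account logging on over RDP (4624, LogonType 10) from many sources.

    A single admin normally comes from one workstation; the same account
    arriving from several hosts in one batch is worth a look."""
    sources = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "10":
            sources[(ev.get("Host"), ev.get("User"))].add(ev.get("SourceIP"))
    return [{"rule": "rdp_fanout", "host": host, "detail": f"{user} from {len(ips)} sources"}
            for (host, user), ips in sources.items() if len(ips) >= threshold]


def run_detections(lines):
    """Parse every line, apply the per-event rules, then the batch-level rule."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        for rule in (detect_psexec_service, detect_encoded_powershell):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(detect_rdp_fanout(events))
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Run as a script, it prints three findings: the PSEXESVC service install on FS01, the encoded PowerShell command on WS12, and the svc_backup account reaching DC01 over RDP from three different sources. The point of the third rule is the one the text makes about Living off the Land: none of these events is malicious on its own, so the useful signal is the context (which account, from how many hosts, with what command-line flags) rather than the tool name alone.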
Command and Control is the fourth phase of the attack chain, where the attacker has established a foothold in the network, has identified their target, and is ready to begin using their tools to perform their objectives. These tools can include data obfuscation and encrypted channels to avoid detection of their actions by defenders; both are further examples of the attacker obfuscating and hiding their activity. Using application layer protocols already present on the network is an effective way to hide attack traffic, as it blends into the background network noise. Remote access software is also an effective form of command and control; the remote support software AnyDesk is notoriously difficult to fully remove after it has been installed.
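The paragraph above says command and control traffic hides by blending into ordinary application layer protocols such as HTTP. One thing a defender can still look for is timing: an implant checking in on a schedule produces connections at far more regular intervals than a person browsing does. The script below is an added example, not code from the original article, of that beaconing heuristic run over constructed web proxy log lines. The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
"""Added example: flag candidate C2 beacons in constructed proxy logs by how
regular the gaps between connections from one client to one destination are.
Not from the original article. Assumes an invented log format
'<iso-timestamp> src=<ip> dst=<host> bytes=<n>'; all values are made up."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, interleaved in time order. 10.0.5.77 reaches
# updates.cdn-example.test roughly every 60 seconds; the other traffic is irregular.
SAMPLE_PROXY_LOG = [
    "2024-03-01T10:00:00 src=10.0.5.77 dst=updates.cdn-example.test bytes=512",
    "2024-03-01T10:00:05 src=10.0.5.77 dst=intranet.corp.local bytes=8831",
    "2024-03-01T10:00:09 src=10.0.5.77 dst=intranet.corp.local bytes=1204",
    "2024-03-01T10:01:01 src=10.0.5.77 dst=updates.cdn-example.test bytes=520",
    "2024-03-01T10:02:00 src=10.0.5.77 dst=updates.cdn-example.test bytes=508",
    "2024-03-01T10:02:59 src=10.0.5.77 dst=updates.cdn-example.test bytes=515",
    "2024-03-01T10:03:40 src=10.0.5.77 dst=intranet.corp.local bytes=43210",
    "2024-03-01T10:04:00 src=10.0.5.77 dst=intranet.corp.local bytes=990",
    "2024-03-01T10:04:01 src=10.0.5.77 dst=updates.cdn-example.test bytes=511",
    "2024-03-01T10:05:00 src=10.0.5.77 dst=updates.cdn-example.test bytes=517",
    "2024-03-01T10:06:00 src=10.0.1.5 dst=mail.corp.local bytes=2048",
    "2024-03-01T10:07:00 src=10.0.1.5 dst=mail.corp.local bytes=2050",
    "2024-03-01T10:09:30 src=10.0.5.77 dst=intranet.corp.local bytes=7700",
    "2024-03-01T10:09:31 src=10.0.5.77 dst=intranet.corp.local bytes=640",
]

LINE_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$')


def parse_proxy_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, src, dst, size = match.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "bytes": int(size)}


def find_beacons(lines, min_events=4, max_cv=0.15):
    """Return (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps. A human browsing a site produces a CV well above 1; a timer-driven
    check-in sits near 0. Implants that add random jitter raise the CV, so
    max_cv is a tuning knob, not a hard boundary."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_proxy_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])

    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_PROXY_LOG):
        print(beacon)
```

On the sample log this reports one pair: 10.0.5.77 to updates.cdn-example.test, six connections about 60 seconds apart. The intranet traffic from the same client, with gaps ranging from one second to several minutes, is not reported, and the mail.corp.local pair is skipped because two connections are not enough to judge. In a real deployment the interesting follow-up is whether the destination is something the environment legitimately talks to on a timer (update checks, telemetry) or an unknown host, which is exactly the distinction the blending-in problem in the paragraph makes hard.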
Impact is the final stage of the attack chain, where the end result of the attack is seen. This can be data encryption for ransomware, destruction of data, destruction of system recovery tools, or disruption of endpoints in the environment. When the attack has reached this phase of the chain, the damage is either being done or has already been done, and recovery and response need to be triggered by the affected entity.
If at any point in the attack chain a step is disrupted, the subsequent links in the chain fall apart. You can’t have impact on an environment if your command and control is blocked. You can’t have command and control or lateral movement if you can’t get your malware or remote access tools into the target environment, which means impact can’t happen either. This is where the similarities to the Cyber Kill Chain and the Military Kill Chain come from: if any link in the chain is broken, the attack falls apart.