Posts for: #Studying

Anticipating Ransomware Attacks

The main way companies get infected with ransomware is through phishing emails, whether ordinary phishing emails or targeted spear phishing emails. Once the email is delivered, the next most common step is for the end user to click on a link or attachment and allow it to run. After the file is allowed to run, the ransomware is unleashed on the network and begins crawling it looking for files, servers, and backups. Public-facing servers are also a common point of breach. If a public-facing server isn’t patched properly, configured properly, or protected in some way, there is a chance it could be breached by a bad actor. Once a bad actor has access to the server, they may be able to use it as a pivot point to get further into the network. Software vulnerabilities are a huge attack vector for ransomware, which is why keeping software and hardware as up to date as possible is critical. Some of the most devastating exploits are several years old, and there are still systems affected by them that haven’t been updated, whether out of necessity or incompetence.


Ransomware Kill Chain

Ransomware is identified by specific characteristics: malware that infects a system, encrypts the files it finds, and then demands a payment, or ransom, from the owner of the files to get them back. Ransomware operators also keep the ransom note and the encryption key on their own servers. They use HTTP requests to push the ransom note down to the victim machines and to access the key held on their servers, without the key ever touching the victim’s environment. This protects the key from being found by the victim, which would make decryption easier. Ransomware attacks also follow a Ransomware Kill Chain much like the Cyber Kill Chain, both of which are based on the military kill chain. The MITRE ATT&CK framework is a well-known, standardized knowledge base of adversary tactics, techniques, and common knowledge (the TT and CK part of the name). The framework is arranged so that defenders can easily understand the goal behind the alerts they are receiving as well as the life stage of a potential attack. As we move from left to right in the ATT&CK framework we advance through the stages of an attack, starting with Initial Access and ending at Impact, where the effects of the attack are felt by the victim. The phases of the attack cycle are Initial Access, Execution, Lateral Movement, Command and Control, and finally Impact.
