
Ransomware Kill Chain and Controls - Part 1

April 20, 2016

With the rising threat of ransomware, we continue to see more and more coverage of the topic in the news and in marketing campaigns. I guess about half of all marketing emails I get are ransomware-oriented. It could be the lists I am on, but I think ransomware is shaping up to be the top marketed threat in 2016. 

Kill Chain and Controls

In all the materials I have received on this subject, I haven’t seen the evolution of the kill chain for this threat. It is important to map out the different steps of the attack so we can understand the threat and map controls to it. Below is the basic structure of a ransomware attack we have developed. 

Step 1: Lure – This is the bait used to launch the attack. We typically see phishing emails with infected attachments or links, but it could also be a compromised website or malicious ads. If the user “takes the bait” by clicking on a link or opening an attachment, this triggers the next step.

Step 2: Install – Once an individual opens the malicious file, the malware is installed on the user’s device. Often the user does not realize that malware is being installed and that their device is being taken over.

Step 3: Call Home and Key Exchange – After the malware is installed, it needs to “call home” to the attackers’ server to obtain the unique encryption key it will use on this victim. Because the attackers keep the corresponding decryption key, the files can only be decrypted if they release it after the ransom is paid (and it is not guaranteed that they will hold up their end of the deal).

Step 4: Encryption – The ransomware then encrypts files or systems on the device to restrict access. This effectively locks the user out of their data or renders the entire device inoperative.

Step 5: Ransom/Extortion – To regain access to the system or data, the victim is told to pay the threat actors (the ransom) in exchange for unlocking the device.
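The five stages above also work as a detection model: the sequence the attacker has to complete is the same sequence a defender can watch for in endpoint telemetry, and the earlier a stage is spotted, the less exposure there is. The Python script below is an added example, not code from the original post or from Optiv. The event schema, the thresholds (five files re-extensioned within ten seconds by one process), the domain allowlist, the ransom-note markers and the sample events are all constructed assumptions made for the illustration.

```python
"""Map constructed endpoint telemetry onto the five ransomware kill-chain stages.

Added example, not the blog's or Optiv's code. The event format, thresholds,
allowlist and sample events are assumptions made for this illustration.
"""
import os
from collections import defaultdict, deque

KILL_CHAIN = {
    1: "Lure",
    2: "Install",
    3: "Call Home and Key Exchange",
    4: "Encryption",
    5: "Ransom/Extortion",
}

# Assumed tunables for the detection rules.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".js", ".vbs", ".scr", ".hta"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
ALLOWED_DOMAINS = {"update.example.com"}
RENAME_THRESHOLD = 5          # distinct re-extensioned files ...
RENAME_WINDOW = 10            # ... within this many seconds by one process
RANSOM_NOTE_MARKERS = ("DECRYPT", "HOW_TO_RECOVER")

# Constructed sample telemetry: (timestamp_seconds, event_kind, details).
# pid 777 is benign background activity; pid 4242 walks the whole kill chain.
SAMPLE_EVENTS = [
    (0, "mail_attachment_opened", {"user": "alice", "file": "invoice_2016.docm"}),
    (1, "outbound_connection", {"pid": 777, "domain": "update.example.com"}),
    (2, "file_rename", {"pid": 777, "src": "/home/alice/notes.txt", "dst": "/home/alice/notes.md"}),
    (3, "process_start", {"pid": 4242, "parent": "WINWORD.EXE", "image": "crypt_upd.exe"}),
    (4, "outbound_connection", {"pid": 4242, "domain": "keyserver.example.invalid"}),
    (5, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Documents/q1.xlsx", "dst": "C:/Users/alice/Documents/q1.xlsx.locked"}),
    (6, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Documents/q2.xlsx", "dst": "C:/Users/alice/Documents/q2.xlsx.locked"}),
    (7, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Documents/plan.docx", "dst": "C:/Users/alice/Documents/plan.docx.locked"}),
    (8, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Pictures/cat.jpg", "dst": "C:/Users/alice/Pictures/cat.jpg.locked"}),
    (9, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Pictures/dog.jpg", "dst": "C:/Users/alice/Pictures/dog.jpg.locked"}),
    (10, "file_rename", {"pid": 4242, "src": "C:/Users/alice/Desktop/todo.txt", "dst": "C:/Users/alice/Desktop/todo.txt.locked"}),
    (11, "file_create", {"pid": 4242, "path": "C:/Users/alice/Desktop/HOW_TO_DECRYPT.txt"}),
]


def _ext(path):
    return os.path.splitext(path)[1].lower()


def analyze(events):
    """Return a list of (stage, timestamp, detail) alerts in time order.

    Each stage fires at most once per triggering entity, and the Encryption
    rule only fires when a single process crosses the rename burst threshold.
    """
    alerts = []
    suspicious_pids = set()                 # processes flagged at the Install stage
    renames = defaultdict(deque)            # pid -> timestamps of recent re-extensions

    for ts, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "mail_attachment_opened":
            # Stage 1: a macro- or script-capable attachment was opened from mail.
            if _ext(d["file"]) in MACRO_EXTENSIONS:
                alerts.append((1, ts, f"user={d['user']} opened {d['file']}"))

        elif kind == "process_start":
            # Stage 2: a new executable spawned by an Office application.
            if d["parent"].upper() in OFFICE_PARENTS:
                suspicious_pids.add(d["pid"])
                alerts.append((2, ts, f"pid={d['pid']} {d['image']} spawned by {d['parent']}"))

        elif kind == "outbound_connection":
            # Stage 3: a flagged process reaches a domain outside the allowlist.
            if d["pid"] in suspicious_pids and d["domain"] not in ALLOWED_DOMAINS:
                alerts.append((3, ts, f"pid={d['pid']} contacted {d['domain']}"))

        elif kind == "file_rename":
            # Stage 4: a burst of files changing extension under one process.
            if _ext(d["src"]) != _ext(d["dst"]):
                window = renames[d["pid"]]
                window.append(ts)
                while window and ts - window[0] > RENAME_WINDOW:
                    window.popleft()
                if len(window) == RENAME_THRESHOLD:
                    alerts.append((4, ts, f"pid={d['pid']} re-extensioned {RENAME_THRESHOLD} files in {RENAME_WINDOW}s"))

        elif kind == "file_create":
            # Stage 5: a file whose name looks like a ransom note appears.
            name = os.path.basename(d["path"]).upper()
            if any(marker in name for marker in RANSOM_NOTE_MARKERS):
                alerts.append((5, ts, f"pid={d['pid']} dropped {d['path']}"))

    return alerts


def stages_seen(alerts):
    """Kill-chain stage numbers in the order they were detected."""
    return [stage for stage, _, _ in alerts]


if __name__ == "__main__":
    for stage, ts, detail in analyze(SAMPLE_EVENTS):
        print(f"t={ts:>2}s  Step {stage} {KILL_CHAIN[stage]:<28} {detail}")
```

Run against the constructed events, the script reports one alert per stage, in kill-chain order, and stays silent for the benign process. The Encryption rule is the usual burst heuristic: it does not inspect file contents, only how many files one process re-extensions in a short window, so it fires part-way through the encryption run rather than at its end. The point of the mapping is that the Lure and Install alerts arrive seconds before any data is touched, which is where controls give the most value.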

Understanding each stage of the kill chain allows us to answer the following questions:

  • How can we be attacked?
  • What is the exposure level?
  • What countermeasures can be put in place?

In our next blog post we will map out countermeasures for each step that will lessen our exposure level. 


By: James Robinson

Vice President, Third-Party Risk Management
