Ransomware Kill Chain and Controls - Part 1

By James Robinson ·

With the rising threat of ransomware, we continue to see more and more coverage of the topic in the news and in marketing campaigns. I guess about half of all marketing emails I get are ransomware-oriented. It could be the lists I am on, but I think ransomware is shaping up to be the top marketed threat in 2016. 

In all the materials I have received on this subject, I haven’t seen the evolution of the kill chain for this threat. It is important to map out the different steps of the attack so we can understand the threat and map controls to it. Below is the basic structure of a ransomware attack we have developed. 

Step 1: Lure – This is the bait used to launch the attack. We typically see phishing emails with infected attachments or links, but it also could be a hacked website or malicious ads. If the user “takes the bait” by clicking on a link or opening an attachment, this triggers the next step.

Step 2: Install – Once an individual clicks on a malicious file, the malware is installed on the user’s device. Many times the user may not know the malware is being installed and that their device is being taken over with infected software.

Step 3: Call Home and Key Exchange – After the malware is installed, it needs to “call home” to get the unique encryption key from the server so the files can be decrypted after the ransom is paid (although it is not guaranteed that the attackers will hold up their end of the deal if they are paid).

Step 4: Encryption – The ransomware then encrypts files or systems on the device, to restrict access. This effectively locks data from the user or renders the entire device inoperative.

Step 5: Ransom/Extortion – In order to gain access to the system or data, the threat actors request payment (or ransom) from the victim to unlock the device.

Understanding each stage of the kill chain allows us to answer the following questions:

  • How can we be attacked?
  • What is the exposure level?
  • What countermeasures can be put in place?

In our next blog post we will map out countermeasures for each step that will lessen our exposure level. 

James Robinson

Vice President, Third-Party Risk Management

As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.