Ransomware preparation and response: Develop a cyber kill chain



Emerging risks in the advent of hybrid/remote work, the proliferation of ransomware-as-a-service (RaaS) and talent shortages in every area of IT are testing the limitations of CISOs (chief information security officers) and CROs (chief risk officers) as never before. Having a frequently monitored and updated security checklist can be a commonsense approach that breaks a complicated problem down into easier-to-manage departmental tasks.

Kaspersky’s threat intelligence team has conducted analysis into eight of the most prolific ransomware groups, such as Conti and Lockbit2.0, during their attacks. The data reveals many similarities in attack execution, how ransomware groups operate and how to defend against their attacks.

Freezing your network and holding your data hostage is as easy as embedding ransomware in a document macro attached in a phishing email. This can happen even with heightened cybersecurity measures such as zero-tolerance policies and strict password protocols. 

There are myriad ways that malware can access your network. Most are discussed in “The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs,” available for download. 

“In recent years, ransomware has become a top concern for the cybersecurity industry, with constant developments and improvements being made by ransomware operators,” comments Nikita Nazarov, team lead for the threat intelligence group at Kaspersky. “It is time consuming and often challenging for cybersecurity specialists to study every single ransomware group and follow each one’s activities and developments in order to win the race between attackers and defenders.”

“We have been tracking the activity of various ransomware groups for a long time, and this report represents the results of a huge piece of analytical work,” Nazarov said. “Its purpose is to serve as a guide for cybersecurity professionals working in all kinds of organizations, making their jobs easier.”

Know your enemy

In military theory, warfare can be summed up into tactics, strategy and operations. Similarly, in cybersecurity, experts often discuss the common tactics, techniques and procedures (TTPs) used by cybercriminals. 

The data in the Kaspersky study of modern ransomware has revealed that the groups of attackers are quite predictable, with ransomware attacks following a pattern that includes the following:

  • Gaining initial access to the corporate network or victim’s computer
  • Delivering malware
  • Further discovery
  • Credential access
  • Deleting shadow copies
  • Removing backups
  • Achieving their objectives

“Ransomware-as-a-service” (RaaS) is a model in which the ransomware groups don’t deliver the malware themselves, but instead provide the data encryption service to affiliates for distribution – making it even easier to deliver the malware.

Since both the makers of the ransomware and their affiliates who deliver the malicious files (in exchange for an 80% commission after successful infiltration and collection of ransom) want to simplify their lives, they use template delivery methods or automation tools to gain access to their victim’s network.

Reusing common TTPs makes hacking easier. With easy access to the dark web and the proliferation of hacking software, ransomware attacks are becoming more similar. 

While it’s possible to detect such techniques, it’s much harder to do so preventively, across all possible threat vectors. Successful breaches of the victim’s network are often due to slow installation of updates and patches.

The cyber kill chain framework

The cyber kill chain was first published in “Intelligence-Driven Computer Network Defense,” by Eric Hutchins, Michael Cloppert and Rohan Amin, who developed an analogy for offensive cybersecurity based on the example of a military kill chain.

There are many variants of this model, and this is not a comprehensive list by any means. Just as a military response must evolve in response to an attack, so must cybersecurity.

For instance, one military kill chain model is “F2T2EA”: Find, Fix, Track, Target, Engage, Assess. The “Four Fs” is a kill chain model popular during WWII that was designed to be easy to remember: Find, Fix, Fight, Finish. A quick web search will find a dozen more.

The cyber kill chain was adapted from the military model, and broken into seven steps:  

  1. Reconnaissance 
  2. Weaponization  
  3. Exploitation 
  4. Delivery  
  5. Installation  
  6. Command and control  
  7. Actions on objective  

There are disagreements among CISOs about the order of events, and concerns have been voiced that stopping threats at points of entry should be high on the list.

The Kaspersky report suggests the following version of a modern cyber kill chain:

  • Intrusion prevention
  • Exploitation prevention
  • Lateral movement prevention
  • Countering data loss
  • Preparing for an incident

Overall, the cyber kill chain itself remains mostly the same because the attackers still have to carry out all steps of the attack to achieve their goals. What changes is the way these steps are executed. Cybersecurity professionals should rely on threat intelligence resources in order to have up-to-date information about attackers’ TTPs and how they’re evolving.

Mitigation techniques

Having a frequently updated cybersecurity emergency response, or kill chain, in the event of a cyberattack is vital to successfully thwarting bad actors and keeping your network and systems safe.

To protect against ransomware attacks, consider the following:

  • Maintain an assessment program that tracks the products and services the enterprise uses and the vendors that provide them.
  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways in your network.
  • Always keep software updated on all the devices you use to prevent ransomware from exploiting known vulnerabilities.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access it in an emergency when needed. 
  • To protect the corporate environment, provide continuing education for your employees. The enemy is constantly looking for new ways to infiltrate your network. This means your IT department must constantly be trained in evasive maneuvers.
  • Use a reliable endpoint security solution, keep your eye on exploit prevention and behavior detection, and invest in a remediation engine that’s able to roll back malicious actions.
  • Have an automated system to force password updates for all users on a regular schedule. 
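
Two items in the checklist above are directly checkable from network flow logs: outbound traffic that looks like data exfiltration, and remote desktop services reachable from public networks. The script below is an added example, not code from the Kaspersky report or from this article. It parses a constructed, simplified flow-log format (timestamp, source IP, source port, destination IP, destination port, bytes sent), totals egress bytes per internal host to non-corporate addresses, and flags both hosts that exceed a per-host egress threshold and internal hosts that accept RDP (TCP 3389) sessions from outside the corporate ranges. The corporate address ranges, the 500 MiB threshold and the sample records are all assumptions to be replaced with your own baseline.

```python
"""Flag exfiltration-like egress and externally reachable RDP in flow logs.

Added example (not from the report or article). Log format is constructed:
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <bytes_sent>
"""
import ipaddress
from collections import defaultdict

# Assumed corporate ranges (RFC 1918); adjust to your own environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Per-host egress above which we alert; derive the real value from your baseline.
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024
RDP_PORT = 3389

# Constructed sample records using documentation address blocks, not real traffic.
# 10.0.1.22 pushes ~1.2 GB to one external host; 10.0.1.40 accepts RDP from outside.
SAMPLE_FLOWS = """\
2022-06-01T09:00:01 10.0.1.15 51234 192.0.2.10 443 5120
2022-06-01T09:00:05 10.0.1.15 51240 192.0.2.10 443 4096
2022-06-01T09:01:10 10.0.1.22 50001 198.51.100.77 443 734003200
2022-06-01T09:02:11 10.0.1.22 50002 198.51.100.77 443 512000000
2022-06-01T09:03:00 10.0.1.30 49152 10.0.2.5 445 20480
2022-06-01T09:04:00 203.0.113.9 40000 10.0.1.40 3389 1024
2022-06-01T09:05:00 10.0.1.50 40001 10.0.1.40 3389 1024
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append({
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def outbound_bytes_by_host(flows: list) -> dict:
    """Sum bytes sent from internal hosts to destinations outside the corporate ranges."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_exfiltration(flows: list, threshold: int = EGRESS_THRESHOLD_BYTES) -> list:
    """Internal hosts whose total egress meets or exceeds the threshold."""
    totals = outbound_bytes_by_host(flows)
    return sorted(host for host, total in totals.items() if total >= threshold)


def flag_exposed_rdp(flows: list) -> list:
    """Internal hosts that received RDP connections from non-corporate sources."""
    exposed = {
        f["dst"] for f in flows
        if f["dport"] == RDP_PORT and is_internal(f["dst"]) and not is_internal(f["src"])
    }
    return sorted(exposed)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, total in sorted(outbound_bytes_by_host(flows).items()):
        print(f"{host}: {total / (1024 * 1024):.1f} MiB egress")
    print("possible exfiltration:", flag_exfiltration(flows))
    print("RDP reachable from outside:", flag_exposed_rdp(flows))
```

The egress check is deliberately coarse: a byte threshold per host catches bulk uploads but not slow, low-volume exfiltration, so in practice it should be paired with per-destination baselines and alerts on first-seen external destinations. The RDP check only reports what the logs show was actually reached; an authoritative answer comes from an external port scan of your own public ranges and from firewall policy review.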

There’s been a trend to outsource cybersecurity to IT subcontractors that can provide a wider scope of services, with access to more skill sets via their specialized teams. This might be a good option for your business. Whether you’re back to working at the company office, or if you’re working remotely at home, your network should be equally secure.
