Ransomware needs its own kill chain framework | SC Media

Ransomware needs its own kill chain framework

October 22, 2021
Today’s columnist, Nicole Hoffman of GroupSense, explains the evolution of the Cyber Kill Chain developed by Lockheed Martin and argues that the industry needs a kill chain specifically for ransomware. (Credit: Creative Commons: https://www.flickr.com/photos/[email protected]; https://creativecommons.org/licenses/by/2.0/legalcode)
  • It’s existential: The old “reputational” concerns of the past seem quaint compared to today’s ransomware threat, where the inability to use the systems required for business operations can mean bankruptcy, particularly for smaller businesses.
  • It’s multi-phase: To increase the urgency of ransomware demands, threat actors will often use double extortion techniques such as exfiltrating data before encryption. If ransom demands are not met, ransomware groups will threaten to publicly leak or sell the stolen data. Victims are left with two concurrent issues: decryption and preventing data exposure.
  • It’s multi-party: The dark web ecosystem has simplified ransomware operations, where “initial access brokers” sell access to compromised networks and ransomware-as-a-service (RaaS) vendors make it easy for anyone to become a cybercriminal. The fate of the company might be in the hands of a sophisticated ransomware syndicate that wants an initial victim to recover their data (so others will also pay), or an inexperienced freelancer who might behave erratically and not care whether a company recovers its systems.

  • The Access Phase: Threat actors establish and sell access. Even if an organization fails to detect the intrusion itself, there is still time to break this link in the chain before damage is done. Security teams can do this by monitoring access broker sites and determining whether access to the company’s network is being offered for sale. This takes a combination of automated and human intelligence, because it requires engaging the threat actor as a potential “customer” and obtaining information that verifies the network breach.
  • The Exfiltration Phase: Threat actors escalate privileges and move laterally across the network to find valuable data to exfiltrate as part of their double extortion scheme, threatening to release it on dark web “shame sites” if the victim does not pay the ransom.
  • The Encryption Phase: The threat actor unleashes the ransomware, encrypting the data, and the victim is notified of the ransom demand: the price of the decryption keys.
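The Exfiltration and Encryption phases above are the two links a security operations team can still observe in its own telemetry. The following Python script is an added example, not code from the column or from GroupSense, showing how a detection team might map raw telemetry onto those two phases: a sliding-window check for a large volume of outbound bytes to a single external destination (Exfiltration) and a burst of file renames to a new extension on one host (Encryption). The log format, the thresholds, the host names and the addresses are all assumptions, and the log lines are constructed for the example rather than captured from any incident.

```python
"""Map constructed telemetry onto the ransomware kill chain phases (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions): tune them to the environment's baseline.
EXFIL_WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 100 * 1024 * 1024      # 100 MiB to one destination inside the window
ENCRYPT_WINDOW = timedelta(seconds=60)
ENCRYPT_RENAMES = 20                 # extension-changing renames on one host

# Assumed log format: "<iso timestamp> host=<h> event=<e> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec


def ext(path):
    """Return the lower-cased file extension, or '' when there is none."""
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect_exfiltration(records):
    """Exfiltration phase: one host sending >= EXFIL_BYTES to one destination inside EXFIL_WINDOW."""
    alerts = []
    flows = defaultdict(list)
    for r in records:
        if r["event"] == "net_out":
            flows[(r["host"], r["dst"])].append((r["ts"], int(r["bytes"])))
    for (host, dst), events in flows.items():
        events.sort()
        window, total = [], 0
        for ts, nbytes in events:
            window.append((ts, nbytes))
            total += nbytes
            while ts - window[0][0] > EXFIL_WINDOW:      # drop events older than the window
                total -= window.pop(0)[1]
            if total >= EXFIL_BYTES:
                alerts.append({"phase": "Exfiltration", "host": host, "dst": dst, "bytes": total, "at": ts})
                break                                     # one alert per flow is enough
    return alerts


def detect_encryption(records):
    """Encryption phase: one host renaming >= ENCRYPT_RENAMES files to a new extension inside ENCRYPT_WINDOW."""
    alerts = []
    renames = defaultdict(list)
    for r in records:
        if r["event"] == "file_rename" and ext(r["path"]) != ext(r["new"]):
            renames[r["host"]].append((r["ts"], ext(r["new"])))
    for host, events in renames.items():
        events.sort()
        window = []
        for ts, new_ext in events:
            window.append((ts, new_ext))
            while ts - window[0][0] > ENCRYPT_WINDOW:
                window.pop(0)
            if len(window) >= ENCRYPT_RENAMES:
                top_ext = Counter(e for _, e in window).most_common(1)[0][0]
                alerts.append({"phase": "Encryption", "host": host, "renames": len(window),
                               "extension": top_ext, "at": ts})
                break
    return alerts


def analyze(lines):
    """Run both phase detectors over raw lines and return alerts in time order."""
    records = [r for r in map(parse_line, lines) if r]
    return sorted(detect_exfiltration(records) + detect_encryption(records), key=lambda a: a["at"])


def build_sample_log():
    """Constructed telemetry for the example; hosts, addresses and paths are made up."""
    base = datetime(2021, 10, 22, 9, 0, 0)
    lines = []
    for i in range(5):   # benign: small periodic uploads from WS07
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} host=WS07 event=net_out "
                     f"dst=198.51.100.9 bytes=2000000")
    for i in range(3):   # suspicious: 150 MiB to one external host in three minutes from WS12
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} host=WS12 event=net_out "
                     f"dst=203.0.113.7 bytes={50 * 1024 * 1024}")
    # benign: a single extension change an hour later on the file server
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} host=FS01 event=file_rename "
                 f"path=/share/draft.tmp new=/share/draft.docx")
    for i in range(25):  # suspicious: 25 files renamed to .locked within 25 seconds on FS01
        ts = base + timedelta(hours=2, seconds=i)
        lines.append(f"{ts.isoformat()} host=FS01 event=file_rename "
                     f"path=/share/finance/doc{i}.xlsx new=/share/finance/doc{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The ordering of the alerts is the point: the Exfiltration alert fires an hour before any file is encrypted, which is the window the column describes for breaking the chain before the encryption payload runs. Both detectors are deliberately simple sliding windows so they can be replayed over historical logs to calibrate the thresholds against a site's normal backup and file-conversion traffic.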