Ransomware ATT&CK and D3FEND
Strategies to Combat Ransomware - From Attack Vectors to Defense Mechanisms
In recent years, ransomware has become almost synonymous with cyber attacks, affecting businesses, governments, healthcare organizations, and individuals worldwide. With ransom demands and operational disruptions skyrocketing, the financial impact of ransomware can be devastating.
While many associate ransomware solely with encryption, it encompasses much more. Understanding ransomware as a full attack chain, including its tactics, attack vectors, and technical mechanisms, is the first step toward effective prevention.
This guide is the result of extensive research into the most impactful ransomware groups of the past three years (using insights from CISA and Ransomware Live), mapping their tactics, techniques, and procedures (TTPs) to MITRE ATT&CK and developing a typical ransomware attack chain.
Building on this, we crafted a ransomware defense chain (using MITRE D3FEND), providing actionable techniques to counter ransomware at every stage – not just its “endgame” of encryption and data exfiltration.
We will explore the anatomy of ransomware, its evolution, profiles of notorious groups, and the execution of these attacks. Whether you’re a cyber security professional or a CISO, this comprehensive guide equips you with the knowledge and tools needed to develop practical defense strategies and technical controls to detect, mitigate, and ultimately prevent ransomware attacks.
What is Ransomware?
Ransomware is a type of malware that encrypts files or locks users out of their systems, rendering them inaccessible until a ransom is paid.
This attack typically begins with an infection, often through phishing emails or exploiting vulnerabilities in software, that allows the attacker to gain unauthorized access to the target’s system. Once inside, ransomware encrypts valuable files or blocks access to entire systems. Victims then receive a message demanding payment—often in cryptocurrency to maintain anonymity—to obtain the decryption key or regain access to the locked system.
The evolution of ransomware has made it one of the most disruptive and financially damaging types of cyberattacks. Unlike traditional viruses, which might delete data or corrupt files, ransomware is specifically designed to extort money from its victims. There are two main types of ransomware: “locker” ransomware, which locks users out of their systems, and “crypto” ransomware, which encrypts individual files. In recent years, “double extortion” has become common, where attackers not only encrypt data but also threaten to release sensitive information if the ransom isn’t paid.
The growing prevalence of ransomware is partly due to the rise of Ransomware-as-a-Service (RaaS), a model in which experienced hackers lease ransomware tools to less-skilled criminals. This model has allowed ransomware operations to become more sophisticated, with attacks targeting large organizations, critical infrastructure, and government institutions. The impact of these attacks extends beyond financial losses, often resulting in significant operational downtime and sometimes even risking public safety. The continuous evolution of ransomware tactics underscores the need for robust cybersecurity practices to mitigate its threat.
Ransomware evolved slowly until the late 2000s, when advancements in encryption and payment systems like Bitcoin made it easier to demand and collect ransoms anonymously. By the early 2010s, ransomware started to surge, with crypto-ransomware (which encrypts files) becoming the most common form.
The Cost of Ransomware to the Global Economy
Ransomware attacks have surged dramatically in recent years, with the frequency of incidents more than doubling from 2019 to 2021.
During this period, high-impact sectors such as healthcare, government, and critical infrastructure emerged as primary targets for ransomware groups, drawn to these industries because operational disruptions can have severe, often life-threatening consequences.
The financial toll of ransomware is also climbing at an unprecedented rate. In 2021 alone, ransomware attacks were estimated to cost the global economy $20 billion. Projections suggest this could grow to $265 billion by 2031 as ransomware tactics evolve and attacks become more sophisticated. This staggering forecast underscores the critical need for enhanced cybersecurity defenses and proactive strategies to mitigate these threats.
In 2023, ransom payments broke records, with total payouts exceeding $1 billion. Among the highest individual ransom payments reported was a $75 million settlement made by an unnamed Fortune 50 company in 2024 to the Dark Angels ransomware group, highlighting the high stakes and substantial sums involved in ransomware negotiations.
The willingness of major organizations to pay such amounts reflects the enormous pressure to protect sensitive information and resume normal operations swiftly. These trends make it clear that ransomware is a serious and growing threat, necessitating strong, proactive cybersecurity measures across all sectors.
Origins and evolution of Ransomware
Ransomware first appeared in 1989 with the AIDS Trojan, also known as the PC Cyborg virus, created by Dr. Joseph Popp and distributed on floppy disks at an AIDS conference. The virus encrypted file names on infected computers and demanded a ransom of $189 for a decryption key.
Since then, numerous ransomware attacks have changed the cyber security world and the threat landscape drastically.
Here are some key examples:
WannaCry (March 2017)
Perhaps the most infamous ransomware attack, WannaCry leveraged a Windows vulnerability, affecting over 200,000 computers across 150 countries within a day.
It targeted various sectors, including the UK’s NHS, which had to cancel appointments and divert emergency patients. The attack highlighted the vulnerabilities in unpatched systems and underscored the urgent need for cybersecurity practices across industries.
NotPetya (June 2017)
Initially masquerading as ransomware, with behavior very similar to Petya (an earlier ransomware variant that encrypted the Master Boot Record), NotPetya was more of a “wiper” attack intended to destroy data rather than secure a ransom.
It caused severe disruptions globally, particularly affecting Maersk, a logistics giant, resulting in an estimated $10 billion in damages. This attack showed the world that ransomware-style tactics could be used for destructive purposes rather than profit.
Colonial Pipeline (2021)
This attack by the DarkSide ransomware group led to fuel shortages across the Eastern United States and triggered a temporary shutdown of the Colonial Pipeline, a major fuel artery. The company paid a ransom of $4.4 million.
After the Colonial Pipeline attack, DarkSide disbanded, though many suspect the members later reformed under new names.
This incident showed how coordinated law enforcement and private sector efforts could pressure ransomware groups.
Kaseya (2021)
REvil, one of the most prolific and notorious groups, responsible for numerous high-profile attacks, exploited vulnerabilities in Kaseya’s software, affecting hundreds of businesses that relied on its IT management services.
This attack demonstrated how ransomware could reach extensive supply chains, impacting multiple companies through a single breach.
In 2021, law enforcement agencies from around the world cooperated to take down the REvil ransomware group, seizing servers and arresting affiliates.
MOVEit (2023)
The Cl0p gang targeted large organizations in what’s known as “big game hunting,” focusing on high-value targets for substantial ransom demands. In total, this campaign generated over $100 million in ransom payments.
Ransomware Groups
Several ransomware groups have been particularly active in recent years, orchestrating widespread attacks targeting organizations across multiple sectors.
Let’s take a closer look at some of the better-known ones:
LockBit
LockBit has been one of the largest ransomware groups in the world since 2022.
It uses a Ransomware-as-a-Service (RaaS) model that allows affiliates to carry out attacks globally and is known for adaptive and aggressive tactics: LockBit’s malware often spreads autonomously within networks and employs advanced encryption to lock files.
The group also uses extortion, threatening to leak sensitive data if ransoms aren’t paid.
Despite law enforcement pressure in 2024, which caused a slight drop in activity, LockBit remains a top ransomware threat due to its evolving techniques and continues to target infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
RansomHub
The RansomHub (AKA RansomHouse) group operates a data extortion business model, focusing on exfiltrating sensitive data from networks without encrypting it.
They target organizations with valuable intellectual property, including corporations and healthcare systems, and emphasize speed and stealth in their attacks.
They operate a leak site and often demand high ransoms to avoid data leaks.
Play
Play ransomware, which appeared in late 2022, is known for its unique approach to encryption, leaving certain parts of files intact to bypass some defenses.
They have targeted critical infrastructure and public services, including hospitals in North America and South America.
Their TTPs involve exploiting RDP and weak passwords, and they rely heavily on manual exploitation and post-compromise attacks.
Black Basta
This group, active since 2022, quickly rose to prominence by targeting major organizations across industries, including manufacturing and healthcare.
Black Basta uses a dual extortion approach and is known for collaborating with other cybercriminals.
They are recognized for aggressive phishing and vulnerability exploitation in Windows and Linux systems, with recent attacks reported throughout 2024.
Qilin
Originally detected in 2022, Qilin (AKA Agenda) operates a ransomware variant known as Agenda, initially written in Golang and later rewritten in Rust for added evasion.
The group engages in double extortion, targeting high-value entities, including healthcare, education, and other sectors in Africa, Asia, and more recently, Western targets.
Qilin exploits vulnerabilities in remote desktop protocols and applications like Citrix.
The group’s activity was noted as recently as mid-2024, with attacks on UK hospitals and various international companies.
Medusa
Medusa ransomware is known for its aggressive extortion tactics, targeting organizations worldwide.
The group uses a combination of encryption and data-theft extortion, threatening to leak sensitive information.
They primarily target public sector entities, including schools, hospitals, and governments, and have been particularly active in 2023.
Their TTPs include exploiting vulnerabilities in Windows systems and phishing tactics.
Rhysida
Rhysida ransomware emerged in 2023, primarily targeting healthcare and public sector organizations in Latin America, Europe, and the U.S. The group follows a double extortion approach, encrypting data and demanding ransoms while threatening to leak stolen information.
Rhysida uses email phishing for initial access and leverages poorly secured networks.
How Does Ransomware Technically Work?
To detect and stop ransomware attacks using the MITRE ATT&CK framework and MITRE D3FEND framework, organizations can implement a combination of detection mechanisms and defensive controls that map directly to specific techniques.
Below is a breakdown of the ransomware attack techniques commonly observed in each phase of the MITRE ATT&CK framework; the corresponding D3FEND detection and protection techniques follow in the next section:
Initial Access
Through phishing or exploiting public-facing applications, attackers gain an initial foothold.
Phishing (T1566)
Phishing involves sending malicious messages (often emails) to deceive targets into revealing sensitive information or triggering malware. It remains a widespread initial access method.
Exploit Public-Facing Application (T1190)
Exploiting vulnerabilities in publicly accessible applications is a common tactic to gain access to systems or networks.
Execution
Attackers use scripts or commands to execute ransomware or other tools.
Command and Scripting Interpreter: PowerShell and CMD (T1059)
This involves using command-line interpreters (like PowerShell, cmd.exe or Bash) to execute commands and scripts, often used by adversaries to automate or customize attacks.
System Services: Service Execution (T1569.002)
Adversaries may execute commands by interacting with system services, allowing them to execute code under the context of these services.
Persistence
They establish mechanisms to maintain access, such as scheduled tasks.
External Remote Services (T1133)
Gaining unauthorized access to external remote services, such as VPNs or RDP, enables attackers to maintain persistence or access internal resources from outside.
Modify Registry (T1112)
Modifying the Windows Registry can allow adversaries to configure persistence mechanisms or alter system behavior.
Privilege Escalation
Attackers escalate privileges, often using vulnerabilities or stolen credentials.
Valid Accounts (T1078)
Attackers may use legitimate credentials to access systems, making detection more challenging by blending in with normal activity.
Exploitation for Privilege Escalation (T1068)
Exploiting software vulnerabilities can allow attackers to escalate privileges, gaining broader access on compromised systems.
Defense Evasion
Security tools are disabled, and files are obfuscated to avoid detection.
Impair Defenses: Disable or Modify Tools (T1562.001)
Attackers may disable security tools (like antivirus or logging) to avoid detection during their activities.
Masquerading (T1036)
Masquerading tactics involve disguising files, processes, or services as legitimate to evade detection.
Credential Access
Credentials are stolen through memory scraping or brute force.
OS Credential Dumping (T1003)
Credential dumping enables attackers to extract account credentials from compromised systems for lateral movement or persistent access.
Unsecured Credentials: Credentials in Files (T1552.001)
Attackers may search for and exploit credentials stored in files, potentially revealing sensitive access information.
Discovery
Network scanning and system reconnaissance help attackers map out the environment.
Remote System Discovery (T1018)
By identifying and mapping remote systems, adversaries can plan lateral movement within a network.
System Network Configuration Discovery (T1016)
Attackers can gather network configuration information to understand the environment and identify potential paths for exploitation.
Lateral Movement
Attackers spread across the network using remote services.
Remote Services: Remote Desktop Protocol and SSH (T1021)
Using remote services like RDP, SMB or SSH, attackers can move laterally across networked systems.
Lateral Tool Transfer (T1570)
Transferring tools to remote systems allows attackers to prepare for further actions like lateral movement or data exfiltration.
Collection
Sensitive data is collected for exfiltration.
Archive Collected Data: Archive via Utility (T1560.001)
Adversaries may archive data to compress and consolidate stolen information before exfiltration.
Data from Local System (T1005)
Attackers often gather files from local systems, extracting data directly from compromised devices.
Command and Control
The malware communicates with a remote server for instructions.
Remote Access Software (T1219)
This tactic involves using legitimate remote access tools, often making detection difficult as it resembles regular administration activity.
Ingress Tool Transfer (T1105)
Transferring tools into a network allows attackers to establish or expand their control over compromised systems.
Exfiltration
Data is exfiltrated for double extortion.
Exfiltration Over Alternative Protocol (T1048)
Attackers may use uncommon protocols to exfiltrate data, circumventing network monitoring systems.
Transfer Data to Cloud Account (T1537)
Moving data to cloud accounts provides attackers with alternative storage outside the target’s network.
Impact
The primary ransomware payload is executed, encrypting files.
Data Encrypted for Impact (T1486)
Often used in ransomware attacks, encrypting data on systems disrupts operations and demands attention.
Inhibit System Recovery (T1490)
By disabling or deleting recovery options, attackers make it harder for organizations to restore systems post-attack.
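The two Impact techniques above are the noisiest part of the chain and the easiest to catch on an endpoint. The following Python script is an added example, not code from the original article: it runs two detection rules over a constructed, simplified Sysmon-like event set (the hosts, PIDs, users and file paths are made up). The first rule matches the recovery-inhibiting command lines documented under T1490 (shadow copy deletion, backup catalog deletion, disabling Windows recovery); the second flags a process that changes the extension of many files within a short window, a simple behavioural signal for T1486.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real logs) in a simplified Sysmon-like shape ---
# kind="process": process creation with its command line
# kind="file":    a file rename/write by a process, path before ("src") and after ("dst")
BASE = datetime(2024, 5, 1, 9, 0, 0)


def _iso(offset_seconds):
    return (BASE + timedelta(seconds=offset_seconds)).isoformat()


EVENTS = [
    # Host ws01: recovery inhibition shortly before encryption starts
    {"ts": _iso(0), "kind": "process", "host": "ws01", "pid": 4100,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": _iso(2), "kind": "process", "host": "ws01", "pid": 4101,
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": _iso(5), "kind": "process", "host": "ws01", "pid": 4102,
     "cmdline": "wbadmin delete catalog -quiet"},
    # Host srv02: benign administration; listing shadow copies is not deletion
    {"ts": _iso(60), "kind": "process", "host": "srv02", "pid": 900,
     "cmdline": "vssadmin list shadows"},
    # Host srv02: a report generator renaming two temp files (benign volume)
    {"ts": _iso(70), "kind": "file", "host": "srv02", "pid": 300,
     "src": r"D:\reports\q1.tmp", "dst": r"D:\reports\q1.pdf"},
    {"ts": _iso(71), "kind": "file", "host": "srv02", "pid": 300,
     "src": r"D:\reports\q2.tmp", "dst": r"D:\reports\q2.pdf"},
]
# Host ws01, pid 4200: 25 documents rewritten with a new extension within ~10 seconds
EVENTS += [
    {"ts": _iso(120 + 0.4 * i), "kind": "file", "host": "ws01", "pid": 4200,
     "src": rf"C:\Users\jdoe\Documents\file{i}.docx",
     "dst": rf"C:\Users\jdoe\Documents\file{i}.docx.locked"}
    for i in range(25)
]

# Recovery-inhibiting command lines documented under ATT&CK T1490, matched case-insensitively.
RECOVERY_INHIBIT_PATTERNS = [
    (r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", "vssadmin delete shadows"),
    (r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", "wmic shadowcopy delete"),
    (r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", "wbadmin delete"),
    (r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", "bcdedit recoveryenabled no"),
]


def _ext(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_inhibit_system_recovery(events):
    """T1490: flag process creations whose command line deletes shadow copies or
    backup catalogs, or disables Windows recovery."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        cmd = e["cmdline"].lower()
        for pattern, label in RECOVERY_INHIBIT_PATTERNS:
            if re.search(pattern, cmd):
                alerts.append({"technique": "T1490", "host": e["host"],
                               "pid": e["pid"], "match": label})
                break
    return alerts


def detect_mass_file_modification(events, window_seconds=30, threshold=20):
    """T1486: flag a process that changes the extension of at least `threshold`
    files within any `window_seconds` window (crude, but a strong encryption signal)."""
    per_proc = defaultdict(list)
    for e in events:
        if e["kind"] == "file" and _ext(e["src"]) != _ext(e["dst"]):
            per_proc[(e["host"], e["pid"])].append(
                (datetime.fromisoformat(e["ts"]), _ext(e["dst"])))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for (host, pid), items in per_proc.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits within window_seconds
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                exts = Counter(ext for _, ext in items[start:end + 1])
                alerts.append({"technique": "T1486", "host": host, "pid": pid,
                               "files_in_window": end - start + 1,
                               "new_extension": exts.most_common(1)[0][0]})
                break  # one alert per process is enough
    return alerts


def run_detections(events):
    return detect_inhibit_system_recovery(events) + detect_mass_file_modification(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the constructed data the script raises three T1490 alerts for ws01 and one T1486 alert for pid 4200 (extension "locked"), while the benign shadow-copy listing and the two report renames on srv02 stay quiet. The window and threshold are starting points only; in production they must be tuned against backup software, archivers and build systems, which legitimately rewrite many files quickly.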
Ransomware Detection and Protection
To detect and protect against ransomware attacks using the MITRE D3FEND framework, organizations can implement a combination of detection mechanisms and defensive controls that map directly to specific techniques described in the MITRE ATT&CK framework.
Below is a detailed breakdown of how to detect and protect against various ransomware attack techniques across the different phases, using the MITRE D3FEND framework:
Initial Access
URL Analysis (D3-UA)
Determining if a URL is benign or malicious by analyzing the URL or its components.
Application Configuration Hardening (D3-ACH)
Modifying an application’s configuration to reduce its attack surface.
Message Analysis (D3-MA)
Analyzing email or instant message content to detect unauthorized activity.
Execution
Process Segment Execution Prevention (D3-PSEP)
Preventing execution of any address in a memory region other than the code segment.
Service Binary Verification (D3-SBV)
Analyzing changes in service binary files by comparing to a source of truth.
Persistence
Remote Terminal Session Detection (D3-RTSD)
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
Registry Key Deletion (D3-RKD)
Delete a registry key.
Privilege Escalation
Multi-factor Authentication (D3-MFA)
Requiring proof of two or more pieces of evidence in order to authenticate a user.
System Configuration Permissions (D3-SCP)
Restricting system configuration modifications to a specific user or group of users.
Defense Evasion
Endpoint Health Beacon (D3-EHB)
Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
Executable Allowlisting (D3-EAL)
Restricting execution on a host to executables on an approved list, blocking everything else.
Executable Denylisting (D3-EDL)
Blocking the execution of files on a host in accordance with defined application policy rules.
Credential Access
Process Analysis (D3-PA)
Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity.
Credential Hardening (D3-CH)
Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
Discovery
Network Traffic Analysis (D3-NTA)
Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
Connection Attempt Analysis (D3-CAA)
Analyzing failed connections in a network to detect unauthorized activity.
Network Traffic Filtering (D3-NTF)
Restricting network traffic originating from any location.
Lateral Movement
Remote Terminal Session Detection (D3-RTSD)
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
Platform Hardening (D3-PH)
Hardening components of a Platform with the intention of making them more difficult to exploit.
Network Traffic Policy Mapping (D3-NTPM)
Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.
Broadcast Domain Isolation (D3-BDI)
Broadcast isolation restricts the number of computers a host can contact on its LAN.
Collection
User Data Transfer Analysis (D3-UDTA)
Analyzing the amount of data transferred by a user.
Platform Hardening (D3-PH)
Hardening components of a Platform with the intention of making them more difficult to exploit.
Command and Control
Mandatory Access Control (D3-MAC)
Controlling access to local computer system resources with kernel-level capabilities.
Network Traffic Policy Mapping (D3-NTPM)
Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.
Exfiltration
Network Traffic Community Deviation (D3-NTCD)
Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
Protocol Metadata Anomaly Detection (D3-PMAD)
Collecting network communication protocol metadata and identifying statistical outliers.
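Several of the D3FEND techniques in the Lateral Movement and Exfiltration sections above (Remote Terminal Session Detection, Network Traffic Policy Mapping, User Data Transfer Analysis) come down to comparing observed network flows against a policy map and a per-user baseline. The script below is an added example, not from the article or from MITRE: the zones, allowed pathways, flow records, user names and baselines are all constructed assumptions. It flags RDP/SSH sessions on pathways the policy map does not allow, and users whose external egress for the day deviates from their own history by more than three standard deviations.

```python
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed environment model (assumptions for this example) ---
# Network zones by address prefix; anything outside these prefixes is treated as external.
ZONES = {
    "10.0.1.": "workstations",
    "10.0.2.": "servers",
    "10.0.8.": "admin-ws",
    "10.0.9.": "jump",
}
# D3-NTPM: the only pathways on which interactive remote terminal sessions are expected.
ALLOWED_TERMINAL_PATHS = {("admin-ws", "jump"), ("jump", "servers")}
REMOTE_TERMINAL_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed flow records for one day: (src_ip, dst_ip, dst_port, bytes_out, user)
FLOWS = [
    ("10.0.8.3", "10.0.9.5", 22, 2_000_000, "admin1"),          # admin -> jump host: allowed
    ("10.0.9.5", "10.0.2.10", 3389, 5_000_000, "admin1"),       # jump -> server: allowed
    ("10.0.1.15", "10.0.1.22", 3389, 800_000, "jdoe"),          # workstation -> workstation RDP
    ("10.0.1.15", "10.0.2.10", 445, 300_000, "jdoe"),           # SMB, not a terminal session
    ("10.0.1.15", "203.0.113.10", 443, 4_200_000_000, "jdoe"),  # 4.2 GB upload to external host
    ("10.0.1.30", "203.0.113.55", 443, 72_000_000, "bob"),      # ordinary daily egress
]

# Constructed per-user baseline: bytes sent to external destinations on each of the
# previous five days.
EGRESS_BASELINE_BYTES = {
    "jdoe": [110_000_000, 95_000_000, 130_000_000, 100_000_000, 115_000_000],
    "bob": [60_000_000, 70_000_000, 65_000_000, 55_000_000, 50_000_000],
}


def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "external"


def detect_unauthorized_remote_sessions(flows):
    """D3-RTSD / D3-NTPM: remote terminal traffic on a pathway the policy map does not allow."""
    alerts = []
    for src, dst, port, _, user in flows:
        if port not in REMOTE_TERMINAL_PORTS:
            continue
        path = (zone_of(src), zone_of(dst))
        if path not in ALLOWED_TERMINAL_PATHS:
            alerts.append({"d3fend": "D3-RTSD", "protocol": REMOTE_TERMINAL_PORTS[port],
                           "src": src, "dst": dst, "user": user, "path": path})
    return alerts


def detect_egress_deviation(flows, baseline, k=3.0, min_sigma=1_000_000):
    """D3-UDTA: today's external egress per user compared with that user's own baseline
    via a z-score; min_sigma avoids dividing by a near-zero spread for very regular users."""
    today = defaultdict(int)
    for _, dst, _, nbytes, user in flows:
        if zone_of(dst) == "external":
            today[user] += nbytes
    alerts = []
    for user, total in today.items():
        history = baseline.get(user)
        if not history:
            # A user with no history cannot be scored; surface them rather than ignore them
            alerts.append({"d3fend": "D3-UDTA", "user": user, "bytes": total,
                           "reason": "no baseline"})
            continue
        mu, sigma = mean(history), max(pstdev(history), min_sigma)
        z = (total - mu) / sigma
        if z > k:
            alerts.append({"d3fend": "D3-UDTA", "user": user, "bytes": total,
                           "baseline_mean": mu, "z_score": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorized_remote_sessions(FLOWS) + detect_egress_deviation(FLOWS, EGRESS_BASELINE_BYTES):
        print(alert)
```

On the constructed flows, the workstation-to-workstation RDP session from 10.0.1.15 is the only remote terminal alert, and jdoe's 4.2 GB upload is the only egress alert (bob's 72 MB sits inside his normal range). Five days of history is enough to show the idea, but a real baseline should span weeks and account for weekday patterns, and an export to a sanctioned cloud tenant (T1537) will only stand out if the "external" set is defined carefully.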
Impact
Platform Hardening (D3-PH)
Hardening components of a Platform with the intention of making them more difficult to exploit.
Restore File (D3-RF)
Restoring a file for an entity to access.
Technical Controls for Detection and Mitigation
While ransomware is a very serious threat, the good news is that, with enough due care and due diligence, most ransomware attacks are preventable.
There are various ways cyber security professionals can implement defensive techniques, but one of the most effective and straightforward approaches is to use cyber security solutions specifically designed for this purpose.
These solutions are built to address a wide range of threats and can simplify the process of securing systems, networks, and data.
Some of these solutions are:
- NGAV/EDR/XDR: Detect anomalous behavior like credential dumping, obfuscation, or execution of malicious scripts.
- SIEM: Log and analyze login patterns, process creations, file access, and lateral movement.
- Network Security: Limit lateral movement by restricting access to critical systems using firewalls or NAC.
- Multi Factor Authentication: Reduce risk from compromised credentials by requiring multiple forms of verification.
- Vulnerability Scans and Patch Management: Regularly patch public-facing applications and address known vulnerabilities.
- Data Loss Prevention: Prevent data exfiltration by monitoring file access and copying activities.
- Backups: Ensure regular, segmented backups that are not vulnerable to the ransomware attack.
Conclusion
In a world where ransomware constantly evolves, understanding its tactics and effective defenses is essential to staying one step ahead. By implementing layered security strategies and leveraging frameworks like ATT&CK and D3FEND, you can gain insights into ransomware’s history, notorious attacks, and the methods employed by modern ransomware groups.
Recognizing the stages of a ransomware attack, along with adopting proactive security practices, can significantly reduce your risk, strengthening your organization’s ability to detect, mitigate, and prevent ransomware threats.
Please note that the content provided here is a general guideline. Required actions can vary significantly depending on specific cases.