Skip to content

Chapter 23: Ransomware Deep Dive

Overview

Ransomware is the dominant threat to organizational operations, accounting for over 60% of significant cyber incidents in 2025. Modern ransomware operations are sophisticated criminal enterprises — not opportunistic malware — combining advanced intrusion techniques, double/triple extortion, and hardened operational infrastructure. This chapter dissects the complete ransomware threat: kill chain, economics, defense, and crisis response.

Learning Objectives

After completing this chapter, you will be able to:

  1. Map the ransomware kill chain to MITRE ATT&CK techniques
  2. Explain the Ransomware-as-a-Service (RaaS) economic model
  3. Identify pre-encryption indicators in log data
  4. Design a ransomware-resilient backup and recovery architecture
  5. Execute an IR playbook during an active ransomware incident
  6. Navigate the negotiation and payment decision process

Prerequisites

Chapter Scope

This chapter contains defensive analysis of real-world ransomware behavior including TTPs, negotiation mechanics, and payment decisions. Content is strictly for defensive purposes. No functional ransomware code is provided.

23.1 The Modern Ransomware Threat Landscape

Evolution: Commodity → Big Game Hunting

Ransomware evolved from mass-distributed commodity malware (WannaCry, NotPetya era) to targeted "big game hunting" operations:

2013–2017: Spray-and-pray     CryptoLocker, CryptoWall, Cerber
2017–2018: Wormable epidemics  WannaCry (EternalBlue), NotPetya (wiper)
2019–2021: Targeted RaaS       REvil, Maze, DarkSide, Conti
2022–2025: Hyperspecialized    ALPHV/BlackCat (Rust), LockBit 3.0, Cl0p

Key evolution drivers: - Affiliates share risk/reward with developers (RaaS model) - Double extortion forces payment even with good backups - Cryptocurrency enables anonymous payment - Initial access brokers (IABs) commoditize entry

The RaaS Ecosystem

graph LR
    DEV[Ransomware Developer<br/>Builds malware + infrastructure<br/>15-30% cut]
    AFF[Affiliate<br/>Conducts intrusion<br/>70-85% cut]
    IAB[Initial Access Broker<br/>Sells network access<br/>$500-$50K]
    NP[Negotiation Platform<br/>Dark web leak site<br/>Tracks payment]
    LAUN[Money Launderer<br/>Crypto mixing<br/>5-10% cut]

    IAB -->|sells access| AFF
    DEV -->|licenses malware + RaaS panel| AFF
    AFF -->|pays IAB| IAB
    AFF -->|encrypts + demands ransom| NP
    AFF -->|pays dev share| DEV
    DEV -->|launders proceeds| LAUN

23.2 Ransomware Kill Chain

Full Attack Timeline

The average dwell time before encryption is 5–21 days. This window is the primary detection opportunity.

timeline
    title Ransomware Kill Chain (Typical 14-day dwell)
    Day 1       : Initial Access<br/>Phishing / VPN / RDP / IAB purchase
    Day 1-3     : Establish Foothold<br/>C2 beaconing, persistence, defense evasion
    Day 3-7     : Reconnaissance<br/>AD enumeration, share discovery, data mapping
    Day 7-10    : Credential Theft<br/>Kerberoasting, LSASS dump, pass-the-hash
    Day 10-14   : Lateral Movement<br/>Spread to file servers, backup systems, DCs
    Day 14      : Pre-Encryption<br/>Disable backups, delete VSS, inhibit recovery
    Day 14      : Exfiltration<br/>Sensitive data to attacker-controlled storage
    Day 14+1hr  : Encryption<br/>AES-256 + RSA-4096, all files encrypted
    Day 14+2hr  : Extortion<br/>Ransom note + threat of data leak

ATT&CK Technique Mapping

Kill Chain Phase ATT&CK Technique Detection Opportunity
Initial Access T1566 Phishing / T1133 External Remote Services Email gateway, VPN auth anomalies
Execution T1059 Command & Script Interpreter PowerShell logging (Event 4104)
Persistence T1547 Boot/Logon Autostart / T1053 Scheduled Task Registry / schtasks monitoring
Defense Evasion T1562 Impair Defenses / T1070 Indicator Removal EDR tamper alerts, Event Log clearing
Credential Access T1003 OS Credential Dumping / T1558 Kerberoasting LSASS access (Event 10), 4769 RC4 TGS
Discovery T1018 Remote System Discovery / T1082 System Info net.exe, nltest.exe, ADFind activity
Lateral Movement T1021 Remote Services / T1047 WMI SMB logins, WmiPrvSE.exe spawning cmd
Collection T1039 Network Share Data / T1119 Automated Collection Mass share access (4656/4663 volume)
Exfiltration T1048 Exfil Over Alternative Protocol Large outbound transfers, rclone.exe
Impact T1486 Data Encrypted for Impact / T1490 Inhibit Recovery VSS deletion, bcdedit, wbadmin

23.3 Pre-Encryption Indicators

Critical Detection Window

The highest-value detection window is the 30–60 minutes before encryption:

// VSS deletion — almost always ransomware precursor
DeviceProcessEvents
| where ProcessCommandLine has_any (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "bcdedit /set recoveryenabled no",
    "wbadmin delete catalog"
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

// Bulk file rename/modification — encryption in progress
DeviceFileEvents
| where ActionType == "FileRenamed"
| summarize renamed_count = count() by DeviceName, bin(Timestamp, 1m)
| where renamed_count > 500
| order by renamed_count desc

// Mass share access — pre-encryption data collection
DeviceNetworkEvents
| where RemotePort == 445
| summarize connections = dcount(RemoteIP) by DeviceName, bin(Timestamp, 10m)
| where connections > 20

Behavioral Indicators by Phase

Reconnaissance phase: 

net group "Domain Admins" /domain
nltest /domain_trusts
AdFind.exe -f "(objectcategory=computer)"
bloodhound-python -d corp.local -u jsmith

Credential theft phase: - lsass.exe accessed by non-Windows processes (Sysmon Event ID 10) - procdump.exe -ma lsass.exe - Kerberoasting: multiple Event 4769 with Encryption Type 0x17

Pre-encryption cleanup: - vssadmin delete shadows /all /quiet - bcdedit /set {default} recoveryenabled no - wbadmin delete catalog -quiet - EDR service termination commands - Firewall rule modifications disabling outbound blocking

23.4 Double and Triple Extortion

Double Extortion Model

First implemented by Maze in 2019 — now universal among major groups:

Stage 1: Exfiltrate sensitive data (before encryption)
Stage 2: Encrypt all systems
Stage 3: Demand ransom for:
         - Decryption key
         - Deletion of exfiltrated data
         - Non-publication on leak site

Leverage: Even organizations with good backups must pay to protect data

Triple Extortion

Adds additional pressure vectors:

Extortion Layer Target Mechanism
Layer 1: Decryption IT/Business Ops Encrypt files; sell decryptor
Layer 2: Data Leak Legal/Compliance Threaten publishing sensitive data
Layer 3: DDoS Public Presence Launch DDoS against victim websites
Layer 4: Customer Contact Reputation Contact victim's customers directly

Leak Site Mechanics

  • Tor-hosted .onion sites per ransomware group
  • Countdown timers to publication deadlines
  • Partial data previews as proof
  • "Premium" listings for high-value victims
  • Automated data publishing if no contact

23.5 Major Ransomware Groups (2024–2025)

Group RaaS? Specialty Notable TTPs Status
LockBit 3.0 Yes Volume; bug bounty program Exfiltration tool StealBit; custom encryptors Disrupted 2024, rebuilt
ALPHV/BlackCat Yes Rust-based; Linux/ESXi targeting BYOVD driver abuse; Exmatter exfil tool Defunct 2024 (exit scam)
Cl0p No MFT/zero-day exploitation GoAnywhere (CVE-2023-0669), MOVEit (CVE-2023-34362) Active
Play No No negotiation; direct encryption RemCom, SystemBC, Cobalt Strike Active
Akira Yes Double extortion; Linux/ESXi Cisco VPN exploitation (CVE-2023-20269) Active
Black Basta Yes Financial sector focus QAKBOT loader, Cobalt Strike, PrintNightmare Active
Hunters International Yes Hive remnants IDAT Loader, SharpRhino RAT Active

23.6 Ransomware-Resilient Architecture

The 3-2-1-1-0 Backup Rule

The gold standard evolved from 3-2-1:

3  — Three copies of data
2  — Two different storage media types
1  — One offsite copy
1  — One air-gapped / immutable copy
0  — Zero errors on recovery test (monthly validation required)

Immutable Backup Architecture

graph LR
    PROD[Production Systems] -->|continuous| LOCAL[Local Backup<br/>On-prem NAS]
    PROD -->|daily| CLOUD[Cloud Backup<br/>S3 Object Lock<br/>WORM 90 days]
    LOCAL -->|weekly| AIRGAP[Air-Gapped Tape<br/>Offline rotation<br/>quarterly test]
    CLOUD -->|replication| DR[DR Site<br/>Immutable blob<br/>separate tenant]

    style AIRGAP fill:#2d5a27,color:#fff
    style CLOUD fill:#1a3a5c,color:#fff

AWS S3 Object Lock (WORM): 

{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "COMPLIANCE",
      "Days": 90
    }
  }
}

Critical Protection Controls

Control Mitigates Implementation
Immutable backups Data destruction (T1490) S3 Object Lock, Veeam Hardened Repository
Privileged access workstations (PAWs) Credential theft Dedicated AD tier for backup admin accounts
Network segmentation Lateral movement VLAN isolation for backup infrastructure
EDR on backup servers Malware deployment Exclude backup paths from tamper protection
MFA on all remote access Initial access via VPN Phishing-resistant MFA (FIDO2)
Email filtering + sandboxing Phishing initial access Scan attachments in detonation sandbox
Patch management (14-day SLA) Vulnerability exploitation Prioritize perimeter-facing systems
Disable legacy protocols Lateral movement Disable SMBv1, NTLM where possible

23.7 Incident Response: Active Ransomware

Decision Tree — First 30 Minutes

flowchart TD
    A[Alert: Ransomware detected] --> B{Encryption in progress?}
    B -- Yes --> C[IMMEDIATE: Network isolate all affected hosts]
    B -- No --> D[Preserve evidence — DO NOT shut down]
    C --> E[Identify patient zero]
    D --> E
    E --> F{Domain Controller affected?}
    F -- Yes --> G[CRITICAL: Reset krbtgt × 2; assume full domain compromise]
    F -- No --> H[Scope lateral movement from patient zero]
    G --> I[Invoke business continuity plan]
    H --> J{Exfiltration confirmed?}
    J -- Yes --> K[Notify legal; GDPR/HIPAA 72h clock starts]
    J -- No/Unknown --> L[Assume exfiltration pending evidence]
    K --> M[Begin recovery from clean backups]
    L --> M

IR Phases for Ransomware

Phase 1 — Contain (Hours 0–4)

# Network isolation via EDR (CrowdStrike example)
crowdstrike-cli contain --host-id <ID>

# Or via AD — disable computer accounts of compromised hosts
Disable-ADAccount -Identity "WRK447$"

# Verify domain controllers are clean
Get-ADComputer -Filter * | Where-Object {$_.LastLogonDate -gt (Get-Date).AddHours(-2)}

Phase 2 — Eradicate (Hours 4–24)

  • Re-image infected systems (don't trust decrypted files)
  • Reset all service accounts and admin passwords
  • Reset krbtgt account password twice (with 10-hour delay between)
  • Review and revoke all OAuth tokens and certificates
  • Audit scheduled tasks, startup items, and WMI subscriptions across all hosts

Phase 3 — Recover (Hours 24–72)

# Recovery priority framework
RECOVERY_TIERS = {
    'Tier 1 — Critical': [
        'Domain Controllers',
        'Authentication infrastructure (AD CS, Entra ID sync)',
        'Backup servers',
        'Core business applications',
    ],
    'Tier 2 — Important': [
        'Email servers',
        'File shares',
        'ERP/finance systems',
    ],
    'Tier 3 — Standard': [
        'Workstations',
        'Non-critical servers',
        'Development environments',
    ],
}

23.8 Negotiation and Payment Decisions

Should You Pay?

This is a legal, ethical, and practical decision that must involve:

Stakeholder Role Key Questions
Legal counsel Sanctions compliance; OFAC check Is the threat actor on a sanctioned list?
Cyber insurance Coverage trigger; ransom approval Does policy cover ransomware? What is the sublimit?
Executive leadership Business decision; board notification Can we recover without paying? What is recovery timeline?
Law enforcement (FBI/CISA) Intelligence; decryptors may exist Has law enforcement seized keys from this group?
IR firm Technical assessment Is decryptor likely to work? Data leak imminent?

OFAC Sanctions Warning: Paying ransomware groups on OFAC's SDN list (e.g., Evil Corp affiliates, DPRK-linked groups) constitutes a sanctions violation. Legal counsel must verify before any payment.

Negotiation Mechanics (If Paying)

  1. Do not respond immediately — demonstrate operational continuity under pressure
  2. Verify the decryptor — request test decryption of 1-2 non-critical files
  3. Challenge the demand — initial demands are typically 3–5× expected settlement; counter at 10–20% of initial demand
  4. Negotiate timeline — buy time to accelerate recovery from backups
  5. Secure communication — use encrypted channels; do not expose identity of negotiator

No Guarantees

Paying does not guarantee: (1) a working decryptor, (2) deletion of exfiltrated data, (3) non-publication. Criminal groups have re-extorted victims months after payment.

23.9 Nexus SecOps Benchmark Controls

Control ID Control Maturity Level
Nexus SecOps-RS-01 Immutable backups with tested recovery Level 3
Nexus SecOps-RS-02 Ransomware-specific incident response playbook Level 3
Nexus SecOps-RS-03 Pre-encryption detection (VSS deletion, bulk rename) Level 4
Nexus SecOps-RS-04 Business continuity plan exercised annually Level 3
Nexus SecOps-RS-05 Negotiation decision framework documented Level 4
Nexus SecOps-RS-06 Recovery time objective (RTO) validated under 24h Level 4

23.10 Key Takeaways

Essential Controls

  1. Immutable, tested backups are the single highest-impact ransomware control — 3-2-1-1-0 rule
  2. The pre-encryption dwell period (average 14 days) is the primary detection window — focus hunts here
  3. VSS deletion and bulk file rename are near-certain ransomware signals — alert on sight
  4. Double extortion means data theft must be assumed even if backups are clean
  5. Sanctions compliance is mandatory before any ransom payment discussion

Exam Prep & Certifications

Relevant Certifications

The topics in this chapter align with the following certifications:

  • GIAC GCTI — Domains: Cyber Threat Intelligence, Ransomware Analysis
  • GIAC GCIH — Domains: Incident Handling, Ransomware Response
  • CISSP — Domains: Security Operations, Security and Risk Management

View full Certifications Roadmap →

Key Terms

Term Definition
RaaS Ransomware-as-a-Service — criminal model where developers license malware to affiliates
Double extortion Combination of encryption and data exfiltration as extortion leverage
Dwell time Time between initial compromise and encryption; primary detection window
VSS Volume Shadow Copy Service — Windows backup mechanism routinely destroyed by ransomware
BYOVD Bring Your Own Vulnerable Driver — technique used to disable security tools
IAB Initial Access Broker — criminal specializing in selling network access to other attackers
OFAC SDN Office of Foreign Assets Control Specially Designated Nationals list — paying these groups is illegal
krbtgt Kerberos ticket-granting ticket account — must be reset twice after domain compromise

Further Reading

Next: Chapter 24: Supply Chain Attacks