Ransomware Attack Chain

How ransomware operators all follow the same five-stage chokepoint sequence — regardless of group, brand, or tooling.

Last updated: 2025-01-15

The Chokepoint Convergence Principle

Every actor in the matrix below passes through the same sequence of stages. They have to, because each stage is a prerequisite condition that cannot be skipped: there is no lateral movement without working credentials and a reachable host, and no encryption without write access to the files. Tools, loaders, and C2 infrastructure change constantly; the underlying chokepoints do not. Detect the prerequisite and you catch any actor, whatever they happen to be running.

TTP Overlap Across Groups

Each box in the overlap diagram is a MITRE ATT&CK technique, and colored dots mark which of the five groups (BlackBasta, LockBit 3.0, Akira, Alphv/BlackCat, Play) use it. Techniques where every dot is filled are universal chokepoints and the highest-value targets for detection engineering.

Figure: Ransomware Attack Chain, TTP overlap diagram (groups: BlackBasta, LockBit 3.0, Akira, Alphv/BlackCat, Play).

Attack Flow

Three swimlanes in the attack flow diagram show the attacker's actions, the mapped ATT&CK techniques, and the detection posture at each stage. Posture legend: red = exploited (detection gap), yellow = detected (opportunity), green = blocked (control active).

Figure: Ransomware Attack Chain, attack flow diagram. The five stages, reconstructed from the diagram:
  • Initial Access (TA0001), phishing / exposed VPN: T1566.001, T1133, T1190. DETECTED by endpoint and email gateway.
  • Credential Access (TA0006), LSASS dump / Kerberoast: T1003.001, T1558.003, T1003.002. DETECTED on domain controllers and endpoints.
  • Lateral Movement (TA0008), PsExec / RDP / WMI: T1021.002, T1021.001, T1047. EXPLOITED across domain and servers (detection gap).
  • Defense Evasion (TA0005), kill AV/EDR and stop backups: T1562.001, T1490. DETECTED on all hosts.
  • Impact (TA0040), VSS delete and file encrypt: T1486, T1490. EXPLOITED on all file servers (detection gap).

Chokepoint Opportunities by Stage

Each card shows the invariant prerequisite an attacker must satisfy at that stage, the top detection signals, and links to the full chokepoint analysis.

1 Initial Access
Chokepoint

User executes payload OR exposed service is network-reachable

Detection Signals
  • Browser download of renamed/masqueraded binary (missing or mismatched signature)
  • RDP/VPN login from new geo-location or ASN
  • Email attachment execution from user Downloads folder
2 Credential Access
Chokepoint

Elevated process reads memory/registry containing credential material

Detection Signals
  • LSASS process access by a non-system process (Sysmon Event ID 10; check the GrantedAccess mask for the 0x10 PROCESS_VM_READ bit rather than alerting on every open)
  • SAM/SECURITY registry hive read or export outside of system tools (reg.exe save, hive copies taken from a shadow copy)
  • Spike in Kerberos TGS requests for service-account SPNs from a single requester (Event ID 4769, RC4 ticket encryption type 0x17)
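The two Credential Access signals above, written out as detection logic over sample log records. This is an added example and not code from the original page: the event dictionaries, hosts, account and service names, and the LSASS allowlist are constructed for illustration, while the field names follow the Sysmon Event ID 10 and Windows Security Event ID 4769 schemas.

```python
# Added example (not from the original page): two Credential Access detections run
# over constructed log records. Field names follow Sysmon Event ID 10 and Windows
# Security Event ID 4769; the events, hosts and account names are invented.
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010          # GrantedAccess bit needed to read LSASS memory

# Processes that legitimately open lsass.exe on a typical host. Illustrative only;
# a real allowlist must be built from a baseline of your own fleet.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def lsass_access_alerts(events):
    """Sysmon EID 10: a non-allowlisted image opened lsass.exe with PROCESS_VM_READ.
    Masks commonly seen from credential dumpers (0x1010, 0x1410, 0x1fffff) all carry
    the 0x10 bit; a query-only mask such as 0x1400 does not and is ignored."""
    alerts = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_ALLOWLIST:
            continue
        access = int(e["GrantedAccess"], 16)
        if access & PROCESS_VM_READ:
            alerts.append((e["Computer"], e["SourceImage"], hex(access)))
    return alerts

def kerberoast_alerts(events, window=timedelta(minutes=5), min_spns=5):
    """Security EID 4769: one requester obtaining RC4 (0x17) service tickets for
    many distinct service accounts in a short window. Machine accounts and krbtgt
    are excluded; their tickets are not what Kerberoasting is after."""
    by_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[e["TargetUserName"]].append((e["ts"], svc))
    alerts = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):           # sliding window over sorted requests
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts.append((requester, len(spns)))
                break
    return alerts

# Constructed sample: a benign LSASS open, an open by a masqueraded binary in a
# user's Temp folder, a query-only open, then a burst of RC4 TGS requests.
T0 = datetime(2025, 1, 15, 9, 0, 0)
LSASS = r"C:\Windows\System32\lsass.exe"
FAKE_SVCHOST = r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "ts": T0, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "ts": T0 + timedelta(seconds=5), "Computer": "WS01", "SourceImage": FAKE_SVCHOST,
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "ts": T0 + timedelta(seconds=9), "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
]
for n, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_sharepoint"]):
    SAMPLE_EVENTS.append({"EventID": 4769, "ts": T0 + timedelta(seconds=20 * n), "Computer": "DC01",
                          "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": svc, "TicketEncryptionType": "0x17"})
SAMPLE_EVENTS += [
    {"EventID": 4769, "ts": T0 + timedelta(minutes=1), "Computer": "DC01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},              # machine account: ignored
    {"EventID": 4769, "ts": T0 + timedelta(minutes=2), "Computer": "DC01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},             # AES ticket: normal traffic
]

if __name__ == "__main__":
    print(lsass_access_alerts(SAMPLE_EVENTS))
    print(kerberoast_alerts(SAMPLE_EVENTS))
```

The access-mask check is what keeps the LSASS rule usable: alerting on every EID 10 against lsass.exe drowns in legitimate query-only opens, while the 0x10 bit is what a dumper cannot do without. The Kerberoast rule keys on the requester (TargetUserName in 4769) rather than the service, because one account pulling tickets for many SPNs is the pattern, and a single RC4 ticket is still common on networks with legacy services.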
3 Lateral Movement
Chokepoint

Valid admin credentials + network path open (445 / 3389 / 135)

Detection Signals
  • Network logon (Event ID 4624, Type 3) followed by service creation (Event ID 7045) across multiple hosts in a short window
  • IPC$ share access followed by ADMIN$ write (Event ID 5140/5145)
  • Unusual admin account authenticating to 5+ hosts within 30 minutes
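The fan-out and remote-service signals above as detection logic over sample Windows events. This is an added example, not code from the original page; the 4624 and 7045 records, host names, accounts and the PSEXESVC service name are constructed, and the thresholds (5 hosts in 30 minutes, 3 hosts with a service install within 60 seconds of a Type 3 logon) mirror the card.

```python
# Added example (not from the original page): two Lateral Movement detections over
# constructed Windows event records (Security 4624 logons and System 7045 service
# installs). Hosts, accounts and timestamps are invented.
from collections import defaultdict
from datetime import datetime, timedelta

def admin_fanout_alerts(events, window=timedelta(minutes=30), min_hosts=5):
    """One account producing network (Type 3) logons on >= min_hosts distinct hosts
    inside a sliding window. Interactive (2) and RDP (10) logons are deliberately
    excluded; this signal is about SMB/WMI-style fan-out, not console use."""
    logons = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            logons[e["TargetUserName"]].append((e["ts"], e["Computer"]))
    alerts = []
    for account, rows in logons.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, len(hosts)))
                break
    return alerts

def remote_service_alerts(events, lag=timedelta(seconds=60), min_hosts=3):
    """A Type 3 logon followed on the same host by a 7045 service install within
    `lag`, repeated on >= min_hosts hosts: the PsExec / remote-service pattern.
    The join is on host and time because 7045 is a System-log event and does not
    carry the logon session of the remote caller."""
    installs = [e for e in events if e["EventID"] == 7045]
    hits = defaultdict(dict)                    # account -> host -> installed service
    for lg in events:
        if not (lg["EventID"] == 4624 and lg["LogonType"] == 3):
            continue
        for svc in installs:
            delta = (svc["ts"] - lg["ts"]).total_seconds()
            if svc["Computer"] == lg["Computer"] and 0 <= delta <= lag.total_seconds():
                hits[lg["TargetUserName"]][lg["Computer"]] = svc["ServiceName"]
    return [(acct, dict(sorted(h.items()))) for acct, h in hits.items() if len(h) >= min_hosts]

# Constructed sample: a domain admin account fanning out to six servers in twenty
# minutes and dropping PSEXESVC on the first three, plus benign backup and RDP traffic.
T0 = datetime(2025, 1, 15, 22, 0, 0)
SAMPLE_EVENTS = []
for n, host in enumerate(["SRV01", "SRV02", "SRV03", "SRV04", "SRV05", "SRV06"]):
    t = T0 + timedelta(minutes=4 * n)
    SAMPLE_EVENTS.append({"EventID": 4624, "ts": t, "Computer": host, "LogonType": 3,
                          "TargetUserName": "CORP\\svc_admin", "IpAddress": "10.0.5.23"})
    if n < 3:
        SAMPLE_EVENTS.append({"EventID": 7045, "ts": t + timedelta(seconds=8), "Computer": host,
                              "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"})
SAMPLE_EVENTS += [
    {"EventID": 4624, "ts": T0 + timedelta(minutes=40), "Computer": "SRV01", "LogonType": 3,
     "TargetUserName": "CORP\\svc_backup", "IpAddress": "10.0.9.4"},
    {"EventID": 4624, "ts": T0 + timedelta(minutes=41), "Computer": "SRV02", "LogonType": 3,
     "TargetUserName": "CORP\\svc_backup", "IpAddress": "10.0.9.4"},
    {"EventID": 4624, "ts": T0 + timedelta(minutes=42), "Computer": "SRV07", "LogonType": 10,
     "TargetUserName": "CORP\\jdoe", "IpAddress": "10.0.5.23"},
]

if __name__ == "__main__":
    print(admin_fanout_alerts(SAMPLE_EVENTS))
    print(remote_service_alerts(SAMPLE_EVENTS))
```

The backup account touching two servers and the RDP session are left in the sample on purpose: the fan-out rule should stay quiet on a service account with a small, stable set of targets, which is where the per-account baseline comes in. The IPC$ then ADMIN$ signal from the card is the same kind of host-and-time join, with 5145 share-access events taking the place of 7045.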
4 Defense Evasion
Chokepoint

SYSTEM-level process with service stop/delete permission

Detection Signals
  • Multiple security/backup services stopped in rapid succession (sc.exe / net stop)
  • Security service deletion after stop
  • Veeam, VSS, or SQL service termination
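The Defense Evasion signals above as detection logic over process-creation command lines. This is an added example and not code from the original page: the command-line records, hosts and the service watchlist are constructed (the watchlist names are real Defender, Sophos, Veeam and SQL service names, but any deployment must extend it from the products actually installed), and the parser handles the sc.exe and net.exe forms named in the card.

```python
# Added example (not from the original page): Defense Evasion detection over
# constructed process-creation records (Sysmon EID 1 / Security 4688 style
# CommandLine fields). Hosts and the event sequence are invented.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Security and backup services whose stop/delete is a strong precursor to encryption.
# Illustrative watchlist; extend it from the products actually deployed.
WATCHED_SERVICES = {
    "windefend", "sense", "wdnissvc", "mpssvc",                     # Defender / firewall
    "sophos agent", "sophos mcs client", "sophos endpoint defense service",
    "veeambackupsvc", "veeamtransportsvc", "veeamdeploymentservice",
    "vss", "swprv", "sqlwriter", "mssqlserver", "wbengine",
}

# Executable name (path and .exe stripped) followed by its arguments.
CMD_RE = re.compile(r'^"?(?:[^"\s]*[\\/])?([^"\s\\/]+?)(?:\.exe)?"?\s+(.*)$', re.I)
SVC = r'(?:"([^"]+)"|(\S+))'                                        # quoted or bare name
SC_RE = re.compile(r'^(?:\\\\\S+\s+)?(stop|delete)\s+' + SVC, re.I) # sc [\\host] stop|delete X
NET_RE = re.compile(r'^stop\s+' + SVC, re.I)                        # net stop X [/y]

def parse_service_ops(events):
    """Return (ts, host, op, service) for every sc/net service stop or delete."""
    ops = []
    for e in events:
        m = CMD_RE.match(e["CommandLine"].strip())
        if not m:
            continue
        exe, args = m.group(1).lower(), m.group(2)
        if exe == "sc" and (a := SC_RE.match(args)):
            ops.append((e["ts"], e["Computer"], a.group(1).lower(), (a.group(2) or a.group(3)).lower()))
        elif exe in ("net", "net1") and (a := NET_RE.match(args)):
            ops.append((e["ts"], e["Computer"], "stop", (a.group(1) or a.group(2)).lower()))
    return ops

def service_kill_alerts(events, window=timedelta(seconds=60), min_stops=3):
    """Two signals per host: >= min_stops distinct watched services stopped inside
    `window`, and any service deleted after having been stopped on that host."""
    by_host = defaultdict(list)
    for op in sorted(parse_service_ops(events)):
        by_host[op[1]].append(op)
    alerts = []
    for host, rows in by_host.items():
        stops = [(t, svc) for t, _, op, svc in rows if op == "stop" and svc in WATCHED_SERVICES]
        for i, (t0, _) in enumerate(stops):
            burst = {svc for t, svc in stops[i:] if t - t0 <= window}
            if len(burst) >= min_stops:
                alerts.append(("burst_stop", host, sorted(burst)))
                break
        stopped = set()
        for _, _, op, svc in rows:
            if op == "stop":
                stopped.add(svc)
            elif op == "delete" and svc in stopped:
                alerts.append(("delete_after_stop", host, svc))
    return alerts

# Constructed sample: a rapid kill sequence on SRV01 ending in deletion of a
# stopped service, plus routine spooler maintenance on WS02 and unrelated noise.
T0 = datetime(2025, 1, 15, 23, 30, 0)
def _ev(offset_s, host, cmd):
    return {"ts": T0 + timedelta(seconds=offset_s), "Computer": host, "CommandLine": cmd}

SAMPLE_EVENTS = [
    _ev(0,  "SRV01", r"sc stop WinDefend"),
    _ev(2,  "SRV01", r"C:\Windows\System32\sc.exe stop Sense"),
    _ev(4,  "SRV01", r'net stop "Sophos Agent" /y'),
    _ev(6,  "SRV01", r"sc stop VeeamBackupSvc"),
    _ev(9,  "SRV01", r"C:\Windows\System32\sc.exe delete Sense"),
    _ev(60, "WS02",  r"net stop spooler"),
    _ev(61, "WS02",  r"net start spooler"),
    _ev(70, "SRV01", r"whoami"),
]

if __name__ == "__main__":
    for alert in service_kill_alerts(SAMPLE_EVENTS):
        print(alert)
```

Parsing the service name out of the command line, rather than matching on substrings like "stop", is what lets the rule ignore a help-desk `net stop spooler` while still catching a quoted multi-word name such as "Sophos Agent". Operators who use taskkill, PowerShell Stop-Service or a driver-based EDR killer need their own parsers; the burst logic is the same.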
5 Impact
Chokepoint

File system write access + encryption library loaded

Detection Signals
  • vssadmin delete shadows / wmic shadowcopy delete on the command line (Event ID 4688 or Sysmon Event ID 1)
  • Mass file modifications with high-entropy output, paired with bulk renames to a new extension
  • Ransom note (.txt/.html) created under the same name across multiple directories
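The three Impact signals above as detection logic over sample records. This is an added example, not code from the original page: the process-creation records and the file-activity feed (a hypothetical EDR schema with write, rename and create events carrying the written bytes) are constructed, the encryptor process path, share paths and note name are invented, and the shadow-copy pattern list adds the vssadmin resize shadowstorage variant to the two commands the card names.

```python
# Added example (not from the original page): Impact-stage detections over
# constructed process-creation and file-activity records. Paths, processes and
# file contents are invented; the file-event schema is a hypothetical EDR feed.
import math
import ntpath
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# T1490 shadow-copy removal as seen on the command line: the two forms named on
# this page plus the resize-shadowstorage variant that purges copies via quota.
SHADOW_DELETE_RES = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Encrypted or compressed output sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def impact_alerts(proc_events, file_events, entropy_threshold=7.5, min_files=20, min_note_dirs=3):
    """Shadow-copy deletion, bulk high-entropy rewrite with extension change, and
    ransom-note drops, each keyed on (host, process)."""
    alerts = []
    for e in proc_events:                                   # 1. shadow copies removed
        if any(rx.search(e["CommandLine"]) for rx in SHADOW_DELETE_RES):
            alerts.append(("shadow_delete", e["Computer"], e["CommandLine"]))
    # 2. Many high-entropy writes AND many renames to a new extension by one process.
    #    Either alone is noisy (archivers, compilers); together they are the encryptor.
    high, renamed = Counter(), Counter()
    notes = defaultdict(lambda: defaultdict(set))           # (host, proc) -> note name -> dirs
    for f in file_events:
        key = (f["host"], f["process"])
        if f["op"] == "write" and shannon_entropy(f["data"]) >= entropy_threshold:
            high[key] += 1
        elif f["op"] == "rename" and ntpath.splitext(f["path"])[1].lower() != ntpath.splitext(f["new_path"])[1].lower():
            renamed[key] += 1
        elif f["op"] == "create":
            notes[key][ntpath.basename(f["path"])].add(ntpath.dirname(f["path"]))
    for key in sorted(set(high) | set(renamed)):
        if high[key] >= min_files and renamed[key] >= min_files:
            alerts.append(("bulk_encrypt", key[0], key[1], high[key]))
    for key, names in notes.items():                        # 3. same note name in many directories
        for name, dirs in names.items():
            if len(dirs) >= min_note_dirs:
                alerts.append(("ransom_note", key[0], key[1], name, len(dirs)))
    return alerts

# Constructed sample. random.Random is seeded so the "encrypted" bytes are reproducible.
T0 = datetime(2025, 1, 16, 1, 0, 0)
rng = random.Random(2025)
LOCKER = r"C:\Users\jdoe\AppData\Local\Temp\locker.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SEVENZIP = r"C:\Program Files\7-Zip\7z.exe"

SAMPLE_PROC_EVENTS = [
    {"ts": T0, "Computer": "FS01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": T0 + timedelta(seconds=1), "Computer": "FS01", "CommandLine": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"ts": T0 + timedelta(seconds=2), "Computer": "FS01", "CommandLine": f'"{WINWORD}" /n'},
]
SAMPLE_FILE_EVENTS = []
for i in range(25):                           # encryptor: rewrite 25 spreadsheets, then rename each
    src = rf"D:\share\finance\q{i % 4 + 1}\report{i}.xlsx"
    SAMPLE_FILE_EVENTS.append({"host": "FS01", "process": LOCKER, "op": "write", "path": src, "data": rng.randbytes(4096)})
    SAMPLE_FILE_EVENTS.append({"host": "FS01", "process": LOCKER, "op": "rename", "path": src, "new_path": src + ".lckd"})
for d in (r"D:\share\finance", r"D:\share\hr", r"D:\share\legal", r"C:\Users\Public"):
    SAMPLE_FILE_EVENTS.append({"host": "FS01", "process": LOCKER, "op": "create", "path": ntpath.join(d, "README_RESTORE.txt")})
SAMPLE_FILE_EVENTS += [                       # benign: Word saving text, 7-Zip writing one compressed archive
    {"host": "FS01", "process": WINWORD, "op": "write", "path": r"D:\share\hr\memo.docx", "data": b"Quarterly all-hands memo. " * 160},
    {"host": "FS01", "process": SEVENZIP, "op": "write", "path": r"D:\share\it\backup.7z", "data": rng.randbytes(4096)},
]

if __name__ == "__main__":
    for alert in impact_alerts(SAMPLE_PROC_EVENTS, SAMPLE_FILE_EVENTS):
        print(alert)
```

The 7-Zip write is in the sample to show why entropy alone is a poor signal: one compressed archive is as random as ciphertext. Requiring the rename-to-new-extension count to climb alongside it, per process, is what separates an encryptor from an archiver, and the note-drop rule catches families that encrypt in place without renaming at all.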

Actor Convergence Matrix (5 actors tracked)

Different tools. Different operators. Same chokepoints. The final row of the matrix, The Chokepoint, is the invariant prerequisite condition your detections must cover, regardless of which actor you are facing.

BlackBasta (inactive)
  • Initial Access: QakBot / phishing email lure
  • Credential Access: LSASS dump + Kerberoasting
  • Lateral Movement: PsExec + Cobalt Strike beacon
  • Defense Evasion: Sophos / Defender stop via sc.exe
  • Impact: VSS delete + ChaCha20 file encrypt

LockBit 3.0 (disrupted)
  • Initial Access: Stolen RDP creds / exposed RMM
  • Credential Access: LSASS dump + SAM hive export
  • Lateral Movement: PsExec + GPO mass-deploy
  • Defense Evasion: Comprehensive service kill list (50+ services)
  • Impact: VSS delete + fastest-in-class encrypt

Akira (active)
  • Initial Access: VPN compromise (no MFA / cred stuffing)
  • Credential Access: LSASS dump + credential file harvest
  • Lateral Movement: RDP hop + AnyDesk
  • Defense Evasion: Defender disable via PowerShell
  • Impact: VSS delete + dual-extension encrypt

Alphv/BlackCat (defunct)
  • Initial Access: Stolen creds / exposed web services
  • Credential Access: LSASS dump + AD enumeration (BloodHound)
  • Lateral Movement: PsExec + RDP + WMI
  • Defense Evasion: Multi-vendor EDR termination (Impacket)
  • Impact: VSS delete + cross-platform Rust encrypt

Play (active)
  • Initial Access: N-day exploits (FortiOS, Exchange ProxyNotShell)
  • Credential Access: LSASS dump + Kerberoasting
  • Lateral Movement: PsExec + WMI lateral movement
  • Defense Evasion: AV/EDR service termination
  • Impact: VSS delete + selective file encrypt

The Chokepoint (invariant across all five)
  • Initial Access: User executes payload OR exposed service is network-reachable
  • Credential Access: Elevated process reads memory/registry containing credential material
  • Lateral Movement: Valid admin credentials + network path open (445 / 3389 / 135)
  • Defense Evasion: SYSTEM-level process with service stop/delete permission
  • Impact: File system write access + encryption library loaded
