Ransomware Attack Chain
The chokepoint sequence every ransomware operator must follow.
Same stages, different tools. Each stage is an unavoidable prerequisite - the underlying chokepoints don't change. Detect the prerequisite; catch any actor.
TTP Overlap Across Groups
Technique cards with actor dots. Orange border = used by all actors. Click actors to filter; a cyan glow marks techniques shared by every selected actor.
Chokepoint Opportunities by Stage
Invariant prerequisite per stage, top signals, and links to the full chokepoint analysis.
User executes payload OR exposed service is network-reachable
- Browser download of renamed/masqueraded binary (missing or mismatched signature)
- RDP/VPN login from new geo-location or ASN
- Email attachment execution from user Downloads folder
- Legitimate RMM tool (AnyDesk, ConnectWise, TeamViewer) installed outside of IT workflow
Elevated process reads memory/registry containing credential material
- LSASS process access by non-system process (Sysmon EID 10)
- SAM/SECURITY registry hive read outside of system tools
- rundll32.exe loading comsvcs.dll with MiniDump export
- esentutl.exe copying browser credential databases
Valid admin credentials + network path open (445 / 3389 / 135)
- Network logon Type 3 + service creation across multiple hosts in short window
- IPC$ share access followed by ADMIN$ write
- Unusual admin account authenticating to 5+ hosts within 30 minutes
- PsExec service installation (PSEXESVC) on remote host
SYSTEM-level process with service stop/delete permission
- Multiple security/backup services stopped in rapid succession
- EDR kill tool execution (Backstab, PowerTool, GMER, Terminator)
- bcdedit.exe with safeboot argument
- PowerShell Set-MpPreference DisableRealtimeMonitoring / DisableAntiSpyware
- Veeam, VSS, or SQL service termination
File system write access + encryption library loaded
- vssadmin delete shadows / wmic shadowcopy delete / PowerShell Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
- Mass file modifications with high-entropy output (bulk file rename)
- Ransom note .txt/.html creation across multiple directories
- WinSCP / RClone / FileZilla outbound to cloud storage (Mega, attacker infrastructure)
Actor Convergence Matrix 5 actors tracked
Different tools, different operators - same chokepoints. Bottom row: the invariant your detections must cover.
| Actor | Initial Access | Credential Access | Lateral Movement | Defense Evasion | Impact |
|---|---|---|---|---|---|
| BlackBasta Inactive |
QakBot phishing / Teams social engineering / exploit acquisition (zero-days purchased within days of disclosure) | Mimikatz LSASS dump + ZeroLogon / NoPac / PrintNightmare CVE exploitation | PsExec + Cobalt Strike beacon (custom 'Coba PROXY' C2 infrastructure) | Backstab EDR kill + PowerShell Defender disable (DisableAntiSpyware) + bcdedit safeboot | vssadmin delete shadows + ChaCha20/RSA-4096 file encrypt (.basta extension) |
| LockBit 3.0 Disrupted |
Stolen RDP creds / exposed RMM / valid accounts | LSASS dump + SAM hive export | PsExec + Cobalt Strike + GPO mass-deploy | Comprehensive service kill list (50+ services) + registry modification | WMI shadow copy delete + fastest-in-class encrypt (LockBit 3.0 / Black) |
| Akira Active |
VPN compromise (no MFA) / SonicWall exploitation / Veeam CVE-2024-40711 | Mimikatz + LaZagne + esentutl browser credential theft + comsvcs.dll LSASS MiniDump | RDP + SSH + AnyDesk / RustDesk / MobaXterm | PowerTool + Terminator BYOVD + Zemana AntiMalware driver EDR kill | PowerShell WMI shadow delete + Akira / Akira_v2 (Rust) / Megazord encrypt |
| Alphv/BlackCat Defunct |
Stolen creds / Eamfo infostealer (Veeam credential theft) / exposed web services | Eamfo Veeam credential theft + LSASS dump | PsExec + RDP + WMI | Multi-vendor EDR termination + reg.exe registry modification + bcdedit safeboot | vssadmin delete shadows + vim-cmd snapshot.removeall (ESXi) + cross-platform Rust encrypt |
| Play Active |
N-day exploits (FortiOS, Exchange ProxyNotShell/OWASSRF) | Mimikatz LSASS dump | PsExec + WMI + Grixba custom infostealer | GMER + IOBit + Process Hacker + PowerTool | Custom .NET VSS Copying Tool + PlayCrypt selective file encrypt |
| The Chokepoint | User executes payload OR exposed service is network-reachable | Elevated process reads memory/registry containing credential material | Valid admin credentials + network path open (445 / 3389 / 135) | SYSTEM-level process with service stop/delete permission | File system write access + encryption library loaded |
Analysis & References
Research Methodology
Source: Kitsune pipeline over ORKL + vendor reports - 260 procedures / 36 reports / 5 actors. Convergent techniques only.
Related Attack Chains
- Infostealers - Often precedes ransomware via IABs
- AiTM / Phishing Kits - AiTM-compromised accounts sold to ransomware IABs