Ransomware Attack Chain
How ransomware operators all follow the same five-stage chokepoint sequence, regardless of group, brand, or tooling.
Every actor in the matrix below follows the same sequence of stages. They must, because each stage reflects an unavoidable prerequisite condition. Their tools, loaders, and C2 infrastructure change constantly. The underlying chokepoints do not. Detect the prerequisite; catch any actor.
TTP Overlap Across Groups
Each card represents a MITRE ATT&CK technique; dots mark which tracked groups or families use it, and cards with an orange border are universal chokepoints used by every tracked actor.
Chokepoint Opportunities by Stage
Each card shows the invariant prerequisite an attacker must satisfy at that stage, the top detection signals, and links to the full chokepoint analysis.
Initial Access
Chokepoint: User executes payload OR exposed service is network-reachable
- Browser download of renamed/masqueraded binary (missing or mismatched signature)
- RDP/VPN login from new geo-location or ASN
- Email attachment execution from user Downloads folder
- Legitimate RMM tool (AnyDesk, ConnectWise, TeamViewer) installed outside of IT workflow
Credential Access
Chokepoint: Elevated process reads memory/registry containing credential material
- LSASS process access by non-system process (Sysmon EID 10)
- SAM/SECURITY registry hive read outside of system tools
- rundll32.exe loading comsvcs.dll with MiniDump export
- esentutl.exe copying browser credential databases
Lateral Movement
Chokepoint: Valid admin credentials + network path open (445 / 3389 / 135)
- Network logon Type 3 + service creation across multiple hosts in short window
- IPC$ share access followed by ADMIN$ write
- Unusual admin account authenticating to 5+ hosts within 30 minutes
- PsExec service installation (PSEXESVC) on remote host
Defense Evasion
Chokepoint: SYSTEM-level process with service stop/delete permission
- Multiple security/backup services stopped in rapid succession
- EDR kill tool execution (Backstab, PowerTool, GMER, Terminator)
- bcdedit.exe with safeboot argument
- PowerShell Set-MpPreference DisableRealtimeMonitoring / DisableAntiSpyware
- Veeam, VSS, or SQL service termination
Impact
Chokepoint: File system write access + encryption library loaded
- vssadmin delete shadows / wmic shadowcopy delete / PowerShell Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
- Mass file modifications with high-entropy output (bulk file rename)
- Ransom note .txt/.html creation across multiple directories
- WinSCP / RClone / FileZilla outbound to cloud storage (Mega, attacker infrastructure)
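The lateral-movement signals combine into one rule: a single account producing network (Type 3) logons on five or more distinct hosts inside 30 minutes, escalated when any of those hosts also records a remote service install such as PsExec's PSEXESVC. The following is an added example, not code from the original page or the project behind it: it applies a sliding window per account over constructed Windows Security 4624 and System 7045 records and correlates the two. Field names follow the Windows event schema; the thresholds are the page's and are assumptions to tune.

```python
"""Detect one account fanning out over SMB/RPC to many hosts in a short window
and correlate with remote service installs (PsExec's PSEXESVC).

Added example, not part of the original page. Events are constructed in the
shape of Windows Security 4624 and System 7045 records; thresholds (5 hosts /
30 minutes) are the page's and are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
HOST_THRESHOLD = 5
SERVICE_GRACE = timedelta(minutes=5)  # a service install may follow the last logon


def _ts(s):
    return datetime.fromisoformat(s)


def detect_fan_out(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return one alert per account that authenticates (network logon, type 3)
    to `threshold` or more distinct hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            # `Computer` is the host that recorded the event, i.e. the destination
            # (assumes endpoint collection; DC-only collection would use 4769 instead).
            by_user[e["TargetUserName"].lower()].append((_ts(e["Time"]), e["Computer"].lower()))
    services = [(_ts(e["Time"]), e["Computer"].lower(), e["ServiceName"])
                for e in events if e["EventID"] == 7045]

    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        start = 0
        for end, (t, _) in enumerate(logons):
            while logons[start][0] < t - window:  # slide the window's left edge
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) < threshold:
                continue
            t0 = logons[start][0]
            installs = sorted({(c, n) for ts, c, n in services
                               if c in hosts and t0 <= ts <= t + SERVICE_GRACE})
            alerts.append({
                "user": user,
                "hosts": sorted(hosts),
                "window": (t0.isoformat(), t.isoformat()),
                "service_installs": installs,
                "severity": "high" if installs else "medium",
            })
            break  # one alert per account; a SIEM would suppress repeats
    return alerts


def _logon(time, user, host, src):
    return {"Time": time, "EventID": 4624, "LogonType": 3,
            "TargetUserName": user, "Computer": host, "IpAddress": src}


def _svc(time, host, name=r"PSEXESVC"):
    return {"Time": time, "EventID": 7045, "Computer": host,
            "ServiceName": name, "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}


# Constructed sample: one service account sweeping five servers with PsExec,
# one ordinary user touching two file servers, and a later out-of-window logon.
SAMPLE_EVENTS = [
    _logon("2024-03-04T09:00:10", "svc_backup", "SRV01", "10.0.5.23"),
    _logon("2024-03-04T09:01:00", "alice", "FS01", "10.0.7.41"),
    _logon("2024-03-04T09:04:02", "svc_backup", "SRV02", "10.0.5.23"),
    _svc("2024-03-04T09:04:31", "SRV02"),
    _logon("2024-03-04T09:05:00", "alice", "FS02", "10.0.7.41"),
    _logon("2024-03-04T09:08:15", "svc_backup", "SRV03", "10.0.5.23"),
    _logon("2024-03-04T09:12:40", "svc_backup", "SRV04", "10.0.5.23"),
    _logon("2024-03-04T09:16:05", "svc_backup", "SRV05", "10.0.5.23"),
    _svc("2024-03-04T09:16:33", "SRV05"),
    _logon("2024-03-04T14:00:00", "svc_backup", "SRV06", "10.0.5.23"),
]

if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_EVENTS):
        print(alert)
```

The same windowed-burst shape serves the defense-evasion card as well (many security or backup services entering the stopped state from one process in a short span). Scope the fan-out rule to privileged or service accounts; a helpdesk technician or a vulnerability scanner will legitimately exceed five hosts, and those are the exceptions to document rather than a reason to raise the threshold.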
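The second and third impact signals (high-entropy bulk rewrites with an extension change, plus the same note file appearing in many directories) can be scored together per process. The following is an added example, not code from the original page: it computes Shannon entropy of written content, counts renamed-and-rewritten files per process, and attaches any low-entropy file name dropped into three or more directories. The file events are constructed inline in a generic shape rather than any particular EDR's schema, and the thresholds are assumptions to tune.

```python
"""Flag a process that rewrites many files with high-entropy content under a
new extension and drops the same note file in several directories.

Added example, not part of the original page. File events are constructed
inline (generic shape, not a specific EDR schema); thresholds are assumptions.
"""
import math
import ntpath
import random
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.2   # bits/byte; ciphertext and compressed data sit near 8.0
MIN_FILES = 10       # renamed-and-rewritten files before we alert
MIN_NOTE_DIRS = 3    # same note name dropped in this many directories


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events, min_files=MIN_FILES, min_note_dirs=MIN_NOTE_DIRS):
    """Return one finding per process that meets the rewrite threshold."""
    rewrites = defaultdict(Counter)                 # process -> Counter(new extension)
    notes = defaultdict(lambda: defaultdict(set))   # process -> note name -> dirs
    for ev in events:
        proc, new, old, data = ev["process"], ev["path"], ev.get("old_path"), ev["data"]
        entropy = shannon_entropy(data)
        if old is not None and ntpath.splitext(old)[1] != ntpath.splitext(new)[1] \
                and entropy >= HIGH_ENTROPY:
            rewrites[proc][ntpath.splitext(new)[1]] += 1
        elif old is None and entropy < HIGH_ENTROPY:
            # plain-text file created from scratch: candidate ransom note
            d, name = ntpath.split(new)
            notes[proc][name.lower()].add(d.lower())
    findings = []
    for proc, exts in rewrites.items():
        ext, count = exts.most_common(1)[0]
        if count < min_files:
            continue
        note_hits = {n: sorted(d) for n, d in notes[proc].items() if len(d) >= min_note_dirs}
        findings.append({"process": proc, "files": count, "extension": ext,
                         "notes": note_hits, "severity": "high" if note_hits else "medium"})
    return findings


def build_sample_events():
    """Constructed telemetry: one encryptor, one Word save, one text editor."""
    rng = random.Random(7)  # seeded so the example is deterministic
    enc = r"C:\Users\Public\enc.exe"
    events = []
    for d in (r"C:\Share\Finance", r"C:\Share\HR", r"C:\Share\Legal"):
        for i in range(4):
            old = ntpath.join(d, f"doc{i}.xlsx")
            events.append({"process": enc, "old_path": old, "path": old + ".lock",
                           "data": rng.randbytes(4096)})
        events.append({"process": enc, "old_path": None,
                       "path": ntpath.join(d, "readme_to_recover.txt"),
                       "data": b"Your files are encrypted. Contact us to recover them.\n" * 4})
    # Word saves through a temp file and renames it: one high-entropy (docx is
    # zip) extension change, which is why a single rename must never alert.
    events.append({"process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   "old_path": r"C:\Users\bob\Documents\~WRD0001.tmp",
                   "path": r"C:\Users\bob\Documents\report.docx", "data": rng.randbytes(4096)})
    events.append({"process": r"C:\Windows\System32\notepad.exe", "old_path": None,
                   "path": r"C:\Users\bob\Documents\todo.txt", "data": b"buy milk\n"})
    return events


if __name__ == "__main__":
    for finding in detect_encryption_burst(build_sample_events()):
        print(finding)
```

Entropy alone does not separate ciphertext from archives or already-compressed media, which is why the rule needs the extension change, the volume, and the note drop together; the shadow-copy deletion from the first signal in this card usually precedes all of it and is the earlier, cheaper catch.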
Actor Convergence Matrix (5 actors tracked)
Different tools. Different operators. Same chokepoints. The highlighted bottom row shows the invariant prerequisite condition your detections must cover, regardless of which actor you're facing.
| Actor (status) | Initial Access | Credential Access | Lateral Movement | Defense Evasion | Impact |
|---|---|---|---|---|---|
| BlackBasta (inactive) | QakBot phishing / Teams social engineering / exploit acquisition (zero-days purchased within days of disclosure) | Mimikatz LSASS dump + ZeroLogon / NoPac / PrintNightmare CVE exploitation | PsExec + Cobalt Strike beacon (custom 'Coba PROXY' C2 infrastructure) | Backstab EDR kill + PowerShell Defender disable (DisableAntiSpyware) + bcdedit safeboot | vssadmin delete shadows + ChaCha20/RSA-4096 file encrypt (.basta extension) |
| LockBit 3.0 (disrupted) | Stolen RDP creds / exposed RMM / valid accounts | LSASS dump + SAM hive export | PsExec + Cobalt Strike + GPO mass-deploy | Comprehensive service kill list (50+ services) + registry modification | WMI shadow copy delete + fastest-in-class encrypt (LockBit 3.0 / Black) |
| Akira (active) | VPN compromise (no MFA) / SonicWall exploitation / Veeam CVE-2024-40711 | Mimikatz + LaZagne + esentutl browser credential theft + comsvcs.dll LSASS MiniDump | RDP + SSH + AnyDesk / RustDesk / MobaXterm | PowerTool + Terminator BYOVD + Zemana AntiMalware driver EDR kill | PowerShell WMI shadow delete + Akira / Akira_v2 (Rust) / Megazord encrypt |
| Alphv/BlackCat (defunct) | Stolen creds / Eamfo infostealer (Veeam credential theft) / exposed web services | Eamfo Veeam credential theft + LSASS dump | PsExec + RDP + WMI | Multi-vendor EDR termination + reg.exe registry modification + bcdedit safeboot | vssadmin delete shadows + vim-cmd snapshot.removeall (ESXi) + cross-platform Rust encrypt |
| Play (active) | N-day exploits (FortiOS, Exchange ProxyNotShell/OWASSRF) | Mimikatz LSASS dump | PsExec + WMI + Grixba custom infostealer | GMER + IOBit + Process Hacker + PowerTool | Custom .NET VSS Copying Tool + PlayCrypt selective file encrypt |
| The chokepoint | User executes payload OR exposed service is network-reachable | Elevated process reads memory/registry containing credential material | Valid admin credentials + network path open (445 / 3389 / 135) | SYSTEM-level process with service stop/delete permission | File system write access + encryption library loaded |
Research Methodology
Procedure-level data in this attack chain was extracted and corroborated using Kitsune, an AI-driven threat intelligence pipeline. 260 procedures were extracted across 36 reports from 5 ransomware actors, with cross-report corroboration used to validate convergence patterns. Reports were sourced from ORKL (Open Repository of Knowledge on Libraries) and direct vendor publications.
Related Attack Chains
- Infostealers - often precede ransomware via initial access brokers (IABs)
- AiTM / Phishing Kits - AiTM-compromised accounts are sold on to ransomware IABs