Ransomware Prevention – Disrupting Each Stage of the Ransomware Kill Chain

Ransomware is a difficult threat to address. Due to the complex nature of a ransomware attack, there is no single solution to stopping the threat of ransomware. Tackling ransomware requires a holistic approach to address every stage of the ransomware kill chain. Many organizations deal with some of the stages but not all of them. It is crucial that you understand your current security posture and where the gaps are. Proper remediation of ransomware begins with a thorough risk assessment and an understanding of your vulnerabilities. Once you understand your current risks and your organization’s appetite to mitigate them, you can adequately address each of the stages of the ransomware kill chain.

The ransomware kill chain is made up of 6 stages:

  1. Recon
  2. Network compromise
  3. Command and control
  4. Discovery and spread
  5. Exfiltration
  6. Detonation

We will talk about each stage of the kill chain and discuss appropriate solutions to mitigate the risk at every stage.


Recon is when ransomware attackers identify potential target organizations and individuals. These are often large spam campaigns to many companies. However, with the advent of ransomware-as-a-service lowering the technical understanding required for performing an attack and the increasing profitability of ransomware attacks, we’re seeing an increase of targeted attacks where campaigns are handcrafted for the target companies.

In this phase, attackers gather information that is already publicly available to create targeted social engineering attacks in later phases. Attackers seek information about the organizational structure of the target’s IT environment. The information gathered can range from the business applications and software an enterprise utilizes to the roles and relationships that exist within it.

Disrupting the Recon Stage

Any information that can disguise an attacker as a trusted 3rd party or insider is of interest during the Recon phase. Details shared in a company meeting, camera footage, or even which vendors you use can be used to craft compelling social engineering scripts for use during the Network Compromise phase. A fundamental approach to make reconnaissance difficult is to have policies in place that make seemingly mundane information private.

Network Compromise

Once the attackers have performed adequate recon, they can apply the intelligence they gathered to formulate attack plans to compromise the network. They could use varied methods to infiltrate a target’s infrastructure. Common methods include customized spearphishing emails, zero-day or unpatched software exploits, and watering hole techniques. Attackers also utilize instant messaging and social networking platforms to entice targets to click links or download malware. Eventually, the attackers gain access to the target network.

Disrupting the Network Compromise Stage

Users are the primary target at this stage. The principle of least privilege helps defend against users that are deceived or exploited. Having strong email security that warns users about external senders, blocks suspicious emails, and prevents dangerous links and harmful attachments from executing are essential. Having a strong endpoint protection platform (EPP) on your endpoints helps identify and prevent the execution of malware and other malicious programs that can assist attackers in gaining access to your network.

Command and Control

After security has been breached, attackers use the malware to execute malicious routines or gather information from within your network. This communication is often hidden, and attackers use commands and tools native to your environment to keep their movements under the radar; this is known as a “Living Off the Land” (LotL) attack. They can also use fileless attacks which, as their name implies, don’t use files or leave a footprint.

Once inside, an attacker might seek to elevate their permissions, create a new domain, or add administrator accounts via Active Directory, thus gaining access to sensitive data or other target systems.

Disrupting the Command and Control Phase

At this stage, traditional anti-virus and even endpoint protection platforms have been defeated. A strong endpoint detection and response (EDR) system uses behavioral heuristics and machine learning to detect fileless attacks, abnormal behavior, and quarantine infected endpoints before an attacker can gain control.

File Integrity Monitoring (FIM) notifies you if there are unauthorized changes to important files in root directories. These types of changes can be an important red flag to discovering that you have been compromised and that an unauthorized party has gained administrative permissions in your network.

Discovery and Spread

Once inside, attackers spread throughout the network to seek key information or infect other valuable systems.

Notable assets or data are determined and isolated for exfiltration in the next stage. A possible technique used in this stage may be sending back file lists in different directories so attackers can identify valuable data.

Disrupting the Discovery and Spread Phase

EDR plays an essential role in identifying and isolating errant behavior. A properly configured Security Information and Event Management (SIEM) platform that aggregates and processes events across all network devices, not just the endpoints, adds an additional layer of protection. The SIEM can identify movements or changes and be configured to flag accounts or users accessing directories or systems they shouldn’t.


This is the primary goal of targeted attacks. An attack’s objective is to obtain valuable information and transfer it to a place the attackers control. These transfers can be quick or gradual over time. The longer the attack is undetected, the more data they can extract. Therefore, attacks strive to remain undetected for as long as possible. If granted access long enough, attackers can steal intellectual property, trade secrets, and customer information.

Once at this stage, it is not difficult for attackers to obtain the data.

Disrupting the Exfiltration Stage

At this stage of the kill chain, it is extremely difficult to disrupt the attackers. A fully managed detection and response (MDR) team, essentially a third-party security operations center (SOC) monitoring the network, is needed to intervene at this stage. A SIEM configured to flag large or otherwise irregular data transfers would be important in identifying the movement of data and stopping its exfiltration. At the very least, it can be used to identify that a breach has occurred.


At this point, an attacker executes a ransomware program on a device on your network. It might encrypt the device it is on and then spread across a network, locking out access to users and disabling critical business operations. They typically will demand a ransom in exchange for decryption or regaining access to the data and systems.

Disrupting the Detonation Stage

EDR and EPP systems can identify suspicious files, place them in an emulated sandbox environment, and execute them to test if they are ransomware or malware programs. If proven to be hostile, the file can then be quarantined and destroyed. In the unfortunate event that a ransomware program successfully detonates on your network, an EPP system can not only backup a device’s files in case of encryption but also can prevent encryption entirely. EDR systems can also isolate affected devices from the network, thus stopping the spread and impact to business-critical systems.


Ransomware is a complex threat to address because there isn’t a “one-size-fits-all” solution. Every network is unique, as are the threats that they face. Successfully preventing ransomware requires cutting-edge solutions, technical expertise, and the ability to implement them properly.

Viking Cloud is uniquely equipped to blend the technology and human factors to address the risks specific to your organization as a done-for-you service. We become a force multiplier for your IT or security team.

Contact us here to set up a time to discuss your needs and how Viking Cloud can help mitigate the threat of a ransomware attack on your organization.

Continue reading.

View all news

Experience our Asgard Platform™ today.

Call us today at 1 (833) 970-3100
Get a demo