Summary
Once a ransomware operator has gained access to your network, they work towards a predictable set of objectives. In most cases, the attacker seeks:
- Persistence - After gaining an initial foothold, the attacker will try to sink an anchor into the victim network so that they can come back and keep their access. This is commonly done by configuring the first infected machine to call back to the attacker even after it is rebooted, for example through an autorun registry entry, a scheduled task or a service.
- Privilege escalation - Unless the attackers get lucky, the account that initially fell victim to the intrusion will have insufficient privileges on the network. Attackers will seek to elevate themselves to a higher privilege level, which lets them access more systems and spread wider into the target in the next step.
- Lateral movement - Once the attacker has stolen higher privileges, they will begin to move around the network, infecting more machines and hoovering up data.
- Exfiltration - By this point in the kill chain, the attackers may siphon data out of the network, which gives them extra leverage to extort the victim later, even if backups are restored.
- Deployment - Finally, attackers deploy the ransomware itself, typically pushed to as many machines as possible at once and timed to cause maximum damage and disruption.
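The persistence step above is the one a defender can check for most cheaply. As an added example (not part of the original PreventRansomware page), the following PowerShell script enumerates the three persistence locations most commonly abused on Windows: the Run/RunOnce registry keys, scheduled tasks and services. It flags any entry whose executable lives outside the Windows and Program Files directories. That path heuristic, the list of trusted roots and the Test-UntrustedPath helper are assumptions made for illustration, not a definitive indicator of compromise.

```powershell
# Added example: triage common Windows persistence locations.
# Run from an elevated PowerShell prompt on the host you suspect.
# The "trusted roots" heuristic is an assumption for illustration only:
# legitimate software installed elsewhere will also be listed.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})

function Test-UntrustedPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }

    # Expand %SystemRoot%-style variables, which service ImagePaths often use
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)

    # Take only the executable: a quoted path, or else the first token
    $exe = if ($expanded.StartsWith('"')) { ($expanded -split '"')[1] }
           else { ($expanded -split '\s+')[0] }

    # C:\Windows\Temp sits under SystemRoot but is world-writable: always flag it
    $winTemp = Join-Path $env:SystemRoot 'Temp'
    if ($exe.StartsWith($winTemp, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }

    foreach ($root in $trustedRoots) {
        if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function Get-SuspiciousAutoruns {
    $findings = @()

    # 1. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if (Test-UntrustedPath $p.Value) {
                $findings += [pscustomobject]@{ Source = "Registry: $key"; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # 2. Scheduled tasks: each task can carry several actions
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and (Test-UntrustedPath $action.Execute)) {
                $findings += [pscustomobject]@{
                    Source  = "Task: $($task.TaskPath)"
                    Name    = $task.TaskName
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }

    # 3. Services: the binary path is what starts at boot
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (Test-UntrustedPath $svc.PathName) {
            $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }

    return $findings
}

Get-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Run it once on a known-good machine to build a baseline, then compare the output from a suspect host against that baseline rather than reading it in isolation; anything new that launches from a user profile, ProgramData or a Temp directory deserves a closer look.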
It is important to note that PreventRansomware does not expect, want or require you to become an expert in the following attack tactics. We instead want to instil the understanding that you don't need to be a cyber security scientist to win at defending. Getting the basics right and understanding the mechanics of each category of tactic will go a very long way.