Ransomware Resilience – Unpacking a Typical Ransomware Attack

Created: Tuesday, November 30, 2021 - 13:51
Categories: Cybersecurity

Based on extensive experience, security researchers at IBM’s Security X-Force Incident Response team have discerned a predictable pattern that ransomware attacks follow. IBM researchers used this pattern to break a ransomware attack down into five stages: Initial Access, Post-Exploitation, Understand and Expand, Data Collection and Exfiltration, and Ransomware Deployment. Initial access is most commonly gained through phishing or vulnerability exploitation. In the post-exploitation stage, the adversary may deploy a remote access tool or other malware. In stage three, Understand and Expand, threat actors conduct reconnaissance, credential harvesting, and lateral movement across systems. Stage four involves the collection and exfiltration of data that is later used to extort victims. The final stage is where the actual ransomware is deployed.

Recognizing the general patterns in ransomware attacks gives defenders a greater chance of thwarting an attack before it can successfully exfiltrate and encrypt data. Moreover, this common attack pattern sheds light on multiple mitigation recommendations users can implement now. These mitigations include limiting privileged access, protecting privileged accounts, securing Active Directory, restricting common lateral movement pathways, defending against phishing threats, and focusing on patch management. Read more at SecurityIntelligence.