Ransomware attack chain

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1489-service-stop

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect ransomware impact operations by correlating ransom note deployment, system service disruption, evidence destruction, and defense evasion within the same execution context.

Strategy

This correlation rule identifies ransomware impact operations by detecting combinations of the following activity groups:

  • Ransom Note Deployment: Creation of ransom note files with characteristic naming patterns (for example, RESTORE, RECOVER, HOW_TO, RANSOM) under common user and system directories
  • Service Disruption: Stopping system services using systemctl, indicating attempts to disable security tools, backups, or database services before encryption
  • Evidence Destruction: Deletion of recently executed binaries, process self-deletion, deletion of system logs, or shell history tampering (deletion, truncation, or symlink to /dev/null)

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityCondition
Full Ransomware AttackCriticalRansom Note Deployment, Service Disruption, and Evidence Destruction
Ransomware with Evidence DestructionHighRansom Note Deployment and Evidence Destruction
Ransomware with Service DisruptionHighRansom Note Deployment and Service Disruption

Triage & Response

  1. Isolate affected systems: Immediately disconnect the affected host and container (or pod) from the network — do not shut down, as memory forensics may be needed.

  2. Activate incident response: Engage the ransomware response team and begin documenting all indicators of compromise.

  3. Identify ransomware family: Investigate the impacted process(es) and analyze ransom note contents to determine the ransomware variant.

  4. Assess encryption scope: Determine which files and systems are affected and verify backup system integrity.

  5. Preserve evidence: Capture memory dumps and forensic images before any remediation attempts.

  6. Validate backups: Confirm backup integrity and determine recovery options without paying ransom.

  7. Investigate attack vector: Trace how the ransomware was delivered (for example, exploitation, compromised credentials, lateral movement).

  8. Hunt for additional compromises: Search for ransomware artifacts on other systems using the same indicators.

  9. Plan recovery: Develop a recovery strategy using clean backups and system rebuilds while deploying enhanced monitoring controls.