---
title: Ransomware attack chain
description: Datadog, the leading service for cloud-scale monitoring.
---

# Ransomware attack chain
- **Classification**: attack
- **Tactic**: [TA0040-impact](https://attack.mitre.org/tactics/TA0040)
- **Technique**: [T1489-service-stop](https://attack.mitre.org/techniques/T1489)
## Goal{% #goal %}

Detect ransomware impact operations by correlating ransom note deployment, system service disruption, evidence destruction, and defense evasion within the same execution context.

## Strategy{% #strategy %}

This correlation rule identifies ransomware impact operations by detecting combinations of the following activity groups:

- **Ransom Note Deployment**: Creation of ransom note files with characteristic naming patterns (for example, RESTORE, RECOVER, HOW_TO, RANSOM) under common user and system directories
- **Service Disruption**: Stopping system services using systemctl, indicating attempts to disable security tools, backups, or database services before encryption
- **Evidence Destruction**: Deletion of recently executed binaries, process self-deletion, deletion of system logs, or shell history tampering (deletion, truncation, or symlink to /dev/null)

The rule triggers different severity levels based on the combination of detected activities:

| Case                                 | Severity | Condition                                                            |
| ------------------------------------ | -------- | -------------------------------------------------------------------- |
| Full Ransomware Attack               | Critical | Ransom Note Deployment, Service Disruption, and Evidence Destruction |
| Ransomware with Evidence Destruction | High     | Ransom Note Deployment and Evidence Destruction                      |
| Ransomware with Service Disruption   | High     | Ransom Note Deployment and Service Disruption                        |
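
The correlation logic described above, as an added illustration that is not Datadog's own rule code: constructed sample events are mapped to the three activity groups, grouped by execution context (a container id here), and assigned a severity per the table. The event schema, the directory list, and the command patterns are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). "ctx" is the execution
# context the rule correlates on; here a container id.
EVENTS = [
    {"ctx": "c1", "type": "file_create", "path": "/home/alice/HOW_TO_RESTORE_FILES.txt"},
    {"ctx": "c1", "type": "exec", "cmd": "systemctl stop postgresql"},
    {"ctx": "c1", "type": "exec", "cmd": "ln -sf /dev/null /root/.bash_history"},
    {"ctx": "c2", "type": "file_create", "path": "/root/RECOVER-FILES.html"},
    {"ctx": "c2", "type": "exec", "cmd": "truncate -s 0 /home/bob/.bash_history"},
    {"ctx": "c3", "type": "exec", "cmd": "systemctl stop nginx"},  # routine ops, alone
]

# Assumed patterns for each activity group (the page names the note keywords).
RANSOM_NOTE_RE = re.compile(r"RESTORE|RECOVER|HOW_TO|RANSOM", re.IGNORECASE)
RANSOM_NOTE_DIRS = ("/home/", "/root/", "/var/www/", "/opt/")
SERVICE_STOP_RE = re.compile(r"\bsystemctl\s+(stop|disable)\b")
EVIDENCE_CMD_RE = re.compile(r"^\s*(rm\b|truncate\b|ln\s+-s|:\s*>|cat\s+/dev/null\s*>)")
HISTORY_RE = re.compile(r"\.(bash|zsh|sh)_history\b")

def classify(event):
    """Return the activity group an event belongs to, or None."""
    if event["type"] == "file_create":
        path = event["path"]
        name = path.rsplit("/", 1)[-1]
        if path.startswith(RANSOM_NOTE_DIRS) and RANSOM_NOTE_RE.search(name):
            return "ransom_note"
        return None
    cmd = event.get("cmd", "")
    if SERVICE_STOP_RE.search(cmd):
        return "service_disruption"
    # Shell-history tampering or system-log deletion counts as evidence destruction.
    if EVIDENCE_CMD_RE.search(cmd) and (HISTORY_RE.search(cmd) or "/var/log/" in cmd):
        return "evidence_destruction"
    return None

# Severity per the table: any combination not listed does not fire.
SEVERITY = {
    frozenset({"ransom_note", "service_disruption", "evidence_destruction"}): "critical",
    frozenset({"ransom_note", "evidence_destruction"}): "high",
    frozenset({"ransom_note", "service_disruption"}): "high",
}

def correlate(events):
    """Group activity by context and return {ctx: severity} for contexts that fire."""
    groups = defaultdict(set)
    for ev in events:
        group = classify(ev)
        if group:
            groups[ev["ctx"]].add(group)
    return {ctx: SEVERITY[frozenset(gs)] for ctx, gs in groups.items() if frozenset(gs) in SEVERITY}
```

Context `c3` stops a service but never drops a ransom note, so it produces no signal; that is the point of correlating on the note rather than alerting on `systemctl stop` alone.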

## Triage & Response{% #triage--response %}

1. **Isolate affected systems**: Immediately disconnect the affected host and container (or pod) from the network — do not shut down, as memory forensics may be needed.

1. **Activate incident response**: Engage the ransomware response team and begin documenting all indicators of compromise.

1. **Identify ransomware family**: Investigate the impacted process(es) and analyze ransom note contents to determine the ransomware variant.

1. **Assess encryption scope**: Determine which files and systems are affected and verify backup system integrity.

1. **Preserve evidence**: Capture memory dumps and forensic images before any remediation attempts.

1. **Validate backups**: Confirm backup integrity and determine recovery options without paying ransom.

1. **Investigate attack vector**: Trace how the ransomware was delivered (for example, exploitation, compromised credentials, lateral movement).

1. **Hunt for additional compromises**: Search for ransomware artifacts on other systems using the same indicators.

1. **Plan recovery**: Develop a recovery strategy using clean backups and system rebuilds while deploying enhanced monitoring controls.
