Anatomy of a Ransomware Attack: A Technical Playbook for Defenders

By Administrator March 3, 2026

Modern ransomware operations bear little resemblance to the spray-and-pray campaigns of 2017. Today's groups — LockBit, BlackCat/ALPHV, Cl0p, Play — operate more like well-funded red teams with dedicated developers, negotiators, and infrastructure teams. Understanding their playbook is essential for building effective defenses.

Phase 1: Initial Access (Day 0)

Ransomware affiliates typically gain access through one of four vectors:

  • Purchased access from Initial Access Brokers through dark web forums
  • Exploitation of edge devices — VPN appliances (CVE-2023-46805/Ivanti Connect Secure, chained with the CVE-2024-21887 command injection), firewalls (CVE-2024-3400/PAN-OS GlobalProtect), or managed file transfer tools (MOVEit Transfer, CVE-2023-34362; GoAnywhere MFT, CVE-2023-0669)
  • Phishing with callback — BazarCall/Luna Moth style phone-based social engineering leading to remote access tool installation
  • Valid credentials from infostealer logs or credential stuffing against SSO and VPN portals, which succeeds wherever MFA is missing or can be worn down by push fatigue

Phase 2: Discovery & Lateral Movement (Days 1–5)

Once inside, the attacker maps the environment:

  • nltest /dclist:<domain> and net group "Domain Admins" /domain to enumerate domain controllers and privileged groups
  • BloodHound/SharpHound for AD attack path analysis
  • Cobalt Strike / Sliver / Brute Ratel for C2 and lateral movement
  • RDP pivoting using harvested credentials, or pass-the-hash over SMB/WMI (RDP accepts a hash only where Restricted Admin mode is enabled)
  • Impacket tools (wmiexec.py, psexec.py, smbexec.py) for remote execution

Phase 3: Privilege Escalation (Days 2–7)

Common escalation techniques include:

  • Kerberoasting: requesting TGS tickets for service accounts with SPNs and cracking the RC4-encrypted ticket portion offline to recover the account password
  • DCSync: abusing directory replication rights (DS-Replication-Get-Changes and -All) to pull password hashes from a domain controller as if the attacker were a replication partner
  • Exploitation of Group Policy Preferences (GPP) passwords, stored as cpassword values in SYSVOL and decryptable with the AES key Microsoft published
  • LSASS memory dumping with Mimikatz, or with the MiniDump export of comsvcs.dll invoked through rundll32

Phase 4: Data Exfiltration (Days 5–10)

Before encryption, attackers exfiltrate data for double-extortion leverage:

  • Rclone to cloud storage (Mega.nz, pCloud, or attacker-controlled S3)
  • WinSCP/FileZilla to external SFTP servers
  • Custom exfiltration tools — StealBit (LockBit), ExMatter (BlackCat)
  • Typical targets: financial records, HR data, customer PII, intellectual property, legal documents

Phase 5: Deployment (Day 10+)

Ransomware deployment is methodically orchestrated:

  1. Disable security tools, usually by loading a vulnerable signed driver (BYOVD) with EDR killers such as Terminator, AuKill, or Backstab
  2. Delete Volume Shadow Copies (vssadmin delete shadows /all /quiet, or the wmic shadowcopy delete equivalent) and disable Windows recovery with bcdedit
  3. Deploy the encryptor via GPO, PsExec, or WMI to all domain-joined systems at once, typically outside business hours so response is slow
  4. Drop ransom notes with Tor-based negotiation portal links
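The defender's view of these four steps, as an added example (not from the original page or any vendor product): a Python detector run over constructed Sysmon-style records. It flags the shadow-copy deletion command above together with its common equivalents, stop/delete commands aimed at security services, and a burst of file creates from one process on one host. The record layout, the service names in SECURITY_SERVICES, the extra recovery-tamper patterns, and the burst threshold are assumptions to tune against your own telemetry; the events are constructed, not real logs.

```python
import re
from collections import Counter

# Constructed Sysmon-style records (Event ID 1 = process creation,
# Event ID 11 = file create). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-03 02:14:05", "Computer": "FS01",
     "User": "CORP\\svc_backup", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "UtcTime": "2026-03-03 02:14:09", "Computer": "FS01",
     "User": "CORP\\svc_backup", "CommandLine": "sc stop SentinelAgent"},
    {"EventID": 1, "UtcTime": "2026-03-03 02:14:11", "Computer": "FS01",
     "User": "CORP\\svc_backup", "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "UtcTime": "2026-03-03 02:14:13", "Computer": "FS01",
     "User": "CORP\\svc_backup", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    # Benign admin activity that must not fire: listing shadows, stopping the print spooler.
    {"EventID": 1, "UtcTime": "2026-03-03 09:00:00", "Computer": "WS22",
     "User": "CORP\\jdoe", "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "UtcTime": "2026-03-03 09:01:00", "Computer": "WS22",
     "User": "CORP\\jdoe", "CommandLine": "net stop Spooler"},
]
# A burst of 250 file creates from one process within a single minute on FS01.
SAMPLE_EVENTS += [
    {"EventID": 11, "UtcTime": f"2026-03-03 02:15:{i % 60:02d}", "Computer": "FS01",
     "Image": "C:\\ProgramData\\update.exe",
     "TargetFilename": f"D:\\share\\doc{i}.docx.locked"}
    for i in range(250)
]

# Step 2: shadow-copy and recovery destruction. The first pattern is the command
# on the page; the others are common equivalents used in the same step.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
]
# Step 1: service or process termination aimed at security tooling. The names are
# an illustrative list of EDR/AV service names (assumption), not a complete one.
SECURITY_SERVICES = {"sentinelagent", "csfalconservice", "windefend", "mbamservice"}
SERVICE_STOP = re.compile(
    r'\b(?:sc(?:\.exe)?\s+(?:stop|delete)|net1?(?:\.exe)?\s+stop|'
    r'taskkill(?:\.exe)?\s+.*?/im)\s+"?([\w.-]+)', re.I)
# Step 3: mass file modification. Files per (host, process, minute) before alerting;
# a tuning assumption to calibrate against normal file-server load.
FILE_BURST_THRESHOLD = 100


def detect(events):
    """Return (rule, computer, detail) alerts for the deployment phase."""
    alerts = []
    file_writes = Counter()
    for ev in events:
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in RECOVERY_TAMPER):
                alerts.append(("recovery_tamper", ev["Computer"], cmd))
            m = SERVICE_STOP.search(cmd)
            if m and m.group(1).lower().removesuffix(".exe") in SECURITY_SERVICES:
                alerts.append(("security_tool_stop", ev["Computer"], cmd))
        elif ev["EventID"] == 11:
            minute = ev["UtcTime"][:16]  # "YYYY-MM-DD HH:MM" bucket
            file_writes[(ev["Computer"], ev["Image"], minute)] += 1
    for (computer, image, minute), n in file_writes.items():
        if n >= FILE_BURST_THRESHOLD:
            alerts.append(("file_write_burst", computer,
                           f"{image} created {n} files in minute {minute}"))
    return alerts


def summarize(alerts):
    """Alert counts by rule name, for triage or assertions."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    for rule, computer, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {computer}: {detail}")
```

Run against the constructed input it raises three recovery-tamper alerts, one security-tool stop, and one file-write burst, all on FS01, while the two admin commands on WS22 stay quiet. In production the same three rules are better expressed as SIEM or Sigma content, but the logic (command-line shape rather than binary name, and a per-process rate for file events) is what matters.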

Detection Opportunities

Each phase presents detection opportunities that security teams should instrument:

  • Phase 1: Monitor dark web forums, access-broker listings, infostealer log dumps, and leak sites for mentions of your organization (SIA Watch Tower covers this), and alert on MFA push floods and logins to SSO or VPN portals from new geographies
  • Phase 2: Alert on BloodHound/SharpHound artifacts, unusual RDP connections (Event ID 4624 with logon type 10 between workstations), and Cobalt Strike DNS beacons
  • Phase 3: Monitor for Kerberoasting (Event ID 4769 with Ticket Encryption Type 0x17/RC4, especially many distinct SPNs from one account), DCSync (Event ID 4662 carrying the DS-Replication-Get-Changes GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for an account that is not a domain controller), and LSASS access (Sysmon Event ID 10 with TargetImage lsass.exe from an unexpected SourceImage)
  • Phase 4: Detect Rclone execution (match on command-line shape, since the binary is often renamed), unusual outbound data volume to cloud storage, and DNS queries to known exfil infrastructure
  • Phase 5: Alert on VSS deletion commands, EDR service termination attempts and vulnerable driver loads (Sysmon Event ID 6), and mass file modification events such as high-rate file creates or renames with a new extension
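The Phase 3 checks, implemented as an added example (not the page's or SIA's code) over constructed Security and Sysmon records: Kerberoasting as several distinct RC4 (0x17) service-ticket requests from one account, DCSync as Event ID 4662 carrying a replication-rights GUID for an account that is not a domain controller, and LSASS access as Sysmon Event ID 10 from a source image outside a short allow-list. The field names follow the Windows event XML; the LSASS allow-list, the MSOL_ prefix exemption for the Azure AD Connect account, and RC4_SPN_THRESHOLD are tuning assumptions, and the events are constructed.

```python
import re
from collections import Counter, defaultdict

# Rights GUIDs that DCSync needs; they appear in the Properties field of Event ID 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Non-DC accounts expected to replicate, e.g. Azure AD Connect (assumption; tune per environment).
REPLICATION_ALLOWED_PREFIXES = ("MSOL_",)
# Processes that legitimately open lsass.exe; an illustrative allow-list, not a complete one.
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
# Distinct RC4 service tickets one account may request before alerting (tuning assumption).
RC4_SPN_THRESHOLD = 3

# Constructed records modelled on the Windows event fields; not real telemetry.
SAMPLE_EVENTS = [
    # 4769: jdoe requests RC4 (0x17) tickets for three service accounts in quick succession.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.1.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.1.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.1.5.23"},
    # 4769: an AES256 (0x12) ticket for a computer account and an RC4 krbtgt ticket: normal.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.1.7.41"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.1.7.41"},
    # 4662: replication by a DC (normal), by the AAD Connect account (allowed), by a user (DCSync).
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Sysmon 10: LSASS opened by Defender (allowed), by a renamed tool, and by rundll32
    # (the comsvcs.dll MiniDump pattern).
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\Downloads\\mk.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\rundll32.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]


def detect(events):
    """Return (rule, subject, detail) alerts for the three Phase 3 techniques."""
    alerts = []
    rc4_spns = defaultdict(set)  # requesting account -> distinct SPN accounts asked for with RC4
    for ev in events:
        eid = ev["EventID"]
        if eid == 4769:
            spn = ev["ServiceName"]
            # krbtgt and computer accounts ($) are excluded: their keys are not crackable targets.
            if (ev["TicketEncryptionType"].lower() == "0x17"
                    and spn.lower() != "krbtgt" and not spn.endswith("$")):
                rc4_spns[ev["TargetUserName"]].add(spn)
        elif eid == 4662:
            user = ev["SubjectUserName"]
            guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
            hit = guids & REPLICATION_GUIDS
            if (hit and not user.endswith("$")
                    and not user.upper().startswith(REPLICATION_ALLOWED_PREFIXES)):
                alerts.append(("dcsync", user, ", ".join(sorted(hit))))
        elif eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
            source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
            if source not in LSASS_ALLOWED:
                alerts.append(("lsass_access", ev["SourceImage"], ev["GrantedAccess"]))
    for account, spns in rc4_spns.items():
        if len(spns) >= RC4_SPN_THRESHOLD:
            alerts.append(("kerberoast", account, ", ".join(sorted(spns))))
    return alerts


def summarize(alerts):
    """Alert counts by rule, for triage or assertions."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

On the constructed input this yields one Kerberoasting alert for jdoe, one DCSync alert for the jdoe 4662 record, and two LSASS-access alerts (the renamed tool and rundll32), while the DC, the MSOL_ account, and Defender are left alone. Two tuning notes: in a domain where service accounts still have RC4 enabled, a single 0x17 ticket is routine and the per-account distinct-SPN count is what carries the signal; and the 4662 rule needs SACL auditing of "Replicating Directory Changes" on the domain object, or the event is never written.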

How SIA Force Helps

To disrupt the ransomware kill chain, SIA Watch Tower provides early warnings from dark web chatter and leak sites, while SIA Monitor helps identify the valid credentials attackers often use for initial access.
