From Infiltration to Execution: Understanding the Phases of a Ransomware Attack

6 minute read

September 2023

There is no silver bullet, although, believe it or not, there is a silver lining to ransomware attacks. 

In 2022, organizations around the world detected nearly 500 million ransomware attacks. Each time an attack occurs, smart people (perhaps some of you) examine and deconstruct the way criminals perpetrated the attack. Attack profiling, also called a “Kill Chain,” is a term popularized by Lockheed Martin and used to describe the phases of a cyberattack. 

This post outlines a typical ransomware kill chain to illustrate how the attacks are performed.

The Kill Chain Phases of a Ransomware Attack

Understanding the kill chain model is helpful because it provides a structured way to think about cyber attacks and identify potential defensive measures at each stage. If defenses can detect or thwart an attack in its earlier stages, it’s possible to prevent the attacker from reaching their end objective.

The primary kill chain phases of a ransomware attack are surveillance, distribution, infection, staging, scanning, encryption, and extortion, or the big payday. Once the files are encrypted and a ransom is demanded, your options become limited. 

Phase 1: Surveillance

Just like thieves “case” a house before attempting a break-in, so do cyber criminals watch you before launching an attack. In this early phase, attackers gather information to identify your vulnerabilities and potential avenues for exploitation. The information gathered may include IP addresses, network infrastructure, operating system types and versions, and collecting data on employees– especially new hires.

Even though surveillance is a preparatory phase, it’s not without risks for the attacker. Active reconnaissance methods, like network scanning, can be detected by intrusion detection systems or vigilant administrators. Passive surveillance is stealthier but is much less effective, and attackers can still leave traces, especially if they are accessing many profiles or documents in a short time span.

Phase 2: Distribution

The second phase of a ransomware attack is distribution — where the destructive code is distributed to your system. The attacker tries to get users to click a link or download an attachment, opening the door to scan for unpatched or vulnerable services. Controls that would be useful here (or even prior) are:

  • Email and web filtering 
  • Endpoint Detection and Patch management
  • Security Awareness Training for employees

Any of these controls would help your defenses, but not a single ONE should be wholly relied upon to be effective against all attacks.

Incidentally, user training is one of the most important defenses you can employ. 

Making sure all users know how to identify suspicious threats in correspondence is the number one thing you can do to stop distribution from happening. Staff training and knowledge testing should be recurring, continually updated, and not understated. 

However, staff training and testing extends beyond your organization. If your third parties are not diligent in their user training efforts, you’ve got exposure through them. According to data from the CyberGRX Exchange, 83% of third parties say they’re conducting social engineering training, but 42% aren’t checking the curriculum’s effectiveness by pen-testing the staff for vulnerabilities. Remember, behavior is a better indicator than knowledge when managing your third-party and cybersecurity risks.

Phase 3: Infection

After an attacker has successfully exploited a vulnerability in a system during the distribution phase, they typically want to ensure that they can maintain access to the compromised system, even if the initial exploit were to be discovered and remedied. Enter the “infection” phase.

At this stage, new processes are being launched, and the malware is installed and starts its infection process. While some functions may look legitimate, they’re running from bizarre locations in the file structure. 

Controls to watch for:

  • File and Process Monitoring
  • Endpoint and Least Privilege

It’s also possible the infected endpoint’s user may not notice the malicious activity if things get to this point.

Phase 4: Staging

In the staging phase, the malicious code starts communicating with the outside world and uploading your data, usually to a newly registered domain or a bare IP address. The staging phase is one of the pivotal stages in the lifecycle of a cyber attack, especially in targeted and persistent threats. 

Once malware has been installed on a victim’s system, it often needs to communicate with an external controller. This controller, operated by the attacker, provides instructions to the malware and can also receive data from the compromised system. You can think of this as a secret tunnel used to move thieves in and valuables out.

The same controls as the infection phase will apply here, and least privilege is still the most effective control. The point here is that if your users don’t have machine admin rights, the malware can’t push updates or modifications to the compromised system.

Phase 5: Scanning

In the scanning phase, the malware is looking for content to encrypt locally and at the network level. Specifically, the malware seeks out network drives and mounted cloud accounts such as Box, Dropbox, and buckets like S3– AKA your backups!

In this stage, your security team would see the greatest amount of network traffic as the malware extends over the network to infect new targets. 

Controls that can detect and prevent threats at this stage include: 

  • Network, Process, and File Activity Monitoring…again
  • Security Analyst Training 

The scanning stage is the first stage where security teams have the best opportunity to detect the infection and do something about it. 

The scanning phase can take seconds if the malware doesn’t find an extensive network, or it can take hours if it finds a jackpot. A well-trained SecOps team can identify and isolate the infection if an infection exists.

Phase 6: Encryption

In this final stage, the malware is going to start encrypting files. In other words, attackers have achieved their end goals after successfully navigating the preceding stages, such as gaining access, installing malware, and establishing command and control over the victim’s systems.

The same detection/monitoring controls are relevant, but at this point, the attack now becomes an “incident.” Incident response controls like SOAR or Security Orchestration and Automated Response workflow technologies are helpful here. Unfortunately, any human intervention will probably be too slow to be effective, and SOAR is likely the most effective tool for mitigating the infection. 

You may also experience encryption across multiple systems, so your response could be much larger depending on what the malware was able to find in the scanning phase. Now is when any response planning or desktop exercises you’ve done will start to pay off. 

Finally, at this point, your infected machines are telling you to pay up. 

Messages like, “The contents of this machine are encrypted; send us <enter foreign currency here> or other crypto to get your files back.” 

Controls at this stage are all incident response related:

  • Secure Backups, AND Forensics, Investigations, etc.

If your company hasn’t already established a policy regarding negotiating with digital criminals, you probably should discuss whether or not you’re going to pay up. You have to consider the value of the data that was encrypted. Is it catastrophic if it becomes unavailable? Is the public release of the data damaging to your business? 

These discussions SHOULD NOT happen for the first time during an active attack. Your C-Suite should consider all scenarios before an attack and be aligned on your policy if this happens to you.

Ransomware Attack Readiness

The ransomware kill chain model underscores the importance of a layered, in-depth defense strategy. While stopping an attack in its early stages (like surveillance or distribution) is ideal, organizations must also be prepared to detect and respond to threats that have already penetrated their initial defenses and are in the process of executing their end goals.

To help organizations improve their defenses against threats, CyberGRX offers a suite of threat tools, including Attack Scenario Analytics. Attack Scenario Analytics applies a data-driven approach combining third-party cyber risk management expertise with insights from the MITRE™ ATT&CK framework

Not only does the MITRE framework provide uniformity in how threat-informed data is organized, used, and communicated, but it’s based on real-world observations and “reverse-engineering” of past attacks. As such, security teams can use the framework to proactively identify and uncover undefended attack vectors.

MITRE techniques are also used to create kill chains, and CyberGRX is the only risk management platform to map control deficiencies of over {{Assessments}} attested assessments to 150+ of the most disruptive breaches and incidents using the MITRE ATT&CK framework to generate risk analytics. As a result, you’ll have data at your fingertips to help improve how you identify third-party outliers, including ransomware attacks, in a dynamic threat landscape. If you’d like to learn more about CyberGRX and additional ways to identify, analyze, and manage your third-party cyber risk, request a demo today.


This article was originally published 10/6/21 and was updated on 9/5/23 for relevancy and accuracy.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit