Richard Meeus
Stopping the Ransomware Kill Chain

Ransomware attacks are complex: breaching the system is just the beginning. To maximize the damage, an attacker must also spread their malicious payload across the network before beginning encryption or exfiltration. For the ransomware attack to be successful, the attacker must perform various steps (discover network assets, move laterally, elevate privileges, etc.). Those steps can be transposed onto a ransomware kill chain. Each step in this chain opens many opportunities for detection and mitigation. Much as frameworks such as MITRE show the various steps and categorisations of a specific attack breach, the kill chain helps you understand where you are best placed to defend against the threats, and where you are weakest.

Visualising the attack through the chain links of reconnaissance, exploit creation, payload delivery, exploitation and then exfiltration, we can understand which tools we can use to protect our estates and thwart the attackers at every stage. Controlling your network and assets can reduce your attack surface, and help mitigate and contain any possible damage from ransomware before you’re even aware you’ve been hit.

Date & Time
Wednesday, May 1, 2024, 2:00 PM - 2:30 PM
Theater 5