The threat actor will identify their target and try to phish login credentials, scan the web for vulnerable servers, or purchase exploits and credentials from the Dark Web.
The threat actor uses the credentials or exploits they acquired to enter your infrastructure. With so many connected apps and servers, it can be difficult to identify unauthorized logins.
The actor then installs a loader or injector file into the compromised infrastructure. This could enable them to create a backdoor or install software that will sit silently in the background.
To ensure their work isn’t removed when the compromised resource is rebooted or updated, the actor will create an auto-start action that persists across reboots and updates.
The actor escalates their privileges, enabling them to carry out more steps along the chain with a lower chance of setting off any alarms.
In order to avoid detection, the threat actor may weaken security configurations. An example of this would be removing single sign-on or disabling logging so there is no more visibility into activity.
To ensure the greatest chance of success, the actor will silently observe security practices and processes, baseline typical user behavior, and find out where the most valuable assets are located.
With the intel gathered during discovery, the actor will move laterally around the infrastructure. This helps them identify more assets for encryption and is often where they start to home in on more sensitive data.
The actor opens up communications with command and control (C2) server(s) to gain further control over the environment. This is usually where the actor takes greater control of any compromised assets and begins issuing additional commands remotely.
The actor may exfiltrate some data to hold as additional leverage against the victim to pressure them into paying the ransom. Taking it a step further, the actor may execute a “lock and leak” attack where they leak some of the stolen data as a negotiation tactic.
The actor reveals themselves and executes their attack. They will encrypt sensitive files, lock out users, and demand payment within a certain timeframe.
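Several of the stages above leave traces a defender can look for before the final encryption step: logging being switched off or going quiet (defense evasion), a new auto-start entry appearing (persistence), and large volumes of data leaving for a single destination (exfiltration). The following is an added example, not code from the original page, showing a small detection pass over constructed sample events. The event schema, the hosts, the auto-start allowlist, and the thresholds (15 minutes of heartbeat silence, 1 GB of egress per hour) are all assumptions chosen for this illustration.

```python
"""Added example (not from the original page): a detection pass over
constructed security events that flags three behaviours from the ransomware
chain described above: audit logging disabled or silent, an unapproved
auto-start entry, and bulk outbound transfer to one destination.
Event fields, hosts, allowlist and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # audit_heartbeat | config_change | autostart_added | net_out
    detail: dict = field(default_factory=dict)


# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 1, 8, 0)
OBSERVATION_TIME = T0 + timedelta(minutes=30)
SAMPLE_EVENTS = [
    Event(T0, "srv-01", "audit_heartbeat"),
    Event(T0 + timedelta(minutes=5), "srv-01", "config_change",
          {"setting": "audit_logging", "value": "disabled"}),
    Event(T0 + timedelta(minutes=6), "srv-01", "autostart_added",
          {"path": "C:\\Users\\Public\\loader.exe"}),
    Event(T0 + timedelta(minutes=5), "srv-02", "audit_heartbeat"),
    Event(T0 + timedelta(minutes=20), "srv-02", "net_out",
          {"dst": "203.0.113.10", "bytes": 400_000_000}),
    Event(T0 + timedelta(minutes=25), "srv-02", "audit_heartbeat"),
    Event(T0 + timedelta(minutes=25), "srv-02", "net_out",
          {"dst": "203.0.113.10", "bytes": 700_000_000}),
    Event(T0 + timedelta(minutes=30), "srv-03", "audit_heartbeat"),
    Event(T0 + timedelta(minutes=30), "srv-03", "net_out",
          {"dst": "198.51.100.5", "bytes": 10_000}),
]

# Auto-start entries the organisation expects (assumed allowlist).
AUTOSTART_ALLOWLIST = {"C:\\Program Files\\EDR\\agent.exe"}


def detect_logging_disabled(events, now, max_silence=timedelta(minutes=15)):
    """Return {host: [reasons]} for hosts whose audit logging was explicitly
    disabled or whose heartbeat stream has been quiet longer than max_silence."""
    reasons = defaultdict(list)
    last_beat = {}
    for e in events:
        if (e.kind == "config_change"
                and e.detail.get("setting") == "audit_logging"
                and e.detail.get("value") == "disabled"):
            reasons[e.host].append("audit logging explicitly disabled")
        elif e.kind == "audit_heartbeat":
            last_beat[e.host] = max(e.ts, last_beat.get(e.host, e.ts))
    for host, ts in last_beat.items():
        silence = now - ts
        if silence > max_silence:
            reasons[host].append(f"no audit heartbeat for {silence}")
    return dict(reasons)


def detect_new_autostart(events, allowlist=AUTOSTART_ALLOWLIST):
    """Return [(host, path)] for auto-start entries not on the allowlist."""
    return [(e.host, e.detail["path"]) for e in events
            if e.kind == "autostart_added" and e.detail["path"] not in allowlist]


def detect_bulk_egress(events, window=timedelta(hours=1), threshold=1_000_000_000):
    """Return {(host, dst): peak_bytes} where outbound bytes to one destination
    within any `window` exceed `threshold`."""
    flagged = {}
    recent = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "net_out":
            continue
        key = (e.host, e.detail["dst"])
        recent[key] = [x for x in recent[key] if e.ts - x.ts <= window] + [e]
        total = sum(x.detail["bytes"] for x in recent[key])
        if total > threshold:
            flagged[key] = max(total, flagged.get(key, 0))
    return flagged


def run_detections(events, now):
    """Run all three checks and return their findings keyed by category."""
    return {
        "logging": detect_logging_disabled(events, now),
        "autostart": detect_new_autostart(events),
        "egress": detect_bulk_egress(events),
    }


if __name__ == "__main__":
    for category, findings in run_detections(SAMPLE_EVENTS, OBSERVATION_TIME).items():
        print(category, findings)
```

Each check returns structured findings rather than printing, so the same functions can feed an alerting pipeline. The heartbeat check is the important one for the "disable logging" stage: an explicit "logging disabled" event may never arrive if the actor disables it first, so silence itself has to be treated as a signal.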