
Ransomware Attack Chains: A MITRE ATT&CK Analysis

February 4, 2026
Executive Summary

Ransomware groups share more operational DNA than their branding suggests. This report applies MITRE ATT&CK as a systematic analytical lens to decompose the full intrusion kill chains of five major ransomware operations active in 2024–2025: LockBit, Black Basta, ALPHV/BlackCat, Play, and Akira. Drawing on Dark Angel’s incident response data across 420 confirmed ransomware engagements, malware reverse engineering, and dark web intelligence, we map each group’s observed techniques across eleven of the fourteen Enterprise ATT&CK tactics, from Initial Access through Impact. The analysis reveals significant convergence around a shared core of 18 techniques that appear across all five groups, alongside meaningful divergence in execution tooling, persistence mechanisms, and defense evasion strategies that serve as reliable attribution indicators. We identify detection opportunities at each kill chain stage, recommend prioritized data sources and detection logic, and present a phase-by-phase defensive countermeasure framework that security teams can operationalize against the ransomware threat as a class rather than chasing individual group signatures.

MITRE ATT&CK Framework: Application to Ransomware Analysis

Why ATT&CK for Ransomware Defense

The conventional approach to ransomware defense centers on indicator-of-compromise (IOC) matching: blocking known malicious IPs, domains, and file hashes associated with specific ransomware payloads. This approach fails systematically for three reasons. First, ransomware infrastructure rotates rapidly—LockBit affiliates cycled through an estimated 1,200 unique C2 domains during 2024 alone. Second, the affiliate model means that the same ransomware brand is operated by dozens of independent intrusion teams, each bringing distinct tooling and tradecraft. Third, IOC-centric defenses address the symptoms of compromise rather than the behavioral patterns that constitute the attack itself.

MITRE ATT&CK provides the alternative: a behavior-based taxonomy that describes what adversaries do rather than what artifacts they leave. By mapping ransomware operations to ATT&CK techniques, defenders can construct detection logic that fires on adversary behavior regardless of the specific tools, credentials, or infrastructure in use. A detection for T1003.001 (LSASS Memory) that fires when a process outside a short allow-list opens a handle to lsass.exe with PROCESS_VM_READ access (Sysmon Event ID 10) is effective whether the operator is a LockBit affiliate using Mimikatz, a Black Basta operator using nanodump, or an Akira affiliate using a custom LSASS dumper, because every one of those tools must read LSASS memory to extract credentials. The one caveat is that handle-duplication tricks shift which process appears as the source of the access, so the allow-list of processes permitted to hold such handles has to be kept tight.

The ATT&CK framework also enables comparative analysis across groups. When we map five ransomware operations to the same taxonomy, convergence points reveal the techniques that are structurally necessary for ransomware operations (and therefore offer the highest detection ROI), while divergence points reveal group-specific tradecraft that supports attribution and threat-informed prioritization.

Mapping Methodology

The technique assignments in this report are derived from three primary evidence sources. Incident response telemetry from 420 confirmed ransomware engagements conducted by Dark Angel and partner firms between January 2024 and March 2025 provides the empirical foundation. Each engagement produced a structured TTP worksheet documenting tools, commands, and behavioral artifacts observed at each stage of the intrusion. Malware reverse engineering of 65 unique ransomware payload samples across the five groups supplements the behavioral data with technical capabilities embedded in the payload itself. Dark web intelligence—affiliate playbooks, operator guides, and forum discussions collected from XSS, Exploit, RAMP, and Telegram channels—provides additional context on intended operational procedures that may not have been directly observed in incident response engagements.

Techniques are assigned only when observed in two or more independent engagements or confirmed through reverse engineering of the payload. Single-observation techniques are noted as possible but are excluded from the comparative analysis to avoid over-attribution. Sub-technique granularity is used where evidence supports it; otherwise, parent technique IDs are cited.

Enterprise Matrix Focus

This analysis maps exclusively to the MITRE ATT&CK Enterprise matrix, restricted to its Windows platform, reflecting the operational reality that all five groups primarily target Windows domain environments. ESXi/Linux-targeting capabilities exist for LockBit, ALPHV, and Akira, but the pre-encryption intrusion chain—from initial access through lateral movement—is conducted almost exclusively within Windows Active Directory environments. The Enterprise matrix therefore captures the full attack surface relevant to pre-encryption detection and disruption.

End-to-End Attack Chain Mapping

The following sections decompose the full kill chain for each of the five ransomware groups, organized by ATT&CK tactic. Where possible, we cite specific sub-techniques and tools observed in Dark Angel engagements.

LockBit 3.0 / LockBit Black

Initial Access: LockBit’s diverse affiliate base produces the widest initial access surface of any group in this analysis. The most prevalent vectors observed in 2024 engagements were exploitation of public-facing applications (T1190)—particularly Citrix Bleed (CVE-2023-4966) and Fortinet FortiOS vulnerabilities (CVE-2024-21762)—followed by compromised VPN and RDP credentials purchased from initial access brokers (T1078). Phishing (T1566) accounted for approximately 22% of observed initial access, delivered via callback phishing campaigns and HTML smuggling payloads. Several affiliates leveraged infections from commodity loaders such as Pikabot and IcedID as initial footholds.

Execution: PowerShell (T1059.001) serves as the primary execution engine, used to disable security controls, execute encoded stagers, and invoke credential harvesting. Batch scripts (T1059.003) orchestrate pre-encryption preparation: terminating volume shadow copy services, killing database processes, and stopping backup agents. The LockBit 3.0 payload itself refuses to run unless the per-build password is supplied on the command line (the -pass argument); this is an anti-analysis gate that also keeps the decrypted payload out of sandboxes, comparable to the access-token gating ALPHV uses (T1480.001), rather than a T1059 behavior in its own right.

Persistence: Scheduled tasks (T1053.005) and registry run keys (T1547.001) are the dominant persistence mechanisms. Some affiliates create local administrator accounts (T1136.001) to maintain access across credential rotation events. RMM tools such as AnyDesk and ScreenConnect are installed as persistent backdoors (T1219).

Privilege Escalation: Exploitation of domain trust relationships and misconfigured Group Policy Objects is common. Kerberoasting (T1558.003) is used to extract service account credentials. UAC bypass techniques (T1548.002) elevate local access. Several affiliates deployed Certify and Certipy to exploit Active Directory Certificate Services misconfigurations (T1649).

Defense Evasion: LockBit affiliates heavily employ BYOVD (Bring Your Own Vulnerable Driver) attacks (T1068/T1562.001) using tools such as Terminator, AuKill, and custom drivers to kill EDR processes at the kernel level. Windows Defender is weakened via PowerShell: Add-MpPreference exclusions for the staging directories and Set-MpPreference -DisableRealtimeMonitoring to switch off real-time scanning. The LockBit 3.0 payload itself uses API hashing and string encryption to resist static analysis. Event log clearing (T1070.001) is performed post-encryption.

Credential Access: LSASS memory dumping (T1003.001) via Mimikatz, nanodump, or direct MiniDumpWriteDump API calls. Kerberoasting (T1558.003) for service account credentials. DCSync (T1003.006) to replicate domain credentials from domain controllers. Infostealer log harvesting for pre-compromise credential sets.

Discovery: Active Directory enumeration using BloodHound/SharpHound (T1087.002) and AdFind. Network share enumeration (T1135) to identify high-value data stores. System information discovery (T1082) and remote system discovery (T1018) to map the domain topology.

Lateral Movement: RDP (T1021.001) and SMB/Windows Admin Shares (T1021.002) via PsExec are the primary lateral movement protocols. WMI (T1047) and PowerShell remoting provide supplementary pathways. LockBit 3.0 can self-propagate via Group Policy Object modification, pushing the payload to domain-joined machines without per-host manual deployment.

Collection: Data is staged in C:\ProgramData, C:\Windows\Temp, or user AppData directories (T1074.001). Bulk archive creation using 7-Zip (T1560.001) prior to exfiltration.

Exfiltration: StealBit (custom exfiltration tool), Rclone configured for Mega.nz or attacker-controlled cloud storage (T1567.002), and MEGAsync for direct upload. Data transfer typically precedes encryption by 24–72 hours (T1048).

Impact: AES-256 in CTR mode with RSA-2048 key wrapping. Intermittent encryption as default for speed. Multi-threaded encryption targeting local and network-mapped drives. Shadow copy deletion via vssadmin and wmic (T1490). Service and process termination targeting databases, email servers, and backup agents (T1489). Ransom note deployment and wallpaper modification (T1486).

Black Basta

Initial Access: Black Basta demonstrated a distinctive initial access methodology centered on social engineering. QakBot infections (T1566.001) were the primary vector throughout early 2024, delivered via thread-hijacked email campaigns. Following QakBot’s disruption, the group pivoted to callback phishing and a novel technique involving mass spam bombing of target employee mailboxes followed by impersonation calls from fake IT helpdesk personnel, convincing employees to install ScreenConnect or launch the built-in Quick Assist tool (T1566.004, T1204.002). Exploitation of ConnectWise ScreenConnect (CVE-2024-1709) provided an additional initial access pathway in 2024.

Execution: PowerShell (T1059.001) for initial payload delivery and defensive disabling. Black Basta operators frequently use certutil (T1105) and bitsadmin (T1197) for secondary payload downloads. Cobalt Strike Beacons serve as the primary post-exploitation framework, with observed migrations to Brute Ratel C4 in later campaigns.

Persistence: Registry run keys (T1547.001) and scheduled tasks (T1053.005). Persistent Cobalt Strike implants with process injection into legitimate Windows services. SystemBC proxy malware deployed as a backup communication channel (T1090.003).

Privilege Escalation: PrintNightmare (CVE-2021-34527, T1068) remained in use against unpatched environments. ZeroLogon (CVE-2020-1472) exploited where available. Kerberoasting (T1558.003) and targeted exploitation of over-permissioned service accounts.

Defense Evasion: EDR disabling via BYOVD (T1562.001) with heavy use of the Backstab and Terminator tools. PowerShell AMSI bypass (T1562.001). Timestomping of dropped binaries (T1070.006). Process hollowing of svchost.exe (T1055.012) to blend into normal system activity.

Credential Access: Mimikatz (T1003.001) and nanodump for LSASS extraction. Credential harvesting from browser stores (T1555.003). Active Directory attacks including DCSync (T1003.006) and AS-REP Roasting (T1558.004) targeting accounts without Kerberos pre-authentication.

Discovery: BloodHound/SharpHound for AD enumeration (T1087.002). net group "domain admins" for targeted privilege identification. SoftPerfect Network Scanner for network topology mapping (T1046). Extensive SMB share enumeration (T1135) to identify data for exfiltration.

Lateral Movement: PsExec (T1021.002) and Impacket’s wmiexec (T1047) for remote execution. RDP with credential tunneling through Cobalt Strike SOCKS proxies (T1021.001). Lateral tool transfer via SMB (T1570).

Collection: Automated data identification using custom scripts targeting financial documents, legal files, and HR records. WinRAR and 7-Zip (T1560.001) for staging archives.

Exfiltration: Rclone to attacker-controlled SFTP and cloud infrastructure (T1567.002). In later campaigns, observed use of custom .NET exfiltration utilities designed to evade DLP solutions by fragmenting uploads and using HTTPS to legitimate cloud providers (T1048.002).

Impact: ChaCha20 encryption with RSA-4096 key wrapping. Targets both Windows and VMware ESXi hypervisors. Shadow copy deletion and backup destruction (T1490). The group increasingly emphasized data extortion over encryption in late 2024, threatening publication without deploying the locker in a subset of cases (T1486).

ALPHV/BlackCat

Initial Access: ALPHV affiliates favored exploitation of public-facing applications (T1190), with heavy targeting of Veritas Backup Exec (CVE-2021-27876/77/78) and Microsoft Exchange (ProxyShell, ProxyNotShell). Valid accounts (T1078) obtained through infostealer logs and IAB purchases constituted the second-highest vector. Sophisticated social engineering campaigns, including the notable impersonation of IT helpdesk staff during the MGM Resorts attack in September 2023, demonstrated the group’s willingness to invest in targeted social engineering (T1566.004).

Execution: The ALPHV payload, written in Rust, supports execution via command-line parameters specifying encryption mode, target paths, and propagation method (T1059). PowerShell (T1059.001) for pre-deployment preparation. Windows Management Instrumentation (T1047) for remote execution across the domain.

Persistence: Scheduled tasks (T1053.005) pointing to renamed copies of legitimate system utilities that serve as loaders. Windows services (T1543.003) created to auto-start Cobalt Strike or Sliver implants. Modified Group Policy Objects for domain-wide persistence (T1484.001).

Privilege Escalation: Exploitation of vulnerable kernel drivers (T1068) for privilege escalation. Token impersonation (T1134.001) via Cobalt Strike’s steal_token functionality. Active Directory Certificate Services exploitation (T1649) for domain escalation via certificate forgery.

Defense Evasion: The Rust-based payload inherently resists signature-based detection due to unique compilation artifacts. ALPHV affiliates deployed Morph and Stonestop to terminate EDR products (T1562.001). Payload execution was gated behind access tokens, preventing sandbox detonation (T1480.001). Extensive use of living-off-the-land binaries (LOLBins) including mshta.exe, rundll32.exe, and regsvr32.exe (T1218).

Credential Access: LaZagne (T1555) and Mimikatz (T1003.001) for broad credential harvesting. NTDS.dit extraction from domain controllers (T1003.003). Exploitation of password managers and cached browser credentials (T1555.003).

Discovery: ADRecon and BloodHound for AD mapping (T1087.002). Netscan and Advanced IP Scanner for network enumeration (T1046). Query of domain trusts (T1482) to identify opportunities for cross-domain movement.

Lateral Movement: PsExec (T1021.002) and SSH (T1021.004) for cross-platform movement to Linux/ESXi hosts. Cobalt Strike’s SMB beacon for internal pivoting (T1021.002). WinRM (T1021.006) observed in environments where PowerShell remoting was enabled.

Collection: ExMatter, a custom-developed data exfiltration tool, automated the identification, staging, and upload of high-value files (T1119). Targeted file types included .pdf, .docx, .xlsx, .pst, and database files.

Exfiltration: ExMatter (T1041) performed both collection and exfiltration, uploading directly to attacker-controlled SFTP servers. Mega.nz and file.io uploads via Rclone (T1567.002) served as backup methods. Some affiliates used encrypted Tor channels for exfiltration of particularly sensitive data (T1048.001).

Impact: AES-128 or ChaCha20 encryption (configurable at build time) with RSA-2048 or RSA-4096 key wrapping. Full, header-only, and intermittent encryption modes. Cross-platform: Windows, Linux, VMware ESXi. Shadow copy deletion (T1490), process/service termination (T1489), and wallpaper/note deployment (T1486). The ALPHV operation concluded with a $22M exit scam following the Change Healthcare payment in March 2024.

Play Ransomware

Initial Access: Play exhibited a narrower initial access profile centered on exploitation of public-facing network appliances (T1190). FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (ProxyNotShell, CVE-2022-41040/41082) were the primary targets. Valid accounts (T1078) from credential stuffing against exposed RDP endpoints constituted the secondary vector. Play showed minimal reliance on phishing, consistent with the group’s preference for infrastructure-based initial access over social engineering.

Execution: PowerShell (T1059.001) and CMD batch scripts (T1059.003) for operational sequencing. Cobalt Strike Beacons for interactive post-exploitation. WMI (T1047) for remote command execution during lateral movement phases.

Persistence: Scheduled tasks (T1053.005) and Windows services (T1543.003). Play operators favored creating a small number of high-privilege persistence mechanisms rather than distributing many lightweight implants—a distinctive operational signature suggesting a smaller, more disciplined operator base.

Privilege Escalation: Local privilege escalation via named pipe impersonation (T1134.001). Kerberoasting (T1558.003) against service accounts with weak passwords. Exploitation of misconfigured delegation settings in Active Directory.

Defense Evasion: Play’s payload uses intermittent encryption to reduce file I/O footprint and avoid behavior-based detection. The group deployed custom tools to disable Windows Defender and AMSI (T1562.001). File names were randomized on disk to evade static file-path-based detections. Legitimate system utilities (wevtutil.exe) were used to clear event logs (T1070.001).

Credential Access: Mimikatz (T1003.001) and Windows Credential Manager extraction (T1555.004). NTDS.dit offline extraction (T1003.003) from domain controller shadow copies. Network sniffing (T1040) observed in limited engagements targeting NTLM relay opportunities.

Discovery: AdFind (T1018, T1087.002) for Active Directory enumeration. Grixba, a custom network scanner attributed to Play, for automated enumeration of network topology, installed software, and security products (T1046, T1518.001).

Lateral Movement: SMB/Windows Admin Shares (T1021.002) for file distribution and remote execution. RDP (T1021.001) with tunneling through Cobalt Strike. Play operators were consistently observed using Cobalt Strike’s jump commands for streamlined lateral movement.

Collection: WinRAR with command-line parameters for targeted archive creation (T1560.001). Data staged in C:\Perflogs or C:\Recycler—directories unlikely to receive routine monitoring.

Exfiltration: WinSCP for SFTP-based exfiltration to attacker-controlled servers (T1048.002). Rclone to cloud storage in select engagements (T1567.002). Play’s exfiltration volumes were typically smaller than peer groups, suggesting a more targeted approach to data selection.

Impact: RSA-AES hybrid encryption with intermittent mode. Files receive the .play extension. Shadow copy deletion (T1490) via vssadmin and WMIC. Service termination (T1489) targeting databases, backup agents, and email services. Ransom note (ReadMe.txt) contains minimal content—only a .onion contact address and a threat ID (T1486).

Akira

Initial Access: Akira emerged in March 2023 and quickly established exploitation of Cisco VPN appliances (CVE-2023-20269, T1190) as its signature initial access vector. Compromised VPN credentials without MFA enforcement (T1078) represented the second-highest vector. In 2024, Akira expanded to exploit Veeam Backup & Replication vulnerabilities (CVE-2023-27532) for both initial access and backup destruction, demonstrating an integrated approach to access and impact.

Execution: PowerShell (T1059.001) for initial defensive disabling and tool deployment. Akira’s Windows payload is a C++ binary executed via command line. The Linux/ESXi variant is a standalone binary targeting virtual machine disk files. Batch scripts (T1059.003) orchestrate pre-encryption tasks including service termination and shadow copy deletion.

Persistence: Local account creation (T1136.001) with administrative privileges. Scheduled tasks (T1053.005) for persistent access. Akira operators notably installed legitimate RMM tools (AnyDesk, RustDesk) as persistent backdoors (T1219), blending into environments where such tools were already in use.

Privilege Escalation: Kerberoasting (T1558.003) against service accounts. Token manipulation (T1134) for local escalation. Exploitation of unpatched local privilege escalation vulnerabilities including PrintNightmare (T1068) in environments with delayed patching cadences.

Defense Evasion: PowerShell-based disabling of Windows Defender real-time monitoring (T1562.001). Akira payloads are typically packed with custom packers that generate unique hashes per build, defeating signature-based AV. Process name masquerading (T1036.005)—renaming malicious binaries to resemble legitimate system utilities. Log clearing via wevtutil cl commands (T1070.001).

Credential Access: Mimikatz (T1003.001) for LSASS dumping. LaZagne for broad credential harvesting across browsers, mail clients, and password stores (T1555). DCSync (T1003.006) against domain controllers. Credential dumping from Veeam backup server databases in engagements where Veeam was present.

Discovery: Advanced IP Scanner and SoftPerfect Network Scanner (T1046). nltest /dclist and net group commands (T1087.002) for domain enumeration. Query of backup infrastructure (Veeam, Commvault) to map recovery capabilities prior to attack execution.

Lateral Movement: RDP (T1021.001) as the primary lateral movement protocol. SSH (T1021.004) for movement to Linux and ESXi hosts. PowerShell remoting (T1021.006) and SMB file copy (T1570) for tool distribution across the domain.

Collection: WinRAR and 7-Zip (T1560.001) for archive creation. Data staged in user-writable directories outside standard monitoring paths. Akira operators were observed spending 3–5 days on data identification and selection, suggesting a deliberate approach to maximizing extortion leverage.

Exfiltration: WinSCP (T1048.002) and Rclone (T1567.002) for data upload to attacker-controlled infrastructure. MEGAsync in select engagements. Akira’s exfiltration phase typically overlapped with continued lateral movement, compressing the pre-encryption timeline.

Impact: Hybrid ChaCha20 and RSA encryption. Cross-platform targeting: Windows, Linux, VMware ESXi. Shadow copy deletion (T1490) and backup destruction (targeting Veeam repositories specifically). Service/process termination (T1489). In several 2024 engagements, Akira deployed the locker exclusively to ESXi hypervisors, encrypting all hosted virtual machines in a single operation while leaving the underlying Windows domain infrastructure intact—maximizing operational disruption while minimizing deployment complexity (T1486).

MITRE ATT&CK Technique Comparison Across Groups

The following table maps specific techniques observed across all five groups for each ATT&CK tactic. Filled cells indicate confirmed usage based on Dark Angel’s incident response data and technical analysis.

Tactic                Technique                                     LockBit  Black Basta  ALPHV  Play  Akira
Initial Access        T1190 Exploit Public-Facing Application
                      T1566 Phishing
                      T1078 Valid Accounts
Execution             T1059 Command and Scripting Interpreter
                      T1047 Windows Management Instrumentation
Persistence           T1053 Scheduled Task/Job
                      T1543 Create or Modify System Process
Privilege Escalation  T1558 Steal or Forge Kerberos Tickets
                      T1068 Exploitation for Privilege Escalation
Defense Evasion       T1562 Impair Defenses
                      T1070 Indicator Removal
Credential Access     T1003 OS Credential Dumping
                      T1555 Credentials from Password Stores
Discovery             T1087 Account Discovery
Lateral Movement      T1021 Remote Services
Collection            T1560 Archive Collected Data
Exfiltration          T1048 Exfiltration Over Alternative Protocol
Impact                T1486 Data Encrypted for Impact
                      T1490 Inhibit System Recovery

Common Attack Patterns and Shared Techniques

Most Frequently Used Techniques Across All Groups

Eighteen techniques appeared in all five groups’ operational playbooks, representing the structural minimum required for a successful ransomware intrusion in an enterprise Active Directory environment. These universal techniques cluster into three functional categories.

Universal Ransomware Core

Access & establishment: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), T1053 (Scheduled Task/Job). Domain compromise: T1003 (OS Credential Dumping), T1087 (Account Discovery), T1021 (Remote Services), T1562 (Impair Defenses). Objective execution: T1560 (Archive Collected Data), T1048 (Exfiltration Over Alternative Protocol), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery). These twelve techniques, plus six supporting techniques (T1070, T1135, T1046, T1082, T1018, T1489), constitute the shared ransomware genome. Detection engineering efforts that achieve reliable coverage across these eighteen techniques address the majority of ransomware behavior regardless of the specific group.

Convergence Points

Beyond the universal core, several convergence patterns warrant attention. All five groups use LSASS memory dumping (T1003.001) as their primary credential harvesting method, even when additional credential access techniques are employed. All five use PsExec or equivalent SMB-based remote execution (T1021.002) as a lateral movement mechanism. All five perform shadow copy deletion (T1490) as a mandatory pre-encryption step. And all five deploy 7-Zip or WinRAR (T1560.001) for data staging prior to exfiltration. These convergence points reflect techniques where no meaningfully better alternative exists for the operational requirement—they are the structural necessities of the ransomware attack chain.

The convergence around BYOVD-based EDR killing (T1562.001) is particularly noteworthy. Four of five groups (LockBit, Black Basta, ALPHV, and Play) have adopted vulnerable driver exploitation to terminate EDR processes at the kernel level. This technique has become the ransomware ecosystem’s standard response to the industry-wide deployment of next-generation EDR solutions. Akira has been less aggressive in BYOVD adoption but compensates with PowerShell-based security tool disabling, suggesting it may be a matter of operational maturity rather than strategic choice.

Divergence Points

Meaningful divergence exists in three areas. Initial access specialization: Play and Akira show minimal phishing activity, relying almost exclusively on infrastructure exploitation and compromised credentials. Black Basta’s social engineering campaigns (IT helpdesk impersonation) represent a unique operational investment not replicated by the other groups. LockBit’s affiliate model produces the broadest initial access surface, making it the hardest group to characterize with a single access vector.

Custom tooling: ALPHV’s ExMatter automated data exfiltration tool, Play’s Grixba network scanner, and LockBit’s StealBit represent bespoke development investments that differentiate each group’s collection and exfiltration capabilities. These custom tools are reliable attribution indicators when recovered during incident response.

Target platform scope: LockBit, ALPHV, and Akira have developed Linux/ESXi payloads, enabling direct encryption of virtualization infrastructure. Black Basta has fielded an ESXi locker since 2022 (see its Impact section above). Play has remained predominantly Windows-focused, relying on network-accessible encryption of mapped drives to reach file shares hosted on non-Windows systems.

Detection Opportunities at Each Kill Chain Stage

Effective ransomware detection requires telemetry from multiple data sources correlated across kill chain stages. The following section maps detection opportunities to each tactic phase, citing the specific ATT&CK techniques that provide the highest-confidence detection signals.

T1566
Phishing
Initial Access
T1190
Exploit Public-Facing Application
Initial Access
T1078
Valid Accounts
Initial Access, Persistence
T1059
Command and Scripting Interpreter
Execution
T1053
Scheduled Task/Job
Persistence, Execution
T1003
OS Credential Dumping
Credential Access
T1021
Remote Services
Lateral Movement
T1486
Data Encrypted for Impact
Impact
T1048
Exfiltration Over Alternative Protocol
Exfiltration
T1562
Impair Defenses
Defense Evasion

Initial Access Detection

T1190 — Exploit Public-Facing Application: Monitor web application and VPN appliance logs for exploitation indicators. Key data sources include IDS/IPS alerts on exploit payloads targeting known CVEs, anomalous authentication patterns on VPN gateways (successful logins from previously unseen geolocations immediately followed by internal network activity), and vulnerability scanner output cross-referenced against threat intelligence feeds for CVEs actively exploited by ransomware groups. Detection logic: alert on VPN authentication from a new source IP followed by internal RDP or SMB activity within 60 minutes.

T1566 — Phishing: Email gateway telemetry (attachment analysis, URL detonation, sender reputation) combined with endpoint detection for payload execution. Focus on detecting the delivery vehicles favored by ransomware affiliates: ISO/IMG files, HTML smuggling payloads, OneNote files with embedded scripts, and callback phishing emails containing only phone numbers (no URLs or attachments). Detection logic: alert on child process spawning from outlook.exe or teams.exe where the child process is powershell.exe, cmd.exe, wscript.exe, or mshta.exe.

T1078 — Valid Accounts: Detect anomalous credential usage through user behavior analytics (UBA). Key indicators include successful authentication from impossible travel locations, authentication from VPN IP ranges by accounts that have never previously used VPN access, and simultaneous sessions from geographically incompatible locations. Integrate threat intelligence feeds of compromised credentials (infostealer log databases) for proactive detection. Detection logic: alert on successful domain authentication where the source IP has never been associated with the user account in the prior 90 days.
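The two detection rules stated above (new source IP for the account, and VPN login followed by internal RDP/SMB within 60 minutes) as a worked example. This is added illustration code, not tooling from the Dark Angel report or any vendor; the record fields (user, src_ip, ts, dst_host, logon_type), the 90-day baseline structure, and the sample events are constructed assumptions that would be mapped onto the VPN gateway and Security 4624 schemas in use.

```python
"""
Added example, not code from the report: the two Initial Access rules above,
run offline over constructed log records.
  Rule A (T1078): successful authentication from a source IP never paired with
    the account in the prior 90 days.
  Rule B (T1190/T1078): VPN authentication from such a new source IP followed
    by internal RDP (logon type 10) or SMB (logon type 3) activity by the same
    account within 60 minutes.
Field names and sample data are assumptions.
"""
from datetime import datetime, timedelta

RDP_OR_SMB_LOGON_TYPES = {3, 10}   # Security 4624 LogonType: 10 = RemoteInteractive, 3 = Network

# Constructed 90-day baseline: last time each (user, src_ip) pair was seen.
BASELINE = {
    ("jdoe", "203.0.113.10"): datetime(2025, 1, 20, 9, 0),
    ("asmith", "198.51.100.7"): datetime(2024, 10, 1, 8, 0),   # older than 90 days
}

# Constructed VPN gateway events (successful logins only).
VPN_AUTH = [
    {"ts": datetime(2025, 2, 3, 2, 14), "user": "jdoe",   "src_ip": "203.0.113.10"},  # known pair
    {"ts": datetime(2025, 2, 3, 2, 31), "user": "jdoe",   "src_ip": "192.0.2.77"},    # never seen
    {"ts": datetime(2025, 2, 3, 3, 5),  "user": "asmith", "src_ip": "198.51.100.7"},  # stale pair
]

# Constructed internal Security 4624 events.
INTERNAL_AUTH = [
    {"ts": datetime(2025, 2, 3, 2, 50), "user": "jdoe",   "dst_host": "FS01", "logon_type": 3},
    {"ts": datetime(2025, 2, 3, 3, 2),  "user": "jdoe",   "dst_host": "DC01", "logon_type": 10},
    {"ts": datetime(2025, 2, 3, 9, 0),  "user": "asmith", "dst_host": "FS01", "logon_type": 3},  # outside window
]


def new_source_ip_logins(auth_events, baseline, window_days=90):
    """Rule A: events whose (user, src_ip) pair is absent from the baseline or
    was last seen more than window_days before the event."""
    hits = []
    for ev in auth_events:
        last_seen = baseline.get((ev["user"], ev["src_ip"]))
        if last_seen is None or ev["ts"] - last_seen > timedelta(days=window_days):
            hits.append(ev)
    return hits


def correlate_vpn_to_internal(vpn_events, internal_events, baseline, window_minutes=60):
    """Rule B: for each Rule A hit on the VPN gateway, collect RDP/SMB logons by
    the same account inside the window; one alert per VPN login with follow-on."""
    alerts = []
    for vpn in new_source_ip_logins(vpn_events, baseline):
        deadline = vpn["ts"] + timedelta(minutes=window_minutes)
        follow_on = [ev for ev in internal_events
                     if ev["user"] == vpn["user"]
                     and ev["logon_type"] in RDP_OR_SMB_LOGON_TYPES
                     and vpn["ts"] <= ev["ts"] <= deadline]
        if follow_on:
            alerts.append({"user": vpn["user"], "src_ip": vpn["src_ip"], "vpn_ts": vpn["ts"],
                           "targets": sorted({ev["dst_host"] for ev in follow_on})})
    return alerts


if __name__ == "__main__":
    for a in correlate_vpn_to_internal(VPN_AUTH, INTERNAL_AUTH, BASELINE):
        print(f"ALERT {a['user']} via VPN from {a['src_ip']} at {a['vpn_ts']:%H:%M}, "
              f"then RDP/SMB to {', '.join(a['targets'])} within 60 min")
```

On the sample data, Rule A flags both the never-seen jdoe login and the stale asmith pair, but only jdoe's login is followed by internal RDP/SMB activity inside the hour, so Rule B raises a single alert naming DC01 and FS01. The baseline must be rebuilt from the same authentication source on a rolling basis; a stale pair counting as "new" is deliberate, since an infostealer log bought months after the credential was harvested will often reuse an IP the account once used.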

Execution and Persistence Detection

T1059 — Command and Scripting Interpreter: Endpoint telemetry (EDR process creation logs, PowerShell script block logging, command-line auditing) is the primary data source. High-confidence indicators include PowerShell execution with -encodedcommand or -e flags, Set-MpPreference commands disabling real-time monitoring, and batch scripts invoking vssadmin delete shadows. Detection logic: alert on PowerShell processes executing with encoded command parameters or invoking known defense-disabling cmdlets, particularly when spawned from non-standard parent processes.

T1053 — Scheduled Task/Job: Monitor Windows Security event logs (Event ID 4698—scheduled task creation) and Sysmon logs (Event ID 1 for schtasks.exe execution). Key indicators include scheduled tasks created by non-administrative accounts, tasks pointing to executables in unusual directories (C:\ProgramData, C:\Windows\Temp, user profile directories), and tasks configured to run as SYSTEM. Detection logic: alert on schtasks.exe /create where the target binary resides outside %SystemRoot% and %ProgramFiles%.
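The command-line checks from the T1059 and T1053 paragraphs above, worked through on constructed process-creation records. This is added example code, not a detection from the report; the record fields (parent, cmdline), the expected-parent set, and the trusted binary roots standing in for %SystemRoot% and %ProgramFiles% are assumptions to tune per estate. The example goes slightly beyond the text by accepting any unambiguous prefix of -EncodedCommand (-e, -enc, and so on), which is how powershell.exe itself parses the flag.

```python
"""
Added example, not code from the report: command-line checks for the T1059 and
T1053 indicators above, run over constructed Sysmon Event ID 1 style records.
Field names, EXPECTED_PARENTS and TRUSTED_ROOTS are assumptions.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
FLAG_AND_VALUE = re.compile(r"(?i)(?:^|\s)-([a-z]+)\s+([A-Za-z0-9+/=]{8,})")

# Defense-disabling and recovery-inhibiting patterns named in the text above.
DANGEROUS = [
    (re.compile(r"(?i)Set-MpPreference\b.*-DisableRealtimeMonitoring\s*(\$true|1)"), "T1562.001 Defender real-time off"),
    (re.compile(r"(?i)Add-MpPreference\b.*-Exclusion(Path|Process|Extension)"), "T1562.001 Defender exclusion"),
    (re.compile(r"(?i)vssadmin(\.exe)?\s+delete\s+shadows"), "T1490 shadow copy deletion"),
    (re.compile(r"(?i)wmic(\.exe)?\s+shadowcopy\s+delete"), "T1490 shadow copy deletion"),
]
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}      # assumption
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumption
SCHTASKS_TARGET = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')

# Constructed sample records: the encoded one carries a real Set-MpPreference payload.
_ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"parent": "winword.exe",  "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"parent": "cmd.exe",      "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"parent": "cmd.exe",      "cmdline": r'schtasks /create /sc onlogon /ru SYSTEM /tn Updater /tr "C:\ProgramData\svc\update.exe"'},
    {"parent": "cmd.exe",      "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\agent.exe"'},
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -EncodedCommand (or any prefix of it), else None."""
    for m in FLAG_AND_VALUE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def schtasks_untrusted_target(cmdline):
    """For 'schtasks /create', return the /tr target (lower-cased) if it lives
    outside the trusted roots; None otherwise."""
    if not re.search(r"(?i)schtasks(\.exe)?\s+/create", cmdline):
        return None
    m = SCHTASKS_TARGET.search(cmdline)
    if not m:
        return None
    target = (m.group(1) or m.group(2)).strip().lower()
    return None if target.startswith(TRUSTED_ROOTS) else target


def score_command_line(event):
    """Return (tag, evidence) findings for one process-creation record."""
    findings = []
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(("T1027.010 encoded command", decoded))
    for text in (cmd, decoded or ""):           # scan the visible and the decoded command line
        for pattern, tag in DANGEROUS:
            if pattern.search(text):
                findings.append((tag, text.strip()))
    target = schtasks_untrusted_target(cmd)
    if target:
        findings.append(("T1053.005 task targets untrusted path", target))
    if findings and event["parent"].lower() not in EXPECTED_PARENTS:
        findings.append(("unusual parent", event["parent"]))
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for tag, evidence in score_command_line(ev):
            print(f"[{tag}] parent={ev['parent']} :: {evidence[:80]}")
```

Decoding the payload before pattern matching is the step that matters: the Set-MpPreference call in the second sample never appears in the raw command line, so a rule that only inspects the visible string sees nothing. The Office parent on that record is reported as a separate finding rather than a gate, so a defense-disabling command spawned from an expected parent still fires.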

Credential Access Detection

T1003 — OS Credential Dumping: LSASS protection telemetry is the highest-value detection source. Enable Windows Credential Guard where possible, deploy LSASS process protection (RunAsPPL), and monitor for access to lsass.exe via Sysmon Event ID 10 (process access where GrantedAccess includes PROCESS_VM_READ, 0x0010, from a process outside a short allow-list). Detect Kerberoasting via Windows Security Event ID 4769 (Kerberos service ticket request) where the encryption type is RC4 (0x17) and the service name is a user account (no trailing $) rather than a machine account; a single account requesting RC4 tickets for many distinct services in a short period is the clearest pattern. DCSync detection: Event ID 4662 on a domain controller where the Properties field carries the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) or DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) extended right and the subject account is not a domain controller computer account.
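The three credential access checks just described, applied to constructed Windows event records. This is added example code rather than a detection shipped with the report; the field names mirror the Sysmon and Security event data but are simplified, and the domain controller account list and the allow-list of processes permitted to read LSASS are assumptions to be tuned per estate.

```python
"""
Added example, not code from the report: LSASS-access (Sysmon 10), Kerberoasting
(4769) and DCSync (4662) checks over constructed event records. Field names are
simplified; DOMAIN_CONTROLLER_ACCOUNTS and LSASS_READERS_ALLOWED are assumptions.
"""

PROCESS_VM_READ = 0x0010     # GrantedAccess bit required to read LSASS memory
RC4_HMAC_ETYPE = 0x17        # TicketEncryptionType 23: RC4 ticket, the Kerberoasting tell
# Extended-right GUIDs present in 4662 Properties when replication rights are exercised
DS_REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
DOMAIN_CONTROLLER_ACCOUNTS = {"dc01$", "dc02$"}                      # assumption
LSASS_READERS_ALLOWED = {                                            # assumption
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\edr\sensor.exe",
}

# Constructed sample events ---------------------------------------------------
SYSMON_10 = [  # ProcessAccess
    {"SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\nd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # query-only
]
SECURITY_4769 = [  # Kerberos service ticket requested
    {"TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "FS01$",      "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17", "Status": "0x0"},
]
SECURITY_4662 = [  # operation performed on an AD object, logged on the DC
    {"SubjectUserName": "DC02$", "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe",  "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe",  "Properties": "%%7688\n{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated property GUID
]


def lsass_access_alerts(events):
    """Sysmon 10: a process outside the allow-list opened lsass.exe with PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
            continue
        if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            continue
        hits.append(ev)
    return hits


def kerberoast_alerts(events):
    """4769: RC4 service ticket successfully issued for a user (not machine, not krbtgt) service."""
    hits = []
    for ev in events:
        svc = ev["ServiceName"]
        if (int(ev["TicketEncryptionType"], 16) == RC4_HMAC_ETYPE
                and ev["Status"] == "0x0"
                and not svc.endswith("$")
                and svc.lower() != "krbtgt"):
            hits.append(ev)
    return hits


def dcsync_alerts(events):
    """4662: a replication extended right exercised by a subject that is not a DC account."""
    hits = []
    for ev in events:
        props = ev["Properties"].lower()
        if (any(g in props for g in DS_REPLICATION_GUIDS)
                and ev["SubjectUserName"].lower() not in DOMAIN_CONTROLLER_ACCOUNTS):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("LSASS:", [h["SourceImage"] for h in lsass_access_alerts(SYSMON_10)])
    print("Kerberoast:", [h["ServiceName"] for h in kerberoast_alerts(SECURITY_4769)])
    print("DCSync:", [h["SubjectUserName"] for h in dcsync_alerts(SECURITY_4662)])
```

Checking the PROCESS_VM_READ bit rather than a fixed GrantedAccess value is what keeps the LSASS rule robust: Mimikatz, nanodump and MiniDumpWriteDump request different masks (0x1010, 0x1FFFFF, 0x1438 and others), but every one of them needs that bit set. The Kerberoasting check also excludes krbtgt and machine accounts so that ordinary TGS traffic does not page anyone; in a real estate the per-account count of distinct services within a few minutes is the threshold worth alerting on.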

Lateral Movement and Exfiltration Detection

T1021 — Remote Services: Monitor for anomalous RDP sessions (Windows Security Event ID 4624, Logon Type 10) from workstations to servers or between servers where no prior lateral communication existed. Detect PsExec activity via Sysmon or EDR telemetry: creation of the PSEXESVC service (System log Event ID 7045) and remote file writes to ADMIN$ shares. The service name is attacker-controlled (PsExec -r), so do not rely on it alone; a newly installed service whose binary was just written to the ADMIN$ root is the durable indicator. Alert on SMB authentication (Event ID 4624, Logon Type 3) from unexpected source hosts during non-business hours.
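The first-seen logic behind the T1078 rule (no prior association between user and source address in 90 days) and the T1021 rule (no prior RDP or SMB path between two hosts) is the same baseline computation. The following added example, not code or telemetry from the report, builds that baseline from constructed 4624 history and runs new 4624 and 7045 records against it. The 90-day window, the business-hours range and the ADMIN$-root heuristic for renamed PsExec services are assumptions.

```python
"""First-seen baselining over Windows 4624 / 7045 records for T1078 (new
user-to-source pairing) and T1021 (new RDP or SMB host pairing, PsExec
service installation). Added example over constructed events; not code or
telemetry from the report."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 local time
Event = Dict[str, object]


def _ts(ev: Event) -> datetime:
    return datetime.fromisoformat(str(ev["TimeCreated"]))


class Baseline:
    """Pairs observed in successful logons during the trailing window (default 90 days)."""

    def __init__(self, history: List[Event], now: datetime, window_days: int = 90) -> None:
        cutoff = now - timedelta(days=window_days)
        self.user_sources: Set[Tuple[str, str]] = set()
        self.rdp_pairs: Set[Tuple[str, str]] = set()
        self.smb_pairs: Set[Tuple[str, str]] = set()
        for ev in history:
            if ev["EventID"] == 4624 and _ts(ev) >= cutoff:
                self.learn(ev)

    def learn(self, ev: Event) -> None:
        user = str(ev["TargetUserName"]).lower()
        if user.endswith("$"):          # machine accounts need their own baseline
            return
        src, dst = str(ev["IpAddress"]), str(ev["Computer"]).lower()
        self.user_sources.add((user, src))
        if ev["LogonType"] == 10:
            self.rdp_pairs.add((src, dst))
        elif ev["LogonType"] == 3:
            self.smb_pairs.add((src, dst))


def detect(events: List[Event], baseline: Baseline) -> List[Tuple[str, str]]:
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["EventID"] == 4624:
            user = str(ev["TargetUserName"]).lower()
            if user.endswith("$"):
                continue
            src, dst = str(ev["IpAddress"]), str(ev["Computer"]).lower()
            if (user, src) not in baseline.user_sources:
                alerts.append(("T1078", f"{user} authenticated to {dst} from never-seen source {src}"))
            if ev["LogonType"] == 10 and (src, dst) not in baseline.rdp_pairs:
                alerts.append(("T1021.001", f"first RDP session {src} -> {dst}"))
            if (ev["LogonType"] == 3 and (src, dst) not in baseline.smb_pairs
                    and _ts(ev).hour not in BUSINESS_HOURS):
                alerts.append(("T1021.002", f"off-hours network logon from new source {src} -> {dst}"))
        elif ev["EventID"] == 7045:
            path, name = str(ev["ImagePath"]), str(ev["ServiceName"])
            if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
                alerts.append(("T1021.002", f"PsExec service installed on {ev['Computer']}"))
            # PsExec -r renames the service, but the binary still lands in the ADMIN$
            # root (%SystemRoot%), which almost no legitimate service uses (heuristic).
            elif re.fullmatch(r"(?i)(?:%systemroot%|c:\\windows)\\[^\\]+\.exe", path):
                alerts.append(("T1021.002", f"service binary in ADMIN$ root on {ev['Computer']}: {path}"))
    return alerts


# Constructed sample records (not real telemetry).
NOW = datetime(2025, 9, 30, 12, 0)


def _logon(ts: str, user: str, ip: str, host: str, logon_type: int) -> Event:
    return {"EventID": 4624, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "Computer": host, "LogonType": logon_type}


HISTORY: List[Event] = [
    _logon("2025-08-12T09:05:00", "jdoe", "10.0.1.15", "WS01", 2),
    _logon("2025-09-03T10:30:00", "jdoe", "10.0.1.15", "FS01", 3),
    _logon("2025-09-20T15:45:00", "admin_it", "10.0.1.50", "SRV-APP01", 10),
    _logon("2025-05-01T11:00:00", "jdoe", "198.51.100.23", "SRV-APP01", 10),  # older than 90 days: not learned
]
NEW_EVENTS: List[Event] = [
    _logon("2025-09-29T14:02:00", "jdoe", "10.0.1.15", "FS01", 3),            # known pair, quiet
    _logon("2025-09-29T02:10:00", "jdoe", "198.51.100.23", "SRV-APP01", 10),  # new source and new RDP pair
    _logon("2025-09-29T02:41:00", "admin_it", "10.0.1.50", "SRV-DB01", 3),    # known source, off-hours new SMB pair
    {"EventID": 7045, "TimeCreated": "2025-09-29T02:43:00", "Computer": "SRV-DB01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "TimeCreated": "2025-09-29T02:50:00", "Computer": "SRV-DB02",
     "ServiceName": "winsvc", "ImagePath": r"%SystemRoot%\winsvc.exe"},       # PsExec -r pattern
    {"EventID": 7045, "TimeCreated": "2025-09-29T09:00:00", "Computer": "WS02",
     "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]


def run_example() -> List[Tuple[str, str]]:
    return detect(NEW_EVENTS, Baseline(HISTORY, NOW))
```

The May logon is deliberately outside the window, so the same user and source pair in September is treated as first-seen; in production the baseline is refreshed continuously rather than rebuilt per query.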

T1048 — Exfiltration Over Alternative Protocol: Network monitoring for outbound data volume anomalies is essential. Deploy netflow analysis alerting on endpoints transferring >500MB outbound to any single destination within a 24-hour window. Monitor DNS for resolutions to known file-sharing services (Mega.nz, file.io, transfer.sh) from servers and workstations. Detect Rclone execution by process name or command-line arguments referencing cloud storage configurations. Alert on outbound SFTP or SCP connections from hosts that do not normally perform such transfers.
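The volume rule above, together with the DNS and Rclone checks, as an added example run over constructed netflow, DNS and process records (not code or telemetry from the report). It uses a true 24-hour sliding window per source and destination pair rather than a calendar day, and matches Rclone by the shape of its command line so a renamed binary is still caught. The threshold, domain list and sample addresses are assumptions.

```python
"""Exfiltration analytics for T1048 / T1567 over constructed records: 24-hour
outbound-volume windows per source->destination pair (netflow), DNS lookups of
file-sharing services, and Rclone-style command lines, including renamed
binaries. Added example; not code or telemetry from the report."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

VOLUME_THRESHOLD = 500 * 2**20            # the report's >500 MB per destination per 24 h
WINDOW = timedelta(hours=24)
FILE_SHARING_DOMAINS = ("mega.nz", "mega.co.nz", "file.io", "transfer.sh")
# rclone is frequently renamed, so match the command shape, not the file name: a
# subcommand, a remote ("name:path", at least two characters so drive letters do
# not match) and a typical option.
RCLONE_SHAPE = re.compile(r"(?i)\b(?:copy|sync|move)\b.*\s[a-z][\w-]+:\S*")
RCLONE_OPTS = re.compile(r"(?i)(?:--transfers|--config|--bwlimit|--no-check-certificate|\s-P\b)")
Alert = Tuple[str, str]


def volume_alerts(flows: List[Dict[str, object]]) -> List[Alert]:
    """One alert per (src, dst) pair whose outbound bytes exceed the threshold in any 24 h window."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for f in flows:
        by_pair[(str(f["src"]), str(f["dst"]))].append(
            (datetime.fromisoformat(str(f["ts"])), int(str(f["bytes"]))))
    alerts: List[Alert] = []
    for (src, dst), records in by_pair.items():
        window: Deque[Tuple[datetime, int]] = deque()
        total = 0
        for ts, nbytes in sorted(records):
            window.append((ts, nbytes))
            total += nbytes
            while ts - window[0][0] > WINDOW:        # slide: drop flows older than 24 h
                total -= window.popleft()[1]
            if total > VOLUME_THRESHOLD:
                alerts.append(("T1048", f"{src} sent {total / 2**20:.0f} MiB to {dst} within 24 h"))
                break
    return alerts


def dns_alerts(lookups: List[Dict[str, str]]) -> List[Alert]:
    out: List[Alert] = []
    for rec in lookups:
        q = rec["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in FILE_SHARING_DOMAINS):
            out.append(("T1567", f"{rec['host']} resolved file-sharing domain {rec['query']}"))
    return out


def rclone_alerts(processes: List[Dict[str, str]]) -> List[Alert]:
    out: List[Alert] = []
    for p in processes:
        name = p["Image"].rsplit("\\", 1)[-1].lower()
        cmd = p["CommandLine"]
        if name == "rclone.exe" or (RCLONE_SHAPE.search(cmd) and RCLONE_OPTS.search(cmd)):
            out.append(("T1048", f"rclone-style transfer on {p['host']}: {cmd}"))
    return out


def analyze_exfil(flows, lookups, processes) -> List[Alert]:
    return volume_alerts(flows) + dns_alerts(lookups) + rclone_alerts(processes)


# Constructed sample telemetry (documentation address ranges).
START = datetime(2025, 9, 29, 1, 0)
FLOWS: List[Dict[str, object]] = [
    {"ts": (START + timedelta(minutes=7 * i)).isoformat(), "src": "10.0.2.31",
     "dst": "203.0.113.10", "bytes": 12 * 2**20} for i in range(50)]          # 600 MiB in under 6 h
FLOWS += [
    {"ts": (START + timedelta(hours=3 * i)).isoformat(), "src": "10.0.2.40",
     "dst": "198.51.100.5", "bytes": 40 * 2**20} for i in range(10)]          # 400 MiB over 27 h: at most 360 MiB per 24 h
LOOKUPS = [{"host": "SRV-FILE01", "query": "g.api.mega.co.nz"},
           {"host": "WS-03", "query": "www.microsoft.com"}]
PROCESSES = [
    {"host": "SRV-FILE01", "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"svchost.exe sync D:\Finance mega:ex --transfers 16 --config C:\Users\Public\r.conf"},
    {"host": "WS-03", "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"Robocopy.exe D:\Share E:\Backup /MIR"},
]
```

The second flow series shows why the window matters: 400 MiB is moved in total, but no 24-hour slice ever exceeds 360 MiB, so a per-day bucket keyed on calendar date could fire or stay silent depending on where midnight falls.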

Impact Detection

T1486 — Data Encrypted for Impact: Endpoint-based detection of mass file modification is the last line of defense. Monitor for high-velocity file rename operations (thousands of files receiving new extensions within minutes), deletion of volume shadow copies (vssadmin.exe delete shadows /all /quiet), and termination of database and backup processes. Canary files placed in monitored directories provide early warning: alert immediately on modification or deletion of designated canary files. Honeypot shares on the network with monitoring enabled can detect network-based encryption attempts.
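The high-velocity rename rule and the canary-file rule above, as an added example run over constructed file-activity records (not code or telemetry from the report). The rename threshold, the window length and the canary locations are assumptions; the benign samples show how a build job and a user renaming files by hand stay under the threshold.

```python
"""T1486 endpoint analytics over constructed file-activity records: a
per-process sliding window of extension-changing renames, plus canary-file
touches that alert on first contact. Added example; not code or telemetry
from the report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

RENAME_THRESHOLD = 100                  # extension-changing renames per process ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this window (assumed; tune against backup and build jobs)
# Assumed canary locations; real deployments scatter them across shares and profiles.
CANARY_FILES = {
    r"\\fs01\finance\_archive\budget_2019.xlsx".lower(),
    r"c:\users\public\documents\readme.docx".lower(),
}
Alert = Dict[str, str]


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_impact(events: List[Dict[str, str]]) -> List[Alert]:
    """Events: {"ts", "host", "process", "op": rename|modify|delete, "path"[, "new_path"]}."""
    alerts: List[Alert] = []
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    reported: Set[Tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["process"])
        if ev["path"].lower() in CANARY_FILES:        # any touch of a canary is an alert
            alerts.append({"technique": "T1486", "host": ev["host"], "process": ev["process"],
                           "reason": f"canary file {ev['op']}: {ev['path']}"})
        if ev["op"] != "rename" or _ext(ev["path"]) == _ext(ev["new_path"]):
            continue
        q = windows[key]
        q.append(ts)
        while ts - q[0] > RENAME_WINDOW:              # slide the window
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and key not in reported:
            reported.add(key)
            alerts.append({"technique": "T1486", "host": ev["host"], "process": ev["process"],
                           "reason": f"{len(q)} extension-changing renames in {RENAME_WINDOW.seconds}s, "
                                     f"e.g. {ev['path']} -> {ev['new_path']}"})
    return alerts


def _renames(host: str, process: str, start: datetime, count: int, spacing_s: float,
             src_ext: str, dst_ext: str) -> List[Dict[str, str]]:
    return [{"ts": (start + timedelta(seconds=spacing_s * i)).isoformat(), "host": host,
             "process": process, "op": "rename",
             "path": rf"D:\Share\doc{i}.{src_ext}", "new_path": rf"D:\Share\doc{i}.{dst_ext}"}
            for i in range(count)]


# Constructed sample records (not real telemetry).
T0 = datetime(2025, 9, 29, 3, 12, 0)
LOCKER = r"C:\Users\Public\locker.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = (
    _renames("WS-07", LOCKER, T0, 150, 0.2, "docx", "docx.lock")               # 150 renames in 30 s
    + _renames("BUILD-01", r"C:\Program Files\MSBuild\MSBuild.exe", T0, 40, 0.1, "tmp", "obj")
    + _renames("WS-02", r"C:\Windows\explorer.exe", T0, 150, 4.0, "jpg", "jpeg")  # 150 over 10 min: 16 per window
    + [{"ts": (T0 + timedelta(seconds=31)).isoformat(), "host": "WS-07", "process": LOCKER,
        "op": "modify", "path": r"C:\Users\Public\Documents\readme.docx"}]
)
```

The velocity alert fires once per process so the analyst is not paged 50 times for one encryptor; the canary alert is unconditional because the canary has no legitimate readers.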

T1562 — Impair Defenses: Monitor for EDR agent health and heartbeat failures. Alert on loading of known vulnerable drivers (cross-reference driver loads against the Living Off The Land Drivers project, loldrivers.io). Detect modification of Windows Defender configuration via registry changes or PowerShell cmdlets. Alert on termination of security-related services and processes, particularly when performed from a non-standard parent process.

Defensive Countermeasures by Kill Chain Phase

The following framework organizes prevention, detection, and response actions by kill chain phase, enabling security teams to assess coverage gaps and prioritize investment against the techniques that matter most.

Phase 1: Initial Access Prevention

  1. Patch perimeter devices within 72 hours of critical CVE disclosure. Exploitation of VPN appliances, firewalls, and edge gateways (T1190) is the single highest-volume initial access vector across all five groups. Maintain a continuously updated inventory of internet-facing assets. Deploy virtual patching via WAF/IPS rules when vendor patches are delayed. Prioritize Fortinet, Cisco, Citrix, Ivanti, and Palo Alto devices.
  2. Deploy phishing-resistant MFA universally. FIDO2 hardware keys or passkeys must replace push-based and SMS-based MFA for all remote access services, VPN, and privileged accounts. Traditional MFA is routinely bypassed through adversary-in-the-middle proxies that relay the login and capture the resulting session token (Evilginx2), MFA fatigue attacks, and SIM swapping. Phishing-resistant MFA closes these paths at the authentication step because the credential is cryptographically bound to the legitimate origin. It does not protect a session cookie stolen by an infostealer after login, so pair it with short session lifetimes, device-bound session tokens where the identity provider supports them, and conditional access that requires a managed device.
  3. Monitor and remediate exposed credentials. Integrate infostealer log databases and breach monitoring services into security operations. Proactively reset credentials identified in stealer logs before they are weaponized by initial access brokers or ransomware affiliates (T1078).

Phase 2: Early Kill Chain Disruption (Execution through Credential Access)

  1. Enforce PowerShell Constrained Language Mode and script block logging. Remove the Windows PowerShell 2.0 optional feature, since the v2 engine lacks script block logging, AMSI integration and Constrained Language Mode and is the standard downgrade target (powershell.exe -Version 2). Enable Script Block Logging and Module Logging on all endpoints. Deploy application control policies (AppLocker or WDAC), which also place PowerShell in Constrained Language Mode for unsigned scripts, to restrict PowerShell execution to signed scripts and approved administrative accounts (T1059).
  2. Protect LSASS and Active Directory credentials. Enable Credential Guard on all Windows 10/11 endpoints. Deploy LSASS as a Protected Process Light (RunAsPPL). Implement LAPS for local administrator password management. Monitor for Kerberoasting (anomalous TGS requests with RC4 encryption) and DCSync (replication requests from non-DC accounts). Audit service account passwords and ensure they meet minimum 25-character complexity requirements, or migrate the accounts to group Managed Service Accounts, whose passwords are machine-generated and rotated automatically, which removes the Kerberoasting payoff entirely (T1003, T1558).
  3. Block vulnerable driver loading. Implement driver allowlisting via Windows Defender Application Control (WDAC) or equivalent, and enable Microsoft's recommended driver block rules, which HVCI-enabled systems apply by default. Maintain an updated blocklist of drivers known to be exploited for EDR termination (reference: loldrivers.io). Alert on loading of any driver not in the approved baseline, using Sysmon Event ID 6 (driver loaded) or the EDR's equivalent as the telemetry source (T1562.001).

Phase 3: Lateral Movement Containment

  1. Implement network micro-segmentation. Segment the network into trust zones with explicit access controls between segments. Place domain controllers, backup infrastructure (Veeam, Commvault), hypervisor management interfaces (vCenter, ESXi management), and administrative jump boxes in isolated segments accessible only from designated management workstations. Block workstation-to-workstation SMB and RDP traffic (T1021).
  2. Restrict and monitor administrative tools. Establish baselines for PsExec, WMI, PowerShell remoting, and RDP usage across the environment. Alert on execution from anomalous source hosts or during non-business hours. Block or restrict RMM tools (AnyDesk, ScreenConnect, RustDesk) on endpoints where they are not required for business operations. Deploy application allowlisting on critical servers (T1219).
  3. Deploy deception technology. Distribute honeypot credentials, canary files, and decoy administrative accounts throughout the environment. These assets have zero legitimate interaction baseline, so any access constitutes a high-confidence intrusion indicator. Honeypot domain admin accounts in Active Directory only pay off if the interaction is recorded: LDAP enumeration by BloodHound is not audited by default, so place a SACL on the decoy object so that reads generate Event ID 4662, and alert on any authentication event that names the decoy (4768, 4769, 4625), since targeting that follows enumeration ends in a logon attempt or a service-ticket request.

Phase 4: Exfiltration Prevention and Data Protection

  1. Deploy egress monitoring and DLP controls. Monitor for outbound data volume anomalies via netflow analysis. Block or alert on connections from servers and workstations to known file-sharing services (Mega.nz, file.io, transfer.sh). Detect Rclone, MEGAsync, and WinSCP execution on endpoints where they are not business-approved. Alert on bulk archive creation (7z, RAR, ZIP) in staging directories (T1048, T1567).
  2. Implement DNS-based security controls. Deploy DNS filtering to block resolution of domains associated with file-sharing services, attacker C2 infrastructure, and anonymization services. DNS logging provides a lightweight but valuable telemetry source for detecting tool downloads, C2 communication, and exfiltration to cloud services.

Phase 5: Impact Mitigation and Recovery Readiness

  1. Maintain immutable, offline backups with tested recovery. Ensure at least one backup copy is stored offline (air-gapped) or in immutable cloud storage with retention locks that cannot be modified by compromised administrative credentials. Akira and Black Basta specifically target Veeam backup infrastructure for destruction—Veeam hardening guides should be treated as ransomware defense priorities. Test full-environment recovery procedures quarterly, including domain controller restoration and application-level recovery (T1490).
  2. Deploy canary files and ransomware-specific behavioral detection. Distribute canary files (small files with known content and last-modified timestamps) across network shares and local directories. Any modification triggers an immediate high-severity alert. Configure EDR/XDR platforms for behavioral detection of mass file modification, high-velocity file rename operations, and shadow copy deletion attempts (T1486).
  3. Maintain pre-arranged incident response retainers. Given compressed dwell times (median 6–10 days across the five groups), organizations without mature internal incident response capability must maintain retainer agreements with qualified IR firms. Pre-established legal frameworks, communication templates, and scoping agreements reduce time-to-containment during active ransomware incidents.

Prioritization Framework

If resources are constrained, prioritize in this order: (1) Patch perimeter devices and enforce phishing-resistant MFA—this addresses the two highest-volume initial access vectors across all five groups. (2) Protect LSASS and block vulnerable driver loading—this disrupts the credential access and defense evasion phases that every group depends on. (3) Segment backup infrastructure and deploy immutable backups—this ensures recovery capability even if prevention and detection fail. These three investments address the techniques with the highest cross-group prevalence and the greatest operational impact.

Methodology

This report is based on data collected and analyzed by Dark Angel’s threat intelligence research team across the following sources and methodologies.

Incident Response Data: Analysis of 420 confirmed ransomware engagements conducted by Dark Angel and partner firms between January 2024 and March 2025. Group attribution is based on payload analysis, ransom note content, leak site posting confirmation, and infrastructure correlation. Engagements are distributed as follows: LockBit (112), Black Basta (89), ALPHV/BlackCat (74), Play (78), Akira (67). Each engagement produced a structured TTP worksheet documenting tools, commands, behavioral artifacts, and MITRE ATT&CK technique IDs observed at each intrusion stage.

Malware Reverse Engineering: Technical analysis of 65 unique ransomware payload samples across the five groups, including Windows PE, Linux ELF, and ESXi variants. Analysis includes static disassembly, dynamic behavioral analysis in controlled sandbox environments, encryption scheme validation, and capability mapping to ATT&CK techniques.

Dark Web Intelligence: Monitoring of Russian-language cybercriminal forums (XSS, Exploit, RAMP) and Telegram channels for affiliate playbooks, operational guides, tool advertisements, and post-incident discussions. Affiliate-authored operational guides recovered from compromised infrastructure provided supplementary TTP data for Black Basta and Akira.

Technique Assignment Criteria: A technique is assigned to a group when it is observed in two or more independent engagements or confirmed through reverse engineering of the group’s payload. Single-observation techniques are excluded from the comparative analysis. Sub-technique granularity is used where evidence supports differentiation; otherwise, parent technique IDs are cited.

Confidence Assessment: This report uses the Admiralty system for confidence grading. TTP assignments derived from incident response telemetry carry high confidence. Assignments derived solely from dark web intelligence carry moderate confidence. Forward-looking assessments regarding technique evolution carry low-to-moderate confidence and represent analytical judgments based on observed trends.
