Ransomware
Severity: critical
Tag: ransomware
Adversary encrypts or destroys organisational data and demands payment for decryption. Modern variants combine encryption with double-extortion exfiltration, threatening to publish stolen data even if backups allow recovery. Cloud-targeted ransomware additionally abuses compromised identities to delete snapshots and backups, disable or schedule deletion of the KMS keys that protect data at rest, or wipe object storage, so that the victim's own recovery paths are gone before the ransom note lands.
STRIDE: Tampering, Denial of Service, Information Disclosure
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1486 | Data Encrypted for Impact | Impact |
| T1490 | Inhibit System Recovery | Impact |
| T1657 | Financial Theft | Impact |
| T1567 | Exfiltration Over Web Service | Exfiltration |
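The two Impact techniques in the table have observable endpoint behaviour: T1490 shows up as command lines that delete shadow copies and backup catalogues, and T1486 as one process renaming many files to a new extension and filling them with high-entropy content. The following is an added example (not code from the catalogue or from any EDR vendor) that runs both checks over constructed telemetry; the log line format, the `pid=`/`cmd=` fields, the thresholds (20 files in 60 seconds, entropy above 7.5 bits per byte) and the sample paths are assumptions chosen for illustration, and real telemetry from ctrl-ransom-4's EDR would be richer than this.

```python
"""Behavioural ransomware indicators over constructed endpoint telemetry."""
import math
import os
import random
import re
from collections import defaultdict

# Command-line patterns for T1490 (Inhibit System Recovery): deleting Volume
# Shadow Copies or backup catalogues and disabling Windows automatic repair.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
]

# Assumed (constructed) process-creation line layout: '<epoch> pid=<n> cmd=<command line>'
PROCESS_LINE = re.compile(r"(\d+) pid=(\d+) cmd=(.*)")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_recovery_inhibition(process_lines):
    """Return (ts, pid, cmdline) for process lines matching a T1490 pattern."""
    hits = []
    for line in process_lines:
        m = PROCESS_LINE.match(line)
        if not m:
            continue
        ts, pid, cmd = int(m.group(1)), int(m.group(2)), m.group(3)
        if any(p.search(cmd) for p in RECOVERY_INHIBIT_PATTERNS):
            hits.append((ts, pid, cmd))
    return hits


def detect_mass_encryption(events, window=60, min_files=20, min_entropy=7.5):
    """Flag processes that rename many files to a new extension and write
    high-entropy content within `window` seconds (T1486 behaviour).

    events: iterable of (ts, pid, old_path, new_path, content_sample_bytes).
    Returns {pid: (peak count in any window, sorted list of new extensions)}.
    """
    per_pid = defaultdict(list)
    for ts, pid, old_path, new_path, sample in events:
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1].lower()
        if new_ext and new_ext != old_ext and shannon_entropy(sample) >= min_entropy:
            per_pid[pid].append((ts, new_ext))
    alerts = {}
    for pid, items in per_pid.items():
        items.sort()
        best = start = 0
        for end in range(len(items)):  # sliding window over timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts[pid] = (best, sorted({ext for _, ext in items}))
    return alerts


# Constructed telemetry for the example, not real captures.
PROCESS_LOG = [
    "1700000000 pid=4242 cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "1700000001 pid=4242 cmd=bcdedit.exe /set {default} recoveryenabled No",
    "1700000002 pid=1000 cmd=notepad.exe C:\\Users\\a\\notes.txt",
    "1700000003 pid=4242 cmd=wbadmin.exe delete catalog -quiet",
]


def build_sample_events():
    """pid 4242 renames 25 documents to .locked with pseudo-random (encrypted-
    looking) content; pid 1000 is a benign tool renaming three low-entropy text files."""
    rng = random.Random(1)
    events = []
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((1700000100 + i, 4242,
                       f"C:\\Users\\a\\doc{i}.docx", f"C:\\Users\\a\\doc{i}.docx.locked", blob))
    for i in range(3):
        events.append((1700000100 + i, 1000,
                       f"C:\\tmp\\part{i}.tmp", f"C:\\tmp\\part{i}.txt", b"quarterly report " * 256))
    return events


if __name__ == "__main__":
    for hit in detect_recovery_inhibition(PROCESS_LOG):
        print("T1490 recovery inhibition:", hit)
    for pid, (count, exts) in detect_mass_encryption(build_sample_events()).items():
        print(f"T1486 mass encryption: pid={pid} files={count} new_ext={exts}")
```

The entropy gate is what keeps a backup agent or archiver that legitimately renames hundreds of files from tripping the rename-burst rule, and the recovery-inhibition patterns are worth alerting on even at a single hit, because there is almost no benign reason for a user process to delete all shadow copies.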
Common Weakness Enumeration
Mitigating controls
- ctrl-ransom-1: Maintain immutable, offline and regularly tested backups following the 3-2-1 rule (three copies, on two different media, one of them off-site); a backup that has never been restored from is not a recovery control.
- ctrl-ransom-2: Use object-lock or write-once (WORM) storage, and protect snapshot and version deletion with separate credentials and MFA, so that an identity able to encrypt production data cannot also destroy its backups.
- ctrl-ransom-3: Segment networks to limit lateral movement; do not expose SMB or RDP to the internet.
- ctrl-ransom-4: Deploy EDR with anti-ransomware behavioural detection and automated host isolation.
- ctrl-ransom-5: Enforce phishing-resistant MFA (for example FIDO2/WebAuthn) and disable legacy authentication protocols that bypass MFA on identity providers.
- ctrl-ransom-6: Apply application allowlisting and restrict macro and script execution on endpoints.
- ctrl-ransom-7: Maintain and rehearse an incident response plan, including a ransom-payment decision policy and tested recovery runbooks.
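ctrl-ransom-2 and the cloud-targeted variant described at the top of the entry meet in AWS policy: Object Lock makes the backup copies themselves undeletable for a retention period, and an identity policy denies the destructive API calls (snapshot deletion, versioning changes, KMS key deletion) unless the caller authenticated with MFA. The following is an added example, not code or policy from the catalogue or from AWS; the bucket name, the 30-day retention and the list of guarded actions are assumptions for illustration, and it deliberately places a weak policy beside the corrected one. The documents follow the published IAM/S3 schema, but no API call is made here; apply them with the CLI or SDK as usual, and attach the deny policy to every role except a dedicated recovery role whose credentials are held separately.

```python
"""Immutable backups and MFA-gated destruction in AWS: added example."""
import fnmatch
import json

BACKUP_BUCKET = "example-backup-vault"  # assumed bucket name

# Bucket-level Object Lock default (requires versioning): every new object
# version is retained in COMPLIANCE mode for 30 days and cannot be deleted or
# have its retention shortened by any principal, including the account root.
OBJECT_LOCK_CONFIGURATION = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}

# API actions an attacker with a stolen cloud identity needs in order to
# destroy recovery paths before encrypting or wiping production data.
DESTRUCTIVE_ACTIONS = [
    "ec2:DeleteSnapshot",
    "rds:DeleteDBSnapshot",
    "s3:DeleteObjectVersion",
    "s3:PutBucketVersioning",
    "s3:PutObjectRetention",
    "s3:PutObjectLegalHold",
    "s3:BypassGovernanceRetention",
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
]


def deny_without_mfa_policy(actions=DESTRUCTIVE_ACTIONS, condition_operator="BoolIfExists"):
    """Identity policy: explicitly deny `actions` unless the calling session
    carries aws:MultiFactorAuthPresent=true. An explicit Deny overrides any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveActionsWithoutMFA",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {condition_operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


# Weak setting: "Bool" only evaluates when the context key exists. A call signed
# with long-term access keys has no aws:MultiFactorAuthPresent key at all, so the
# Deny never fires for exactly the credentials ransomware operators steal.
WEAK_POLICY = deny_without_mfa_policy(condition_operator="Bool")

# Corrected setting: "BoolIfExists" treats a missing key as matching "false".
HARDENED_POLICY = deny_without_mfa_policy()


def mfa_gated(policy, action):
    """True if `policy` denies `action` for every non-MFA call, including
    long-term access-key calls where the MFA context key is absent."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        pats = stmt.get("Action", [])
        pats = [pats] if isinstance(pats, str) else pats
        # IAM action names are case-insensitive and may contain wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats):
            continue
        cond = stmt.get("Condition", {}).get("BoolIfExists", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return True
    return False


def unguarded_actions(policy, actions=DESTRUCTIVE_ACTIONS):
    """Destructive actions the policy still allows from a non-MFA session."""
    return [a for a in actions if not mfa_gated(policy, a)]


if __name__ == "__main__":
    print(json.dumps(OBJECT_LOCK_CONFIGURATION, indent=2))
    print(json.dumps(HARDENED_POLICY, indent=2))
    print("weak policy leaves unguarded:", unguarded_actions(WEAK_POLICY))
    print("hardened policy leaves unguarded:", unguarded_actions(HARDENED_POLICY))
```

Run `unguarded_actions` against the policies actually attached to operator and CI roles: the weak `Bool` form is a common finding precisely because it looks correct in the console and only fails for the long-term keys that are most often leaked. Object Lock and the deny policy are complementary: the lock protects what is already in the vault, and the deny prevents the vault's own configuration from being rolled back.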