
Cyber Kill Chain & Ransomware

Nino Vales 2018-08-20

The Cyber Kill Chain model breaks down a ransomware attack into seven stages. This article explains which of our security solutions are effective at each stage of a ransomware attack.


Cyber Kill Chain stages



Stage 1: Reconnaissance

The threat actor gathers all publicly available information about your organization. Examples include the website's contact-us page, phone numbers, and domain WHOIS information. Some attackers also run automated scripts to guess the email addresses associated with the domain.


  • Better security practices for handling public information
  • Cyber security training to recognize phishing attempts



Stage 2: Weaponization

Once the threat actor has gathered enough information, they prepare to launch the attack. An example is a phishing email with malicious attachments or URLs, crafted to be sent to the users of the targeted organization.


  • User security training to distinguish phishing emails from legitimate emails (cybersecurity training – KnowBe4)



Stage 3: Delivery

If the user opens the attachment from a phishing email or clicks the link, it can execute a script that infects the system.


  • Cisco Umbrella to filter DNS traffic
  • Meraki MX Firewall with intrusion prevention system
  • Office 365 SPF, DKIM, and DMARC records
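The SPF and DMARC records mentioned above only help at the Delivery stage if they are published with a strict policy. The following is an added example (not part of the original article or any vendor product) that parses the TXT records a domain publishes and flags weak settings; the record values are constructed samples that mimic a typical Office 365 tenant, and in practice you would feed it the output of a real TXT lookup.

```python
# Constructed sample TXT records (not real DNS lookups). The first set is a
# typical monitoring-only setup; the second is the hardened form.
WEAK_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

def parse_spf(records):
    """Return (terms, qualifier of the 'all' mechanism) from the v=spf1 record, or None."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            qualifier = None
            for t in terms:
                if t.lstrip("+-~?").lower() == "all":
                    # A missing qualifier defaults to '+' (pass) per the SPF spec.
                    qualifier = t[0] if t[0] in "+-~?" else "+"
            return terms, qualifier
    return None

def parse_dmarc(records):
    """Return the tag=value dict from a v=DMARC1 record, or None if absent."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None

def assess(domain, txt):
    """Return a list of findings describing weak or missing email-auth settings."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    elif spf[1] is None or spf[1] == "+":
        findings.append("SPF 'all' is missing or +all (anything passes)")
    elif spf[1] == "~":
        findings.append("SPF uses ~all (softfail); -all is stricter")
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "") in ("", "none"):
            findings.append("DMARC p=none only monitors; use quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= reporting address")
    return findings
```

A receiving mail server only rejects a spoofed message when the DMARC policy is quarantine or reject, so p=none is a monitoring step, not a protection.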



Stage 4: Exploitation

The stage where the malicious script looks for a vulnerability in the system, such as an unprotected or unpatched system or outdated firmware. A network behind a weak firewall is at serious risk.


  • Cisco Umbrella for blocking suspicious traffic
  • Meraki MX Firewall with Intrusion Prevention System



Stage 5: Installation

The stage where the ransomware payload is installed on the vulnerable system. Workstations without real-time antivirus protection are at risk.


  • Host-based antivirus or anti-malware products such as Webroot, Trend Micro, or Cisco AMP



Stage 6: Command and Control

The infected system contacts the attacker's command and control server to retrieve the key used to encrypt the user's files. This server is also called the botnet command center.


  • Cisco Umbrella to block suspicious categories like newly created domains or known Botnet locations
  • Meraki MX Firewall to filter out suspicious traffic



Stage 7: Actions on Objectives

The stage where the system's files are already encrypted and a ransom note keeps popping up, demanding that the victim pay the ransom.


  • A security professional to assess the impact and remove the ransomware
  • Meraki MX Firewall logs of all unusual traffic produced by the infected system, to support the investigation


You might notice that certain security solutions cover several stages of the Cyber Kill Chain model. Implementing these solutions gives you a better chance of avoiding a ransomware infection.

In addition, a reliable backup solution will save your files if ransomware still manages to infect your system.

This model is not perfect, but it gives your business a better chance of stopping a ransomware attack. The cost of these security solutions is minimal compared to the downtime or the ransom you would pay to recover your files.