The ransomware blueprint: Attack patterns and strategic variations across gangs

# Abstract

In recent years, ransomware attacks have attracted the attention of researchers and companies, raising new challenges in identifying effective defense techniques. This study provides a comprehensive analysis of ransomware attacks and the tactics they employ from 2020 to 2024, leveraging a large dataset of over 16,000 documented ransomware incidents involving 155 distinct gangs. Using this data, we identify the exploited software vulnerabilities (CVEs) and map them to specific adversarial behaviors within the MITRE ATT&CK framework. In addition to this technical mapping, we differentiate between broadly targeting “generalist” gangs and industry-focused “specialist” gangs, and we examine variations in attack patterns across target sectors and geographic origins. Our methodology reveals the core “ransomware blueprint”: a unified kill-chain model comprising recurring techniques spanning initial access through encryption. Key findings include the use of high-severity, widely deployed CVEs (particularly exploitation of public-facing applications, T1190) as entry points, followed by routine privilege escalation, lateral movement, and impact actions (e.g., T1486 for data encryption). The analysis also reveals regional and sectoral differences: (i) Russian-origin groups often emphasize rapid disruption and recovery inhibition, and (ii) other groups focus on stealthier reconnaissance. Generalist gangs (e.g., LockBit, Cl0p, ALPHV) employ advanced techniques across multiple industries, while specialist gangs concentrate on narrower sectors, using simpler methods such as phishing and credential reuse. Moreover, the number of techniques shared between gangs is used to assess the degree of interconnection among them. These findings provide actionable intelligence for defenders, highlighting the need for multi-layered defenses, targeted vulnerability management, and sector-specific hardening strategies to mitigate evolving ransomware threats.
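As an added illustration of the methodology the abstract describes (this is not the paper's own code or data), the toy Python below runs constructed incident records through a CVE-to-ATT&CK table, labels each gang generalist or specialist by how many sectors it hits, and counts the techniques shared between gang pairs as the interconnection measure. All records and CVE identifiers are constructed placeholders, and the technique IDs beyond T1190 and T1486 (T1068, T1078, T1566, T1021) are assumed mappings chosen for illustration.

```python
# Added example, not from the paper: incidents -> CVEs -> ATT&CK techniques,
# generalist/specialist labelling, and pairwise shared-technique counts.
from collections import defaultdict
from itertools import combinations

# Constructed CVE -> ATT&CK technique mapping; CVE ids are placeholders, not real.
CVE_TO_TECHNIQUES = {
    "CVE-PLACEHOLDER-A": {"T1190"},           # exploit public-facing application
    "CVE-PLACEHOLDER-B": {"T1190", "T1068"},  # exploit + privilege escalation
    "CVE-PLACEHOLDER-C": {"T1078"},           # valid accounts (credential reuse)
}

# Constructed incident records: (gang, target sector, exploited CVE or None).
INCIDENTS = [
    ("GangA", "healthcare", "CVE-PLACEHOLDER-A"),
    ("GangA", "finance", "CVE-PLACEHOLDER-B"),
    ("GangA", "manufacturing", None),
    ("GangB", "healthcare", "CVE-PLACEHOLDER-C"),
    ("GangB", "healthcare", None),
    ("GangC", "finance", "CVE-PLACEHOLDER-B"),
]

# Techniques observed directly rather than via a CVE (constructed), e.g. the
# encryption impact step (T1486), phishing (T1566), lateral movement (T1021).
OBSERVED_TECHNIQUES = {
    "GangA": {"T1486", "T1021"},
    "GangB": {"T1566", "T1486"},
    "GangC": {"T1486"},
}

def gang_techniques(incidents=INCIDENTS, observed=OBSERVED_TECHNIQUES):
    """Union of CVE-derived and directly observed techniques per gang."""
    techs = defaultdict(set)
    for gang, _sector, cve in incidents:
        techs[gang] |= CVE_TO_TECHNIQUES.get(cve, set())
    for gang, ts in observed.items():
        techs[gang] |= ts
    return dict(techs)

def classify_gangs(incidents=INCIDENTS, min_sectors=2):
    """'generalist' if a gang hits at least min_sectors sectors, else 'specialist'."""
    sectors = defaultdict(set)
    for gang, sector, _cve in incidents:
        sectors[gang].add(sector)
    return {g: "generalist" if len(s) >= min_sectors else "specialist"
            for g, s in sectors.items()}

def shared_technique_counts(techs):
    """Number of techniques each pair of gangs has in common (interconnection)."""
    return {(a, b): len(techs[a] & techs[b]) for a, b in combinations(sorted(techs), 2)}
```

The threshold in `classify_gangs` and the counting in `shared_technique_counts` are deliberately simple so the two scoring steps of the abstract can be swapped for the paper's own criteria without touching the mapping stage.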

Here is the link to “The ransomware blueprint: Attack patterns and strategic variations across gangs”: https://www.sciencedirect.com/science/article/pii/S2214212625003011

This post is licensed under CC BY 4.0 by the author.