where data, machines, services, or some other asset is held hostage in some way, and the ransomware operator offers the asset back for some remuneration. Holding the asset hostage can mean that data was encrypted, that sensitive data was exfiltrated, or that the asset will not continue to run after the fact.
IoCs
- Command and Control (C&C) traffic
- known malicious IP contact
- legitimate tools used in abnormal ways
- lateral movement processes
- non-consensual encryption of files
- notice of ransom
- data exfiltration behaviour
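As an added example (not part of the original notes), the following detector turns two of the IoCs above into checks over file-event logs: many renames to one new extension by a single process in a short window (mass encryption), and creation of a file whose name looks like a ransom note. The log format, the thresholds and the ransom-note keyword list are assumptions for the example; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds: tune against a real baseline before relying on them.
WINDOW_SECONDS = 60
RENAME_THRESHOLD = 5
RANSOM_NOTE = re.compile(r"(readme|decrypt|restore|how_to|recover)", re.IGNORECASE)

# Constructed sample log, tab-separated: time, process, action, path[, new_path]
SAMPLE_LOG = """\
2024-03-01T09:00:00\twinword.exe\twrite\tC:\\Users\\a\\Docs\\q1.docx
2024-03-01T09:00:03\texplorer.exe\trename\tC:\\Users\\a\\Docs\\old.txt\tC:\\Users\\a\\Docs\\new.txt
2024-03-01T09:01:00\tupd.exe\trename\tC:\\Users\\a\\Docs\\q1.docx\tC:\\Users\\a\\Docs\\q1.docx.locked
2024-03-01T09:01:01\tupd.exe\trename\tC:\\Users\\a\\Docs\\q2.xlsx\tC:\\Users\\a\\Docs\\q2.xlsx.locked
2024-03-01T09:01:01\tupd.exe\trename\tC:\\Users\\a\\Docs\\q3.pdf\tC:\\Users\\a\\Docs\\q3.pdf.locked
2024-03-01T09:01:02\tupd.exe\trename\tC:\\Users\\a\\Docs\\q4.pptx\tC:\\Users\\a\\Docs\\q4.pptx.locked
2024-03-01T09:01:03\tupd.exe\trename\tC:\\Users\\a\\Docs\\q5.docx\tC:\\Users\\a\\Docs\\q5.docx.locked
2024-03-01T09:01:04\tupd.exe\tcreate\tC:\\Users\\a\\Docs\\HOW_TO_DECRYPT.txt
"""

def parse_events(text):
    """Parse log lines into (time, process, action, path, new_path_or_None)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            p = line.split("\t")
            events.append((datetime.fromisoformat(p[0]), p[1], p[2], p[3],
                           p[4] if len(p) > 4 else None))
    return events

def ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(events):
    """Return {process: [reasons]} for processes that match the two IoC checks."""
    findings, renames = defaultdict(list), defaultdict(list)
    for ts, proc, action, path, new_path in sorted(events, key=lambda e: e[0]):
        if action == "rename" and new_path:
            renames[proc].append((ts, ext(new_path)))
        if action in ("create", "write") and RANSOM_NOTE.search(path.rsplit("\\", 1)[-1]):
            findings[proc].append(f"ransom-note-like file: {path}")
    for proc, items in renames.items():
        for i, (ts, new_ext) in enumerate(items):  # sliding window over sorted renames
            window = [e for t, e in items[i:] if (t - ts).total_seconds() <= WINDOW_SECONDS]
            if new_ext and window.count(new_ext) >= RENAME_THRESHOLD:
                findings[proc].append(f"{window.count(new_ext)} renames to .{new_ext} within {WINDOW_SECONDS}s")
                break
    return dict(findings)
```

A single rename by explorer.exe stays below the threshold, while upd.exe is flagged on both checks.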
Defences
- good backups, isolated from ransomware’s reach
- anti-ransomware tools